The American Privacy Rights Act (APRA) is a comprehensive data privacy law proposed in the United States. It would place limitations on the kinds of data companies can collect about their users, create processes for users to access or remove data about them, and allow users opt-out from having data sold by data brokers. The bipartisan proposal was introduced in April 2024 by Senator Maria Cantwell (D-WA), and Representative Cathy McMorris Rodgers (R-WA). Cantwell is Chair of the Senate Committee on Commerce, Science, and Transportation and McMorris Rodgers is Chair of the House Committee on Energy and Commerce. If passed, it would supersede some state-based laws which have emerged in the absence of a comprehensive federal data privacy law. The bill underwent controversial revisions in June 2024, removing several consumer protections under pressure from House Republicans, including a section about civil rights. The changes led many privacy and civil society organizations to withdraw support, and the June 27, 2024, committee markup session was canceled amid signals from Republicans that they would kill the bill if it got out of committee.
The Constitution of the United States and the United States Bill of Rights do not explicitly include a right to privacy, no federal law takes a holistic approach to privacy legislation, and the US has no national data protection authority. [1] It is the only G20 country without such a law. [2] As a result, in most states and for most companies there are no limits to how they use, share, or sell their users' data and no requirements to notify users when or how they do so. [3]
The laws which have been passed focus on specific types of data or specific populations of data subjects. The Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the Children's Online Privacy Protection Act (COPPA) of 1998, for example, regulate the use of data by federal agencies, how patients' health data is communicated, and aspects of collecting data about children. [4] [5] In the absence of a federal data privacy law, several states have passed laws to like the 2008 Biometric Information Privacy Act in Illinois and the 2018 California Consumer Privacy Act (CCPA). [5] As of 2021, only California, Colorado, and Virginia had enacted comprehensive data privacy legislation. [3] Proponents of broad data privacy legislation argue that it provides a more effective and durable solution to the problems many narrower bills attempt to address through focus on specific companies like TikTok. [6]
There have been multiple attempts to pass a comprehensive data privacy law, such as the Personal Data Privacy and Security Act of 2009 and the American Data Privacy and Protection Act (ADPPA) in 2022. Both had bipartisan support and passed committees, but were not brought up for a vote. [7] [8] [9] A common sticking point in debates over these laws is the relationship between the federal law and current or future state laws. [10] While the first draft of the APRA would have superseded state privacy laws, a June 2024 revision clarified state laws could place more stringent regulations on privacy. [11] There has also been disagreement about enforcement, including whether users could use the laws as a basis to sue companies directly for privacy violations. [12] Senator Cantwell, one of the lawmakers behind the APRA, opposed the ADPPA on the basis of its enforcement. [13]
The idea of a comprehensive federal data protection law gained increased attention and support in the early 2020s. [14] Privacy experts, technologist journalists, and consumer advocacy organizations have spoken in support of ADPPA and others, like APRA, which focus on "data minimization" rather than "notice and consent" ("notice and choice") frameworks. [15] [16] [17] Notice and consent is the standard, widely criticized for its failure to provide real protections for user privacy, by which a company displays a notification to users inviting them to read lengthy legal documents about their use of data and asking them to accept the terms in order to continue using the website or application. [18] [19] Data minimization places limits on what data can be collected in the first place rather than simply dictate how use of data is communicated. [19] [14] US President Joe Biden included the importance of such a data privacy law in his 2023 State of the Union address. [20]
The bipartisan proposal was introduced in April 2024 by two Washington lawmakers, Senator Maria Cantwell and Representative Cathy McMorris Rodgers. [10] Cantwell is a Democrat who serves as Chair of the Senate Committee on Commerce, Science, and Transportation and McMorris Rodgers is a Republican who chairs the House Committee on Energy and Commerce. [21] Cantwell did not support the ADPPA, which is part of why that legislation stalled, according to The Verge . [13] She wanted individuals to be more empowered to sue companies for violating their privacy rights (a private right of action). In that and other ways, some state laws took privacy measures further than the ADPPA, leading to some Democratic opposition for the way the federal policy would supersede the states. The initial draft of APRA would have still overridden most of the state laws, but was written to incorporate elements of those laws in part to overcome such objections. [22]
The bill underwent a series of revisions prior to being shared in early June 2024. Those revisions made concessions to Republican lawmakers that were poorly received by privacy advocates. The bill was introduced as H.R. 8818 on June 25, 2024 and scheduled for markup to begin on June 27. [23] When the markup date arrived, the session was canceled amid reports that Republican leaders had signaled they would not permit the bill to move forward regardless of committee decisions. [24] [25]
The American Privacy Rights Act would create limitations on the kinds of data companies can collect about their users. [21] [13] [26] It includes provisions to give users the ability to access the data companies have about them as well as to make changes or remove such data and restricts the ability of companies to impose mandatory arbitration. It creates a registry for data brokers and includes opt-out procedures for consumers who do not want their data sold or used for personalized advertising. [12] [21]
APRA expands some of the California law's enforcement mechanisms, enabling not just the Federal Trade Commission (FTC) to take legal action against violators, but also state attorneys general and private citizens. [12] Except in cases of a "substantial privacy harm", companies have a 30-day window after being notified of a violation to make a correction. [13]
The legislation would apply to businesses that sell users data or which have more than $40 million in annual revenue, intended to apply primarily to those with greater than $250 million in revenue ("large data holders"). [27] [28]
In June 2024, prior to a committee markup session, the bill was subject to several controversial revisions. Under pressure from Republican lawmakers, a section on civil rights protections was removed. Sections on AI and algorithms were also cut, as was an enforcement mechanism through the Federal Trade Commission. [11] [29] [30] The changes also weakened data minimization principles, regarding data kept on a user's device as exempt. [11] The extent to which the bill preempts state privacy laws changed as well, preempting only those laws with a scope similar to the APRA but allowing states to have stricter or more specific requirements. Other sections were added or expanded, such as new "Privacy By Design" requirements, additional obligations for data brokers, and a provision to allow users to request humans make "consequential decisions" rather than algorithms. [29]
According to The Washington Post in April 2024, the law is a "major breakthrough" in an "issue that has befuddled lawmakers despite near-universal agreement -- in Silicon Valley and in Washington -- on the need for federal standards to determine how much information companies can collect from consumers online". [22]
McMorris Rodgers' Democratic counterpart on the House committee, Frank Pallone of New Jersey, called the draft "very strong" but said he wanted to see greater protections applied to children. [13] Representative Jan Schakowsky, Ranking Member on the committee's Innovation, Data, and Commerce subcommittee, expressed optimism about the proposal and cited "an urgency that's felt to get this done". [6]
The digital rights advocacy organization Electronic Frontier Foundation was positive about the basic components of the bill, but presented many ways in which the bill should be strengthened or modified to increase consumer protections, including allowing states to pass more strict laws and limiting the extent to which companies can share data with the government. [31]
Stewart Baker, in the Volokh Conspiracy , criticized the bill's requirement that companies assess the extent to which their algorithms harm certain groups more than others and document any measures they take to mitigate such harms. Baker argued that efforts to curb discrimination would themselves lead to discrimination against other groups. [32] Advertising industry advocates and other critics expressed concern at the way restrictions on data security and targeted advertising could affect dominant business models, creating a situation that larger companies may be better able to adapt to than small businesses. [33] [34]
The June 2024 revisions were poorly received by privacy rights groups. The removal of civil rights protections provisions in particular led dozens of data privacy, internet rights, and civil rights groups to express objections or withdraw support. The American Civil Liberties Union, Center for Democracy and Technology, and the NAACP, for example, issued critical statements. [24] According to Wired , the new version was "engineered to appease conservative lobbyists representing the interests of big business," but even after the changes, Republican leadership signaled they would not support it even with the changes, leading the markup session to be canceled. House Majority Leader Steve Scalise named the private right of action as a point of contention, which remained after the changes. [25] [24]
Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.
Maria Ellen Cantwell is an American politician who is the junior United States senator from Washington since 2001. A member of the Democratic Party, she served in the Washington House of Representatives from 1987 to 1993, and in the United States House of Representatives from 1993 to 1995.
Cathy Anne McMorris Rodgers is an American politician who is the United States representative for Washington's 5th congressional district, which encompasses the eastern third of the state and includes Spokane, the state's second-largest city. A Republican, McMorris Rodgers previously served in the Washington House of Representatives. From 2013 to 2019, she chaired the House Republican Conference.
Center for Democracy & Technology (CDT) is a Washington, D.C.–based 501(c)(3) nonprofit organisation that advocates for digital rights and freedom of expression. CDT seeks to promote legislation that enables individuals to use the internet for purposes of well-intent, while at the same time reducing its potential for harm. It advocates for transparency, accountability, and limiting the collection of personal information.
Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.
Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.
Frank Joseph Pallone Jr. is an American lawyer and politician serving as the U.S. representative for New Jersey's 6th congressional district since 1988. He is a member of the Democratic Party. The district, numbered as the 3rd district from 1988 to 1993, is in the north-central part of the state and includes New Brunswick, Woodbridge Township, Perth Amboy, Sayreville, Edison, Piscataway and Asbury Park. Pallone is the ranking member of the House Energy and Commerce Committee.
The Online Protection and Enforcement of Digital Trade Act is a bill introduced in the United States Congress proposed as an alternative to the Stop Online Piracy Act and PROTECT IP Act, by Senator Ron Wyden of Oregon, a Democrat, and Representative Darrell Issa of California, a Republican. The text of the bill is available for public comment at keepthewebopen.com.
Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.
The General Data Protection Regulation, abbreviated GDPR, or French RGPD is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.
The USA Freedom Act is a U.S. law enacted on June 2, 2015, that restored and modified several provisions of the Patriot Act, which had expired the day before. The act imposes some new limits on the bulk collection of telecommunication metadata on U.S. citizens by American intelligence agencies, including the National Security Agency. It also restores authorization for roving wiretaps and tracking lone wolf terrorists. The title of the act is a ten-letter backronym that stands for Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015.
The Biometric Information Privacy Act (BIPA) is a law set forth on October 3, 2008 in the U.S. state of Illinois, in an effort to regulate the collection, use, and handling of biometric identifiers and information by private entities. Notably, the Act does not apply to government entities. While Texas and Washington are the only other states that implemented similar biometric protections, BIPA is the most stringent. The Act prescribes $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless. Because of this damages provision, the BIPA has spawned several class action lawsuits.
Zack Stephenson is an American politician and member of the Minnesota House of Representatives. A member of the Minnesota Democratic–Farmer–Labor Party (DFL), he represents District 35A in the northwestern Twin Cities metropolitan area.
The EARN IT Act is a proposed legislation first introduced in 2020 in the United States Congress. It aims to amend Section 230 of the Communications Act of 1934, which allows operators of websites to remove user-posted content that they deem inappropriate, and provides them with immunity from civil lawsuits related to such posting. Section 230 is the only surviving portion of the Communications Decency Act, passed in 1996.
The Digital Services Act (DSA) is an EU regulation adopted in 2022 that addresses illegal content, transparent advertising and disinformation. It updates the Electronic Commerce Directive 2000 in EU law, and was proposed alongside the Digital Markets Act (DMA).
The Augmenting Compatibility and Competition by Enabling Service Switching Act of 2021, or the ACCESS Act of 2021, is a proposed antitrust bill in the United States House of Representatives. The purpose of the legislation is to mandate data portability from Big Tech companies to provide users the ability to switch their data between platforms.
The American Data Privacy and Protection Act (ADPPA) was a United States proposed federal online privacy bill that, if enacted into law, would have regulated how organizations keep and use consumer data. The bipartisan, bicameral bill was the first American consumer privacy bill to pass committee markup, which it did with near unanimity.
The Kids Online Safety Act (KOSA) is a proposed legislation first introduced in Congress in 2022. The bill aims to establish guidelines to protect minors from harmful material on social media platforms through a "duty of care" system and requiring covered platforms to disable "addicting" design features to minors.
Data minimization is the principle of collecting, processing and storing only the necessary amount of personal information required for a specific purpose. The principle emanates from the realisation that processing unnecessary data is creating unnecessary risks for the data subject without creating any current benefit or value. The risks of processing personal data vary from identity theft to unreliable inferences resulting in incorrect, wrongful and potentially dangerous decisions.
The Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA) is an act of Congress that was signed into law on April 24, 2024, as part of Public Law 118-50. It would ban social networking services within 270 to 360 days if they are determined by the president of the United States and relevant provisions to be a "foreign adversary controlled application"; the definition covers websites and application software, including mobile apps. The act explicitly applies to ByteDance Ltd. and its subsidiaries—including TikTok—without the need for additional determination. It ceases to be applicable if the foreign adversary controlled application is divested and no longer considered to be controlled by a foreign adversary of the United States.