Understanding the Proposed American Privacy Rights Act

On April 7, 2024, draft legislation for a new American Privacy Rights Act was unveiled. After years of anticipation and calls for a comprehensive federal privacy standard, this bipartisan effort represents a concerted attempt to address the complex landscape of data privacy and security in the United States.

For decades, the US has navigated privacy concerns with a patchwork of state laws and sector-specific regulations. The Privacy Act of 1974 set early standards for data privacy, but the rise of digital technology has outpaced its provisions.

Meanwhile, in recent years, states like California and Virginia have enacted their own privacy laws, creating a mosaic of regulations across the US that challenge consumers, businesses and overseas organizations.

Introducing the American Privacy Rights Act

The new bill was introduced by House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) on April 7, 2024.

The American Privacy Rights Act aims to address the lack of privacy provisions in the US Constitution and Bill of Rights, while acknowledging existing state laws.

“This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent,” said Chair Rodgers.

Chair Cantwell added, “A federal data privacy law must do two things: it must make privacy a consumer right, and it must give consumers the ability to enforce that right.”

The American Privacy Rights Act: Key Provisions

The proposed American Privacy Rights Act aims to harmonize the current patchwork of state privacy laws under a single federal standard.

Key features of the proposed legislation include:

• Right to control personal information: The Act empowers individuals with the right to control their personal data, including the ability to access, correct and delete their information.
• Restrictions on data sale: It places stringent limitations on the sale of personal data, ensuring that individuals have a say in who can profit from their information.
• National standards for data privacy: By establishing a national standard, the new legislation seeks to simplify compliance for businesses and ensure consistent protections for all Americans.

The Challenges of Introducing a Federal Privacy Law

This isn’t the first attempt to introduce federal privacy legislation. Previous proposals included the Personal Data Privacy and Security Act of 2009 and the American Data Privacy and Protection Act (ADPPA) in 2022. However, these failed because of various disagreements around the relationship between federal and state privacy laws and enforcement mechanisms.

While the new bill is the result of years of collaborative effort between the House and the Senate, it still has several challenges to overcome before it can become law. These include:

Federal preemption — In the US, federal legislation typically supersedes state laws, but states like California and Virginia have already established their own comprehensive privacy laws. These states may resist federal laws that would override their own, especially if the federal standards are perceived as weaker.

The Privacy Rights Act includes provisions that would supersede state privacy laws, creating a uniform standard across the country. This aims to resolve the patchwork of state laws and provide clarity for businesses operating in multiple states, as well as businesses providing goods and services to US citizens from overseas.

Balancing stakeholder interests — Federal lawmakers need support from a wide range of groups for legislation to become law. Outside government itself, this includes businesses, privacy advocates and consumer rights groups. Lawmakers need to negotiate a balance between protecting consumer privacy rights, enforcing adequate protections and enforcement mechanisms, and ensuring businesses can comply with the legislation while continuing to operate effectively.

The Privacy Rights Act attempts to balance the varied interests of stakeholders, including tech companies, consumer advocacy groups and state governments. It seeks to protect consumer privacy while considering the operational realities of businesses. The legislation allows for a private right of action, enabling individuals to sue companies for privacy violations, further empowering consumers to enforce their privacy rights.

Future-proofing legislation for technological change — The rapid pace of technological innovation means that privacy laws can quickly become outdated. New privacy legislation needs to be adaptable to keep up with changes in how data is collected, used and shared both now and in the future.

The draft legislation introduces requirements for data minimization, restricting data collection to what is necessary and sets standards for data security.

Implications for the Future

The introduction of the American Privacy Rights Act is a response to the growing demand for privacy reform at the federal level. If passed, it could dramatically alter the landscape of data privacy in the US, aligning it more closely with international standards like the European Union’s GDPR.

The American Privacy Rights Act is a promising step towards a unified data privacy framework in the United States. As the bill moves through the legislative process, it will be crucial for stakeholders to engage in the conversation and shape a law that protects individual rights while fostering innovation and growth in the digital economy.