Kirkland Discusses Prospect of Comprehensive Nationwide Privacy Legislation

In the latest effort to enact a federal privacy law, Senator Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science and Transportation, and Representative Cathy McMorris Rodgers (R-WA), Chair of the House Committee on Energy and Commerce, recently announced a bipartisan, bicameral draft of the American Privacy Rights Act of 2024 (APRA). If enacted, the law would replace the current state-by-state framework of data privacy laws with a national standard and create a number of enforcement mechanisms, including a central role for the Federal Trade Commission (FTC) and state attorneys general (AGs) and a private right of action for individual consumers. We expect Congress to continue to discuss the bill in the coming months.

Key Provisions

The APRA would require covered entities — essentially any person or business that collects or receives consumer data, has more than $40 million in annual revenue, and is not exempt from the FTC Act (APRA’s scope is discussed below) — to provide consumers with more control over their data and implement heightened protections over consumer data within six months of the bill’s enactment by:

  • Allowing consumers to request access to, correction of, deletion of and export of covered data (e.g., address, browsing data, private communications, login credentials);
  • Allowing consumers to opt out of targeted advertising and the transfer of covered data to third parties;
  • Prohibiting algorithmic discrimination based on sensitive characteristics;
  • Requiring data minimization, particularly for biometric, health and other sensitive data;
  • Requiring increased transparency in the form of more detailed privacy policies, with heightened obligations for large data holders;
  • Requiring increased executive responsibility by designating certain privacy officers and, in some instances, conducting privacy impact assessments, among other things; and
  • Establishing a standard for data security practices, including incident response procedures.

Scope

Covered Entities. The Act applies to entities that (1) “determine the purpose and means of collecting, processing, retaining, or transferring covered data” and (2) are subject to the FTC Act.[1] The Act does not apply to small businesses that do not monetize consumer data. Specifically, the Act excludes (i) businesses with less than $40 million in average annual gross revenue over the preceding three years that do not transfer consumer data to third parties for revenue, (ii) government entities, and (iii) certain non-profits. In addition, the bill would establish heightened requirements for large data holders, data brokers, and high-impact social media companies.

Covered Data. The Act’s definition of “covered data” is likewise broad, defined as “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals.” Deidentified data, certain employee information and publicly available information are excluded from the definition of “covered data” under the APRA.

The bill would also establish heightened requirements for “sensitive covered data” (e.g., information about individuals under the age of 17, financial account information, biometric information, precise geolocation information, health data, log-in credentials and certain web-browsing history).

Enforcement

The draft Act would allow enforcement by the FTC (including a new bureau established specifically to implement and enforce the law), state attorneys general, and, perhaps most notably, individual consumers. APRA’s inclusion of a private cause of action to seek damages for violations almost certainly would result in a proliferation of new lawsuits, including class actions, across the country.

Preemption of State Privacy Laws

With certain exceptions, the Act would preempt state privacy laws, including the landmark California Consumer Privacy Act (CCPA). The draft law would preserve state laws that regulate certain kinds of data (such as financial or health data) and general claims under state unfair or deceptive acts or practices (UDAP) laws, civil rights laws and contract/tort law. Although the draft says the law’s purpose is “to establish a uniform national data privacy and data security standard,” it may take litigation to flesh out the breadth of the preemption provisions and to determine which state laws remain operative vis-à-vis privacy claims.

Likelihood of Enactment

In contrast to previous congressional attempts to enact federal privacy legislation, the draft APRA appears to have momentum due to support from key stakeholders among both parties’ leadership, and thus represents the most significant step towards a comprehensive privacy law in the U.S. since the failure of the much-awaited American Data Privacy and Protection Act of 2022.

ENDNOTES

[1] The Act would also cover common carriers subject to Title II of the Communications Act and nonprofit organizations. The FTC Act excludes a small segment of entities, including banks, insurance companies and certain nonprofits.

This post comes to us from Kirkland & Ellis LLP. It is based on the firm’s memorandum, “Prospect of Comprehensive Nationwide Privacy Legislation Reemerges,” dated April 17, 2024.