The American Privacy Rights Act: Implications and Insights for a Data-Driven Future
#USA #APRA


Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

I have been figuring out the American Privacy Rights Act's (APRA) data minimisation requirements. I think I get it, but they're kind of oddly constructed, and I think there are some drafting issues. Here we go.

Versions used:

· American Privacy Rights Act (APRA), discussion draft, version posted by the House Energy & Commerce Committee on 9 April 2024. Note: there are slight differences between this version, the initial version shared days before, and the similar discussion draft posted by the Senate Committee on Commerce, Science, and Transportation.

· American Data Privacy and Protection Act (ADPPA), as amended by the House Energy & Commerce Committee in July 2022 and reported in the House of Representatives on 30 December 2022.

· Consumer Online Privacy Rights Act (COPRA), as introduced on 4 November 2021. Note: although Senator Cantwell’s team worked on a non-public version of this bill in 2022 that was circulated among stakeholders in D.C., this post compares only the public version.

Bear in mind I've taken some paraphrasing liberties throughout this post; read the discussion draft itself wherever precision matters.

Draft changes observed: the revised draft has no section 14(c).

Refer to section:

SEC. 3. DATA MINIMIZATION

There are 15 exceptions, the "permitted purposes", which are available to "a covered entity, or service provider acting on behalf of a covered entity".

The rules differ for "sensitive covered data".

A service provider acting on behalf of a covered entity shall not transfer sensitive covered data to a third party without the affirmative express consent of the individual to whom such data pertains.


By default, covered entities may only collect, process, retain, or transfer "covered data" to the extent "necessary, proportionate, and limited" to two purposes:

1. To provide or maintain a specific product or service requested by the individual (this includes billing and similar functions), or

2. For communications reasonably anticipated by the individual in the context of the relationship.


SEC. 9. DATA SECURITY AND PROTECTION OF COVERED DATA:

Subsection headings: "assess vulnerabilities; preventative and corrective action; information retention and disposal; retention schedule; incident response".


SEC. 11. SERVICE PROVIDERS AND THIRD PARTIES:

"Transferring" plays the role that "selling" plays under the CCPA, but it is broader: a transfer is any disclosure, release, sharing or making available of covered data to another party, whether or not money or other valuable consideration changes hands. Where a particular rule turns on consideration, the draft says so explicitly (see the permitted purposes below).


The "affirmative express consent" definition is as strong as has become usual in recent US privacy bills. You must also provide an easy way to withdraw consent.

If you DON'T have consent for the transfer, the "permitted purposes" are still available. However:

· two of them (the advertising-related purposes) exclude sensitive covered data, and

· some exclude transfers for "consideration".


Then there's "biometric information" and "genetic information".

To collect, process, retain, or transfer biometric or genetic information, you need affirmative express consent.

But if you don't have consent, you can:

· "collect, process, or retain" it where "essential" for nine of the 15 permitted purposes, or

· "transfer" it where essential for seven of the 15 permitted purposes.


SEC. 16. PRIVACY-ENHANCING TECHNOLOGY PILOT PROGRAM

1. Pilot program: a pilot program to encourage private-sector use of privacy-enhancing technology for the purpose of protecting covered data in compliance with section 9.

· The Comptroller General of the United States (in this subsection referred to as the "Comptroller General") shall conduct a study to: (A) assess the progress of the pilot program established under subsection (a);

2. Data security (Sec. 9): covered entities and service providers must implement reasonable data security practices commensurate with the nature and sensitivity of the data involved.

3. Requirements for large data holders (Sec. 10, Executive Responsibility): large data holders must appoint privacy and data security officers, certify compliance to the FTC, and conduct periodic privacy impact assessments.


Index of sections:

SECTION 1. SHORT TITLE; TABLE OF CONTENTS

SEC. 2. DEFINITIONS

SEC. 3. DATA MINIMIZATION

SEC. 4. TRANSPARENCY

SEC. 5. INDIVIDUAL CONTROL OVER COVERED DATA

SEC. 6. OPT-OUT RIGHTS AND CENTRALIZED MECHANISM

SEC. 7. INTERFERENCE WITH CONSUMER RIGHTS

SEC. 8. PROHIBITION ON DENIAL OF SERVICE AND WAIVER OF RIGHTS

SEC. 9. DATA SECURITY AND PROTECTION OF COVERED DATA

SEC. 10. EXECUTIVE RESPONSIBILITY

SEC. 11. SERVICE PROVIDERS AND THIRD PARTIES

SEC. 12. DATA BROKERS

SEC. 13. CIVIL RIGHTS AND ALGORITHMS

SEC. 14. CONSEQUENTIAL DECISION OPT OUT

SEC. 15. COMMISSION APPROVED COMPLIANCE GUIDELINES

SEC. 16. PRIVACY-ENHANCING TECHNOLOGY PILOT PROGRAM

SEC. 17. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION

SEC. 18. ENFORCEMENT BY STATES

SEC. 19. ENFORCEMENT BY INDIVIDUALS

SEC. 20. RELATION TO OTHER LAWS

SEC. 21. CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998

SEC. 22. TERMINATION OF FTC RULEMAKING ON COMMERCIAL SURVEILLANCE AND DATA SECURITY

SEC. 23. SEVERABILITY

SEC. 24. EFFECTIVE DATE

Neil Khatod

CISO | Chief of CISO Services | Veterans Outreach lead at Hays Americas Extensive experience leading technical teams: Former COO, CEO, CIO, and CISO

9 months ago

We are in dire need of legislation that focuses on protecting the individual as big business is often using our data in irresponsible or even nefarious ways. Thank you for sharing!

Namita Anil PATIL

Certified OneTrust Certified Privacy Management Professional (OTCP)/Privacy Professional | Certified CISCO-Jr. Cybersecurity Analyst/Ethical Hacker/Cyber Threat Management | Penetration Tester

9 months ago

Interesting!


More articles by Anil Patil "PrivacY ProdigY"
