The APRA (Federal Privacy Bill) is here: What do you need to do?

Federal privacy law incoming? A draft of the bipartisan American Privacy Rights Act, by Representative Cathy McMorris Rodgers and Senator Maria Cantwell, has been released. What do you need to know and do?

Eye openers:

  • Strict data minimization and consent to share sensitive data
  • Private right of action
  • Effective date 180 days after enactment
  • Broad preemption of state laws...
  • Targeted advertising is an exception to the requirement to process only information that is necessary to provide a requested service, alongside cooperation with law enforcement, public safety, and fraud prevention.
  • Data processors: a privacy notice is required AND they are prohibited from processing data if they know that the instructing covered entity violated the law
  • Clear requirements for data governance
  • Envisions compliance certification
  • DPIAs and algorithm assessments only for large data holders


Scope:

  • Applies to you if you are an entity subject to FTC jurisdiction (common carriers included) and are not a small business (the small-business definition excludes any entity that transfers data in exchange for "anything of value");
  • Additional obligations if you are a "large data holder" or a "covered high-impact social media company"
  • Employee data (when processed solely as necessary for employment) and public information are out of scope (but check the definition of public: it does not include inferences that could be sensitive)
  • Address all biometrics: the definition covers data generated from biological characteristics, not only data that is used to identify a person
  • Address the algorithms that "make a decision OR facilitate human decision making", which covers not only the provision of products but also "ranking/promoting/recommending the delivery or display of information"


Data minimization

  • Collect only data that is necessary, proportionate and limited to (1) providing a specific product/service requested by an individual (FTC will issue guidance); (2) providing targeted advertising if the individual has not opted out; or (3) the usual exceptions, such as: protecting information security; complying with a legal obligation/subpoena; defending legal claims; product recalls; market research; de-identifying data; transferring assets in a reorganization; protecting against fraud; responding to a public safety incident.
  • Adopt and abide by a retention schedule that requires deletion of data no longer necessary for the purpose (unless you obtain consent to keep it).


Sensitive data

  • Broad definition that includes CPRA categories and items from recent FTC decisions, such as: calendar and address book information; viewing of video programming; browsing history; information on minors;
  • Make sure you get consent before sharing sensitive data with a third party; withdrawing consent must be as easy as giving it.
  • When you ask for consent, make it a stand-alone request; list each purpose; explain all rights; and make rejection as easy as acceptance.
  • Make sure you get consent to collect, process, retain or share biometric or genetic information, unless doing so is essential for one of the specifically listed purposes.
  • Assess whether you hold information about individuals under 17 (the bill's definition of "children")


Transparency

  • Provide (whether you are a controller OR a processor) a clear, conspicuous, not misleading, easy-to-read privacy notice with a detailed and accurate representation of your data processing. The usual content plus: contact information for the controller/processor and for the affiliates to which data is transferred; the retention period for each category of data; whether the data is accessible to a foreign adversary.
  • Provide a direct notification + opt-out for each material change to your notice (a material change is one that would likely affect a person's decision to provide express consent or to opt out of processing of their data)
  • Provide a short-form notice that is no more than 500 words long (FTC will issue guidance)


Individual Rights:

  • Provide all the usual rights, but with a 30-day response time and naming the specific third parties AND service providers with whom the data was shared
  • Review the limited exceptions to the rights (similar to those under GDPR)
  • Consider keeping data on-device, where the individual can retrieve it themselves
  • Enable a universal opt-out mechanism for data sharing and targeted advertising
  • Starting two years in: honor an opt-out preference signal to be specified by regulation
  • Make sure you don't use dark patterns
  • Provide an opt-in both for participation in loyalty programs and for data sharing within them


Governance

  • Adopt employee data protection training
  • Assess your information security program
  • Adopt an incident response program
  • Designate at least one employee as a privacy or data security officer
  • Implement a data privacy program and a data security program
  • Additional governance requirements if you are a large data holder
  • Consider applying for approval of compliance guidelines, which provides a rebuttable presumption that you are in compliance with the relevant provisions of the Act


Service Providers and Third Parties:

  • If you are a service provider: refuse to process data if you know that the instructing covered entity violated the law. Otherwise, similar obligations and contract requirements apply.
  • If you are a third party: process sensitive information only for the purpose for which the individual gave consent; you may rely on the controller's representations only if you conduct reasonable due diligence on those representations
  • As a covered entity: you must conduct due diligence before engaging a service provider/third party, and you will be liable for their violation if you had "reason to believe" (so: diligence + contract + audit)


Data brokers

  • Narrower definition: the entity's "principal source of revenue" comes from the sale of data.
  • Provide a privacy notice based on guidance to be issued, and provide an opt-out link that will work across most data brokers (à la the California DELETE Act).
  • Register in the data broker registry


Anti discrimination and Algorithms:

  • Make sure that you don't process information in a way that discriminates
  • Assess whether you have any algorithm that makes or facilitates a consequential decision; if so, provide notice and an opt-out
  • If you are a "large data holder", conduct a covered algorithm impact assessment and an algorithm design evaluation


Enforcement and preemption

  • Effective date: 180 days after enactment
  • Enforcement by: a new FTC bureau + state AGs + a private right of action
  • Carve-out for BIPA and California data breach claims
  • Injunctive relief subject to a 30-day cure period
  • State laws are generally preempted, except for: employee privacy; student information; data breach laws;
  • FTC NPRM of 8/8/2022 is terminated.

#dataprivacy #dataprotection #privacyFOMO


Kajol Patel

Partner Alliance Marketing Operations at Data Dynamics

6 months

The American Privacy Rights Act (APRA) is set to reshape the landscape of data privacy in the U.S. with its comprehensive requirements and strict regulations. From data minimization to sensitive data management, the APRA emphasizes transparency, governance, and accountability across the board. For businesses, this means a significant shift in how data is handled, with new obligations and stringent compliance measures. As we prepare for the enactment of this landmark legislation, it’s crucial to understand its far-reaching implications and start aligning your privacy practices to stay ahead.

Jason Bier

General Counsel and Chief Privacy Officer at Adstra; President of Treuth

10 months

Big things look to be ahead in the name of privacy thanks to the APRA, Odia. People will certainly want this to be enacted in a timely manner. I'll be curious to see how fast it can develop.

Eric Basham

Information Security and Privacy Leader | CISSP/CRISC/CIPM

10 months

I'd expect broad pre-emption to be negotiated out or highly modified if it is to pass but cheers to Fed gov for trying again.

Hana Schubertová

Data protection | Paralegal

11 months

Great summary.
