Takeaways

The draft legislation, known as the American Privacy Rights Act (APRA), aims to harmonize the patchwork of existing U.S. privacy laws.
The APRA provides new consumer privacy rights, requires data minimization, and has a broad private right of action that is not limited to data breaches.
This draft may be a promising vehicle for finally passing the U.S. national standard on privacy.

On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science and Transportation, and U.S. Rep. Cathy McMorris Rodgers (R-WA), Chair of the House Committee on Energy and Commerce, released a discussion draft of the American Privacy Rights Act (APRA). This bipartisan, bicameral draft legislation builds upon the previous draft U.S. comprehensive privacy bills and seeks to eliminate the existing patchwork of sectoral-based and state-specific data privacy laws in the United States. If passed, the APRA would rival the EU General Data Protection Regulation (GDPR) and become one of the leading global privacy standards. “Fired up” to get the comprehensive privacy legislation across the finish line is the message we heard from the members of the Energy and Commerce (E&C) subcommittee hearing on April 17. Each of the five expert witnesses also answered unanimously “yes” to the question of whether this bill was the best chance Congress had to pass a national privacy standard. This article looks at why this time may be different.

The Case for a Comprehensive U.S. Privacy Law
The U.S. privacy law landscape is currently fragmented, with different protections for specific industries, types of data or jurisdictions. Since the GDPR went into effect in 2018, a flurry of new privacy, cybersecurity and consumer protection regulations have been passed, but not at the national level, resulting in uncertainty for businesses and confusion for consumers. For many years, both industry leaders and civil advocacy groups have called on Capitol Hill to pass a comprehensive U.S. privacy law. While policy experts have doubted that Congress could pass much legislation in the months leading up to the 2024 election, this could be achieved if the right stakeholders come to the table—and fast.

Why States Matter
It’s notable that the two Committee chairs who introduced the APRA both hail from Washington. Washington, as the home state to major retail and tech companies, has been innovating in the area of privacy protections, especially for health data. Washington’s My Health My Data Act (MHMDA) went into force just weeks ago on March 31, 2024, and provides protections for “consumer health data” that far exceed the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In addition to Washington, federal lawmakers will need to consider other states that have passed comprehensive privacy laws recently, including California. Following on the heels of the GDPR, California enacted the California Consumer Privacy Act (CCPA) in 2020, a landmark consumer protections law that, according to the assessment prepared for the California state attorney general, cost companies as much as $55 billion in compliance costs.

Just last year, Governor Gavin Newsom, Attorney General Rob Bonta and the California Privacy Protection Agency (CPPA) sent a joint letter to Congress opposing preemption language in the previously failed federal privacy draft bill, the American Data Privacy Protection Act (ADPPA). The California Office of the Attorney General and the CPPA, the first state agency in the United States dedicated to privacy, have been vigorously enforcing the CCPA since 2020 and have called on Congress to set the floor and not the ceiling. One likely point of contention will be whether the federal privacy law will allow states to go further than the federal law or if state laws like the MHMDA and the CCPA will be preempted. On April 16, the CPPA sent a letter to the two co-sponsors of the bill, outlining the areas where it believes the APRA is weaker than the CCPA.

Even if the bill passes the House, the APRA may still face an uphill climb in the Senate. Sen. Ted Cruz (R-TX) has already issued an initial statement that “I'll be carefully reviewing this bill to ensure it doesn't have the same flaws as the failed (ADPPA).” Texas has a comprehensive privacy law that goes into effect in July. The Texas law contains significant protections for Texas consumers and is currently setting the high-bar standard for regulation of small businesses.

Key Differences Between the APRA, ADPPA and CCPA
As there is a lot to unpack and we anticipate that the draft legislation will undergo a number of changes before it is put to a vote, we will continue to monitor the legislative developments in a series of articles, highlighting different aspects of this new draft bill. First, we provide high-level comparisons between the APRA, the ADPPA and the CCPA.

The APRA builds on the foundation of the ADPPA, which was approved by the House Committee on Energy and Commerce in 2022 but failed to advance to the House or Senate in the last Congress. The APRA appears to borrow from, and harmonizes requirements with, existing privacy laws, including the CCPA.

Like the ADPPA and the CCPA, the APRA provides consumer privacy rights, includes new requirements for data minimization, and has a private right of action. The APRA differs from the ADPPA and the CCPA in the following areas:

  • Key Definitions: While the definition of Covered Data is slightly broader than in the ADPPA, it still does not define “inference” in the manner defined under the CCPA. The CPPA had previously objected to the ADPPA not including “inference” in the definition of covered data. The APRA currently includes five exclusions from Covered Data, with “inferences made exclusively from multiple independent sources of publicly available information” as one of the exclusions. “Publicly available information” is defined in the APRA and is slightly different from how that term is defined in the CCPA. The following terms are worth a careful review, as they represent either new requirements for businesses or an expanded set of obligations building upon existing privacy protections:

- Affirmative express consent
- Biometric information
- Covered algorithm
- Data broker
- De-identified data
- Derived data
- Health information
- On-device data
- Portable connected device
- Precise geolocation information
- Sensitive covered data
- Substantial privacy harm
- Targeted advertising
- Unique persistent identifier

  • Transfer of Sensitive Data: Unless certain exceptions apply, Section 3(b) of the APRA prohibits transferring sensitive covered data to a third party without the affirmative express consent of the individual to whom such data pertains. Pursuant to Section 19(a), an entity that violates this section is subject to civil enforcement by individuals. The ADPPA had contained a broader provision prohibiting the collection, processing and transfer of sensitive covered data unless the individual provided affirmative express consent. The CCPA requires businesses to provide a clear and conspicuous link on the business’s internet homepage titled “Limit the Use of Sensitive Personal Information” that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer’s sensitive personal information to the use that is necessary to perform the services or provide the goods reasonably expected by an average consumer. An affirmative express consent requirement under the APRA would be a more difficult standard for businesses to meet, especially given the broad definition of what constitutes sensitive data under the APRA. The current definition includes calendar information, address book information and account or device log-in credentials, for example, which traditionally have not been defined as sensitive data in existing U.S. privacy laws. In its April 16 letter, the CPPA noted, in particular, that it would like the APRA to include protections for information revealing sexual orientation, union membership and immigration status, which are protected as sensitive data under the CCPA.
  • Global Opt-Out: Under Section 6(b) of the APRA, the Federal Trade Commission (FTC) has two years to clarify the outlines of the global opt-out requirement, which is six months longer than what was proposed by the ADPPA. A covered entity will be required to abide by any designation made by an individual through any such mechanism.
  • Non-Retaliation and Non-Discrimination Provisions: Section 8 of the APRA, like the CCPA, prohibits a covered entity from retaliating against a person for exercising their rights. The APRA prevents a covered entity or a service provider from collecting, processing, retaining or transferring covered data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex or disability. However, this prohibition does not apply to advertising, marketing or soliciting economic opportunities or benefits to underrepresented populations or members of a protected class (i.e., race, color, religion, national origin, sex or disability). This is a departure from the CCPA’s discrimination provisions which only address discrimination against an individual who exercised their rights under the law. While the ADPPA also prohibited discrimination on the basis of race, color, religion, national origin, sex or disability, it did not contain the exception noted above.
  • Loyalty Programs: Section 8 (b) of the APRA would require providers of bona fide loyalty programs to obtain affirmative express consent from individuals to participate in the bona fide loyalty programs and provide the means to withdraw the affirmative express consent provided. The current draft of the APRA would not require businesses to calculate the value of the consumer’s data, which the CCPA regulations currently require as part of the loyalty program notice.
  • Executive Responsibility: Section 10(a) of the APRA requires covered entities and service providers to designate one or more qualified employees to serve as privacy or data security officers. Covered entities or service providers that are large data holders will need to designate one qualified employee to serve as privacy officer and one qualified employee to serve as data security officer. One year after the APRA’s enactment, the CEO of a large data holder and each privacy or data security officer must make an annual certification to the FTC attesting to the entity’s internal controls and reporting structures. The ADPPA took a slightly different approach. It required a covered entity or service provider with more than 15 employees to designate at least one person as a privacy officer and at least one person to act as a data security officer. The ADPPA also imposed additional requirements for entities that are large data holders. This provision in the APRA differs from the CCPA, which does not contain any privacy or security officer requirements or any annual certification requirement.
  • Service Providers: While the GDPR and the CCPA have specific requirements for data processors and service providers, Section 11 of the APRA makes it clear that a service provider is not a “covered entity.” The question of who is a service provider and who is a third party was central to determining whether there is a “sale” of consumer data under the CCPA. How the APRA builds upon the concept of data controller and data processor and applies the consumer opt-out rights to certain data transfer practices will be one of the key areas to watch.
  • Data Brokers: Section 12 of the APRA provides consumers a right to submit a global data broker “Do Not Collect” request through a searchable registry maintained by the FTC. The CPPA has highlighted that this is one of the areas where the APRA may be weaker than the CCPA because under the current draft, the APRA would still allow the data brokers to retain and sell consumers’ information. In October 2023, California passed the California Delete Act, which amended the existing data broker law and sought to establish a one-stop shop for consumers to make a singular request that all data brokers delete their personal information. The CPPA also noted that the APRA caps certain penalties for data brokers’ noncompliance with registration and notice requirements to approximately $10,000 per year. The California Delete Act has no such cap.
  • Consequential Decision Opt-Out: Section 14 (a) of the APRA requires that an entity that makes or facilitates a “consequential decision” provide notice to any individual subject to such use of the “covered algorithm” and provide an opt-out of use of the covered algorithm. This was not in the ADPPA. Lack of such an opt-out in the ADPPA was previously highlighted by the CPPA as an area of concern and the CPPA is currently engaged in rulemaking on automated decision-making, which is expected to conclude before the end of 2024.
  • Privacy Enhancing Technology Pilot Program: Section 16 (a) of the APRA provides for a pilot program to encourage private sector use of privacy enhancing technology for the purpose of protecting covered data and has an audit provision that would allow the FTC to audit entities in the pilot program. In its objection to the ADPPA, the CPPA stated that the California law allows the California enforcers to “audit business’s compliance without bringing an enforcement action—ensuring that the law is upheld without costly litigation.” It remains to be seen whether this audit right is something the federal legislators will reconsider.
  • Enforcement by States: Section 18 of the APRA allows a state attorney general, or another state officer authorized to enforce privacy or data security laws, to bring a civil action in the name of the state in an appropriate federal district court of the United States. In the April 16 letter, the CPPA stated that it believes the draft seeks to remove the CPPA’s authority and specifically highlighted the fact that the CCPA provides the CPPA with the power to audit and bring administrative actions against businesses.
  • Pre-Dispute Arbitration: Under Section 19 (d), an individual alleging a violation of the APRA may choose to void any pre-dispute arbitration agreement with respect to a claim alleging a violation involving a person under the age of 18 or a claim alleging a violation that resulted in a substantial privacy harm—i.e., those harms involving at least $10,000 in alleged damages, physical or mental injuries that require medical treatment, highly offensive intrusions into privacy, or alleged discrimination based on race, religion or other protected classes. As currently drafted, this broad provision is expected to generate a surge in lawsuits for privacy rights violations. The APRA states that a Federal court, rather than an arbitrator, shall determine whether this provision is applicable to an agreement to arbitrate and the validity and arbitrability of an agreement to arbitrate. This unique provision has no counterpart in the CCPA. The APRA’s pre-dispute arbitration provision varies slightly from the ADPPA, which had proposed an arbitration ban for claims by minors as well as claims “related to gender or partner-based violence or physical harm.”
  • Private Right of Action: One of the sticking points during the last debate was whether there should be a private right of action. Section 19 of the APRA comes to the table with a very broad private right of action. As currently drafted, the APRA would allow civil litigation for violations of many enumerated provisions of the APRA and not just for data breaches, including the provision that requires affirmative express consent for the transfer of sensitive covered data. This means, for example, that plaintiffs may bring civil actions alleging that certain data sharing practices of businesses were illegal under the APRA because such transfers were done without meeting the new “affirmative express consent” standard. In comparison, the CCPA only provides a private right of action in instances of a data breach. The ADPPA, on the other hand, permitted any person or class of persons to bring a civil action in Federal court for any violation of the ADPPA. The current draft of the APRA provides a limited 30-day notice and opportunity to cure unless the violation resulted in a “substantial privacy harm.” Any terms of service that mandate arbitration would be deemed unenforceable for any claims alleging a violation involving minors or any claims resulting in a substantial privacy harm.
  • Preemption: Much like the ADPPA, Section 20 (a)(1) of the APRA makes it clear in the “purpose” sections that the legislation’s aim is to “establish a uniform national data privacy and data security standard in the United States,” and effectively preempt any state laws related to consumer privacy. Preemption is poised to be the top issue for California again as the discussion draft goes through legislative consideration. On April 8, Ashkan Soltani, the Executive Director of the CPPA, issued a brief statement stating that “Congress should set a floor, not a ceiling.” Preemption was again featured prominently as one of the reasons the CPPA does not support the APRA in its April 16 letter to the bill sponsors.

What Happens Next
The House E&C subcommittee on innovation, data and commerce (IDC), which held the April 17 hearing, is expected to hold a hearing and mark up the bill, and the draft will move through both the E&C Committee on the House side and the Senate Commerce Committee. IDC subcommittee Ranking Member Jan Schakowsky (D-IL) said that while she preferred how the ADPPA handled preemption of laws, including the Illinois Biometric Information Privacy Act, the urgency to get this bill passed is more compelling than the disagreements. She said “[t]here is just a real consensus that we just have to work it out.” E&C Committee Ranking Member Frank Pallone has also said he’s “optimistic that we’ll be able to get comprehensive privacy legislation across the finish line” and added that he hopes to add more specific protections for children and wants to create a division of youth privacy at the FTC.

While we continue to unpack this landmark draft legislation, we will monitor developments to see if the United States can find a way to reach agreement. This draft has both the carrots and the sticks and may be the best vehicle for finally passing the U.S. national standard on privacy.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.