The American Privacy Rights Act: A Bipartisan Step Forward in Consumer Data Privacy Legislation

Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA) have jointly unveiled draft proposed legislation, the American Privacy Rights Act (APRA), to establish a comprehensive national framework for consumer data privacy and security. This bipartisan effort, which does not specifically address employee data, reflects an acknowledgment of the evolving challenges and concerns surrounding data privacy in the digital age.

Overview: The proposal would establish national consumer data privacy rights and set federal standards for data security, addressing the current patchwork of state requirements. The proposal would also require covered entities to be transparent about how they use consumer data and give consumers the right to access, correct, delete, and export their data, as well as opt out of targeted advertising and data transfers. Read the section-by-section summary of the APRA. 

Personal data disclosure mitigation: A key provision of the proposal is the imposition of data security standards on businesses to mitigate the risk of data breaches and unauthorized access. The proposal also prevents companies from enforcing mandatory arbitration in cases of substantial privacy harm. Companies found in violation of these standards could face legal repercussions, including lawsuits from individuals or state attorneys general. The Federal Trade Commission would also play a significant role in enforcing the law, particularly in cases involving large-scale data breaches.

A long way to go: While the proposal aims to enhance consumer privacy rights, the current draft does not apply to data employers collect about their workers and does not preempt state laws related to employee data privacy. However, the legislative process for development of bill text is in the early stages and the final text may look quite different after what is sure to be a long, combative policymaking process.

Preemption of state laws: The introduction of the American Privacy Rights Act comes at a time when numerous states have already passed comprehensive data privacy laws, each with its own set of provisions and requirements. The variation among these state laws has posed challenges for multistate businesses striving to maintain consistent compliance. California's Consumer Privacy Act (CCPA) stands out as one of the most robust and far-reaching among these state laws, setting a high standard for data privacy regulation. In its current form, the APRA would preempt state data privacy laws, including much of California’s landmark CCPA, which is likely to draw strong opposition from that state’s powerful congressional representatives. 

Outlook: The fate of the American Privacy Rights Act hinges on gaining support from both the House and the Senate before it can become law. Unlike past proposals, this one seems to have momentum due to Commerce Committee leadership by Senator Cantwell in the Senate and Representative Cathy Rodgers in the House. While the bill has a chance of passing in 2024, it faces an uphill battle due to the slim margins in Congress, election year politics, and historic challenges of achieving consensus on privacy legislation. Disagreements over issues such as preemption of state laws, the private right of action, and the balance between consumer protections and business interests have derailed past efforts.