The American Privacy Rights Act (APRA): What You Need to Know

Expert insight from a data privacy lawyer

Kirsten Craig is a qualified lawyer with more than 20 years’ experience, and a data privacy specialist.

She’s previously worked as a senior data privacy counsel for the European arm of a global health insurance provider, advising on data privacy and liaising with a wide range of business units and a variety of stakeholders. Kirsten has also worked as compliance counsel within regulated industries.

Now, Kirsten is a data privacy lawyer at our sister company GRCI Law, where she helps organizations meet their data protection obligations under laws like the GDPR (General Data Protection Regulation), as well as national privacy laws.

One such law could be the proposed APRA – the ‘American Privacy Rights Act’. We sat down to get her thoughts on this potentially landmark deal.

In this interview

  • What the APRA is, and why this may be a landmark deal
  • The interplay of the APRA with state-specific laws
  • APRA requirements and rights for individuals
  • To whom the APRA would apply
  • APRA and EU GDPR overlaps
  • Next steps for the APRA

In the US, expectations are – cautiously – rising that we could see a landmark single federal privacy standard enacted into law. Could you tell us more about that?

A bipartisan deal was formally announced at the start of April this year.

This was brokered by co-sponsors Senator Maria Cantwell [Democratic chair of the Senate Commerce Committee] and Republican Representative Cathy McMorris Rodgers [leader of the House Energy and Commerce Committee].

The deal proposes the American Privacy Rights Act – or ‘APRA’ – and with it, increased control for American consumers over their personal data.

Note: The draft bill is available here.

What makes this deal ‘landmark’?

Existing data privacy laws in the US focus on either:

  • Narrower sector-specific rules, such as HIPAA [Health Insurance Portability and Accountability Act] and COPPA [Children’s Online Privacy Protection Act]; or
  • State-specific provisions, such as the CPRA [California Privacy Rights Act]. However, only 15 states have localized data privacy legislation.

This makes the US data privacy landscape a complex and varied patchwork of laws. One that doesn’t adequately meet the expectations of increasingly privacy-savvy consumers concerned with the safety and integrity of their personal information.

To that end, the APRA proposal, with support across both parties and chambers, marks a significant step forward.

Why doesn’t the US already have a federal privacy law like this?

Lawmakers across the Republican/Democratic divide have long struggled to reach consensus on the scope of any possible broader federal positioning on data privacy.

Key disagreements have focused on points such as:

  • Whether federal laws should override existing state privacy laws
  • The extent to which individuals should have the right to sue where their privacy rights have been violated

Indeed, attempts to create suitable legislation on a federal basis have been ongoing for more than two decades. However, negotiations have repeatedly stalled.

How would the APRA work?

The APRA’s overarching intent is to deliver greater control to individuals over how their personal data is used and, crucially, who it may be shared with.

That said, some exceptions will be necessary, including around:

  • Civil rights
  • Criminal law
  • Employee privacy
  • Consumer protection

The intention is that the APRA will pre-empt state privacy rules or, where they conflict, override state-specific rules.

Speaking of state-specific rules, I read a recent letter to Congress, signed by 15 Attorneys General, expressing concern over the ‘federal ceiling’ approach, preferring a “federal floor.” What are your thoughts?

It’s interesting that the multi-state response is led by Senator Bonta of California – the state that currently boasts the most robust data privacy protections in the country.

The key concern expressed in the letter is that the APRA – through the provisions by which it would supersede state law – could in practice lessen protections in states where more robust protections already exist.

The concern about this risk seems valid. If federal positioning is always to prevail, existing protections at state level may be weakened. Not only that – the future evolution of privacy protections in individual states could be limited.

The letter champions the importance of state-level privacy legislation, making clear that states may be better able to quickly adjust to technological challenges and data collection practices – and to therefore legislate for those – in areas that may otherwise elude federal attention.

We’ll have to wait and see what the response from Congress will be, and how the letter affects the passage and/or contents of the APRA.

What are the proposed APRA requirements?

Among other things, organizations may collect only the minimum data necessary to enable them to do their legitimate business.

Also, the APRA would prohibit the transfer of sensitive personal data – so, information like geolocation, financial, and biometric data – to third parties without the explicit consent of the relevant individual. Though this would be subject to some exceptions, like if the data-sharing is necessary for the purposes of preventing fraud.

Larger organizations would also have to appoint a privacy or data security officer – a bit like the EU GDPR’s DPO role.

The APRA would also mandate privacy impact assessments under certain circumstances. These are similar to DPIAs [data protection impact assessments].

What rights would the APRA introduce for individuals?

The APRA would create certain rights in favor of the individual, not unlike those already familiar in Europe under the GDPR, including the right for an individual to:

  • Request a copy of their data
  • Have their data corrected if inaccurate
  • Opt out of targeted advertising altogether
  • Opt out of processing if a privacy policy changes
  • In certain circumstances, have their data deleted
  • Sue if and when their privacy rights have been violated

If the APRA is passed, who must comply with it?

Organizations subject to the Federal Trade Commission Act – commercial and non-profit – that alone, or jointly with others, determine the purposes and means of collecting, processing, retaining, or transferring personal data.

Those organizations must also have:

  • An annual revenue of at least $40 million
  • Personal data on at least 200,000 US consumers

However, organizations that “transfer covered data to a third party in exchange for revenue or anything of value” fall within scope, regardless of their size. So, if you sell personal data of even just one US consumer, you fall within scope of the APRA.

Also note that government entities and their service providers are exempt.

Would it be fair to describe the APRA as the American version of the EU GDPR?

That’s not easy to answer.

I’ve seen some people referring to the APRA as the American answer to the GDPR, because it represents a significant pull in an aligned direction of travel toward much more robust and consistent data privacy protections across the country.

Plus, there definitely are similarities with the GDPR, like how it empowers individuals with respect to their personal data.

But there are differences, too, so I wouldn’t describe the APRA and the GDPR as like for like.

What are the next steps for the APRA?

The proposed bill is yet to make its way through due legislative process.

In other words, it must still be introduced into both chambers, and duly advanced by committee, before it can be considered for potential passage into law.

However, with the upcoming presidential elections, neither swift nor smooth passage is a given. Plus, the House passed only 27 pieces of legislation in 2023 – a record low.

That said, the bill’s key sponsors, Senator Cantwell and Representative McMorris Rodgers, remain optimistic, saying in a joint statement:

This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information.

Interviewer note: We await news of progress and will report further as developments emerge.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert with GRC International Group.

In the meantime, why not check out our interview with data privacy and cybersecurity trainer Andrew Snow on the UK–US data bridge?