Americans have wanted a federal data protection law However, for years this wish has been repeatedly thwarted by intensive lobbying by the technology industry and the general incompetence of our federal legislators. Well, in 2024 it’s possible that we’ll finally get a strong federal data protection law.
I’ll say it again: it’s possible. This is also technically possible Frogs could rain from the sky over Lower Manhattan, blanketing New Yorkers in a spring shower of amphibious viscera, but is that actually likely?
The American Privacy Rights Act The 2024 Act, recently introduced by Cathy McMorris Rodgers (R-WA) and Maria Cantwell (D-WA), would create basic digital privacy protections for Americans. The law, if passed, would create a range of protections and rights for consumers, including the ability to access, control and delete information collected by companies.
While that sounds like a good thing, there is one aspect of the legislation that appears to be troubling privacy advocates. The proposed law would potentially eliminate stronger state-level protections that currently exist. While privacy groups remain cautiously optimistic about APRA’s potential, they are also wary of proposed exclusionary state laws. If the currently proposed regulations appear strong, the legislative process is just beginning and there is no telling what the federal law will look like after what is sure to be a long, combative political decision-making process.
Here’s a quick look at what the legislation currently promises and what data protection advocates say about it.
The right to access, control and deletion
The American Privacy Rights Act would provide comprehensive protections for Americans’ data and give consumers the ability to access, control and delete the data covered by the legislation. The policy would give all Americans the power to request information from companies that have collected data about them. Companies covered by the law would have to comply with consumers’ requests within “specified time frames,” the bill says. The bill allows certain exceptions to these regulations, including small businesses (which are defined as businesses that have “$40,000,000 or less in annual revenue” or collect, process, store, or transmit “the collected data of 200,000 or fewer individuals.” ). and governments and “entities working on behalf of governments.”
Data minimization
The bill would also require something called “data minimization.” The idea is to reduce the overall amount of information companies can collect about web users. Proponents of the bill say companies covered by the legislation will not be able to “collect, process, retain or transfer data in excess of what is necessary, proportionate or limited to meet a To provide or maintain a product or service requested by an individual or to provide a communication within the context of the relationship is reasonably expected or a legitimate purpose. While that sounds good, the devil is in the details here and it is not yet entirely clear , what this type of data minimization would look like in real life.
What is Covered Data?
The bill defines the data covered by the law as follows:
…information that identifies, is linked to, or can reasonably be linked to, an individual or device. Covered does not include anonymized data, employee data, publicly available information, conclusions drawn from multiple sources of publicly available information that do not meet the definition of sensitive Covered Data and are not combined with Covered Data, and information in a library, archive, or museum collection, subject to certain limitations .
Strengthening the FTC
Enforcement of the law would occur at both the federal and state levels. Specifically, the Federal Trade Commission would be charged with developing regulations and technical specifications for a “centralized mechanism for individuals to exercise” their opt-out rights, as well as other technical issues related to the implementation of the legislation, the bill states. At the same time, the bill gives “attorneys general, chief consumer protection commissioners, and other officials of a state in federal district court” the authority to take enforcement actions against companies that violate the law.
The target is the data broker industry
The bill also targets data brokers. Under the new legislation, the FTC would be required to establish a data broker registry that could be used by consumers to identify which companies are brokers and to opt out of data collection by those firms. All data brokers that collect data from more than 5,000 people would have to re-register with the Federal Register every year. At the same time, brokers would also be forced to maintain their own websites that identify them as data brokers and include a tool for consumers to opt out.
Private right of action
A long-standing wish of privacy advocates is a private right of action– a mechanism that allows individual consumers to sue companies that have violated their rights. A number of state privacy laws have not taken this into account. Under the current version of APRA, consumers would be given a private right of action, allowing them to bring legal action against companies found to have violated their digital privacy rights.
Data protection advocates remain cautiously optimistic
Faced with years of inaction from federal regulators on privacy policy, state governments have passed a series of tough privacy laws over the past decade. Some of these laws, like California’s CCPA, were quite strict. The newly proposed federal law openly admits that it would eliminate “the existing patchwork of federal comprehensive privacy laws” and in its place “establish robust enforcement mechanisms to hold violators accountable.” The fact that APRA would preempt state laws worries some privacy advocates, who fear the possibility of a watered-down federal law. The fact that APRA appears to be strong now does not mean much as it could easily be neutered by lobbyists during the legislative process.
Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, said that prioritizing federal law over state regulation is only appropriate if it is ultimately a strong law. “From our perspective — in an ideal world — it would not preempt state laws, but would allow states to pass stronger laws,” Fitzgerald said. “We recognize that compromises are necessary and that this is a major sticking point. If it is to preempt state law, it must be stricter than existing state laws and regulations. We are still reviewing the bill to determine whether this is the case.”
Other privacy advocates, such as the Surveillance Technology Oversight Project (STOP), expressed similar concerns. “The ADPPA provides strong privacy protections, particularly data minimization rules,” said Will Owen, STOP’s communications director. “But the bill falls short because it prevents states from taking even tougher measures if they wish. Worst of all, the ADPPA bars states from enforcing protections, leaving it solely to the U.S. executive branch, which has been inconsistent in enforcing Americans’ privacy rights.”
Cody Venzke, senior policy counsel at the ACLU, said his organization remains “concerned that this bill’s broad exclusion of state law will freeze our ability to respond to evolving technology challenges.”