House of Representatives to Consider New Privacy Bill

Written by Achieved Compliance

On Sunday, April 7, U.S. House of Representatives Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., and Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell, D-Wash., released a new bill – the American Privacy Rights Act (APRA) – and a related section-by-section discussion draft. The passage of a federal privacy law in the United States has been elusive. However, the bicameral support for the bill has prompted cautious optimism that it could advance in Congress.

If passed, the APRA would apply to non-profit organizations and commercial enterprises. It would distinguish companies that act as "covered entities" from those that act as "service providers." "Covered entities" act in a similar capacity to data controllers as defined by the General Data Protection Regulation (GDPR), while "service providers" are analogous to data processors. It also establishes a special category of "Large data holders." These are covered entities or service providers with more than USD 250 million in annual revenue that process covered data above specified thresholds.

Small businesses with less than $40 million in revenue and data on fewer than 200,000 consumers generally do not need to meet the draft requirements when they act as covered entities and not service providers. However, the exemption only applies if the business does not transfer data "to a third party in exchange for revenue or anything of value."

The Provisions of the Bill

  • Include a private right of action that allows individuals to sue in many, but not all, circumstances provided for in the bill.
  • Limit the use of arbitration agreements between companies and individuals. As currently drafted, the bill would make pre-dispute arbitration agreements invalid for minors and for all individuals if they can show a "substantial privacy harm." Substantial privacy harm includes financial harms of USD 10,000 or more and physical or mental harms, but only if they involve one of the injuries specified in the bill.
  • Establish data minimization requirements. The bill prohibits collecting, processing, retaining, and transferring personal data unless it meets general data-minimization principles or serves a specific permitted purpose.
  • Allow the processing of personal data if it is necessary, proportionate, and limited to providing or maintaining a specific product or service requested by the individual or an anticipated communication to the individual.
  • Require consent to transfer sensitive data to a third party, unless the transfer is necessary, proportionate, and limited to one of the permitted purposes. Businesses must obtain consent before collecting, processing, or retaining biometric and genetic data with certain limited exceptions. The draft specifies an extensive list of sensitive data and empowers the Federal Trade Commission to expand the list through its rulemaking process.
  • In addition to data minimization, "affirmative express consent" is required before transferring sensitive data to a third party unless the transfer is necessary, proportionate, and limited to one of the permitted purposes. Businesses must obtain consent before collecting, processing, or retaining biometric and genetic information, though there are limited exceptions when the data is "essential" for a specific set of permissible purposes.
  • Require each covered entity and service provider to designate a "qualified employee" to serve as a privacy officer or a data security officer.

The APRA Will Be the Subject of a Hearing on April 17

The Kids Online Safety Act proposed updates to the Children's Online Privacy Protection Act. Other online safety-related issues will also be on the agenda.

Schedule your quick free consultation to review how Achieved Compliance can help you become fully compliant with local and global regulatory standards. Alternatively, you can reach us at info@achievedcompliance.
