House of Representatives to Consider New Privacy Bill

Written by Achieved Compliance

On Sunday, April 7th, U.S. House of Representatives Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell, D-Wash., released a new privacy bill, the American Privacy Rights Act (APRA), together with a related section-by-section discussion draft. Although passage of a federal privacy law in the United States has proven elusive, bicameral support for the bill has prompted cautious optimism about its advancement in Congress.

If passed, the APRA would apply to both non-profit organizations and commercial enterprises. It distinguishes between "covered entities," which act in a capacity similar to data controllers under the GDPR, and "service providers," which are comparable to data processors. Additionally, it introduces a distinct category of "large data holders," encompassing entities with over USD 250 million in annual revenue that process specified thresholds of covered data.

Small businesses with revenue under USD 40 million and data on fewer than 200,000 consumers are usually exempt from the draft's requirements when operating as covered entities rather than service providers. However, this exemption is contingent upon not transferring data "to a third party in exchange for revenue or anything of value." If a small business sells the personal data of even a single individual, it forfeits this exemption.

The Provisions of the Bill:

  • Include a private right of action, enabling individuals to sue in many, although not all, of the circumstances outlined in the legislation.
  • Limit the use of arbitration agreements between companies and individuals. Pre-dispute arbitration agreements would be invalid for minors and for any individual who can demonstrate a "substantial privacy harm," defined as financial losses of USD 10,000 or more, or physical or mental harm that matches one of the injuries specified in the bill.
  • Establish data minimization requirements that prohibit collecting, processing, retaining, and transferring personal data unless doing so complies with general data-minimization principles or serves a specific permitted purpose.
  • Permit processing of personal data where it is necessary, proportionate, and limited to providing or maintaining a specific product or service requested by the individual, or to a communication the individual would reasonably anticipate.
  • Require consent for the transfer of sensitive data to a third party, except when the transfer is necessary, proportionate, and limited to one of the permitted purposes. Also require consent before collecting, processing, or retaining biometric and genetic data, with certain limited exceptions. The draft provides an extensive list of sensitive data categories and empowers the Federal Trade Commission to expand this list through its rulemaking process.
  • Require, in addition to data minimization, "affirmative express consent" before the transfer of any sensitive data to a third party, unless the transfer is necessary, proportionate, and limited to one of the permitted purposes. For biometric and genetic information, consent is also required before collecting, processing, or retaining such data, although there are limited exceptions when the data is "essential" for a limited set of the permissible purposes.
  • Require each covered entity and service provider to designate a "qualified employee" to serve as a privacy officer or a data security officer.

The APRA Will Be the Subject of a Hearing to Be Held April 17

The agenda will also include discussion of related issues, including the Kids Online Safety Act, proposed updates to the Children's Online Privacy Protection Act, and other online safety matters.
