On April 7, 2024, Senate Commerce Committee Chair Maria Cantwell and House Energy & Commerce Committee Chair Cathy McMorris Rodgers jointly released a draft of the American Privacy Rights Act (APRA). The APRA would create a comprehensive federal consumer privacy framework. It builds on prior congressional efforts to enact a comprehensive privacy bill, most notably incorporating elements of the American Data Privacy and Protection Act (ADPPA) (H.R. 8152), which was advanced out of the House Energy & Commerce Committee during the 117th Congress (H.Rept. 117-669).
The APRA has already evolved since its initial release. The House Energy & Commerce Committee unveiled an updated version (Updated House Draft) in advance of a markup on May 23, 2024, by the Innovation, Data, and Commerce Subcommittee. The Updated House Draft includes a new Title II amending the Children's Online Privacy Protection Act of 1998 (COPPA). It also makes other changes, such as creating a centralized mechanism for individuals to request that data brokers delete their personal information and prohibiting covered entities from targeting advertisements to children under the age of 17.
This Sidebar begins with a summary of the APRA, relying primarily on the joint draft released on April 7, 2024, but noting where the Updated House Draft differs from the original joint draft. The Sidebar also contains a discussion of how Title II of the Updated House Draft would amend COPPA and how that language compares with similar bills previously introduced in the 118th Congress. The Sidebar next compares the APRA to the ADPPA and other comprehensive privacy bills that have been introduced in Congress. The APRA borrows a substantial amount from the ADPPA but includes material differences, such as its treatment of small businesses, approach toward minors, and interaction with state laws, as well as its requirement for algorithmic opt-out rights and immediate availability of a private right of action. The Sidebar concludes by discussing stakeholders' reactions to the APRA and potential litigation that may arise should Congress enact the bill.
Summary of the Bill
Key Definitions
The APRA's chief focus is governing how covered entities use covered data. Thus, these two definitions are central to the bill's scope. The APRA defines "covered entities" to include most individuals, commercial entities, and nonprofits that "alone, or jointly with others, determine[] the purposes and means of collecting, processing, and retaining, or transferring covered data." Small businesses, among others, are exempt from this definition. The APRA defines "covered data" to include any information that "identifies or is linked or reasonably linkable" to an individual.
Another key definition is sensitive covered data, for which the APRA provides additional protections. "Sensitive covered data" includes, among other things, government-issued identifiers, genetic information, health information, financial information, precise geolocation information, and information about a child under the age of 17. The APRA would give the Federal Trade Commission (FTC) authority to expand the categories of sensitive covered data through regulation.
The APRA also defines large data holder and data broker, which are two subsets of covered entities that must comply with additional requirements. Large data holders are those covered entities with annual gross revenue of more than $250 million in the preceding calendar year that collect enough data to meet one of the bill's thresholds. Data brokers are entities "whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly" from the individual linked to the data.
Rights and Obligations
The APRA would establish rights for individuals from whom covered data is collected and impose obligations on covered entities. Individuals would have the right to access, correct, delete, and export their covered data held by a particular covered entity. When an individual submits a verified request to a covered entity to exercise one of these rights, the covered entity must generally respond within 30 calendar days. Large data holders must generally respond to requests by individuals to exercise their rights within 15 calendar days of receiving the request. The Updated House Draft, however, would lengthen these timeframes to 45 and 30 days, respectively.
In terms of obligations, the APRA would impose a data minimization requirement on covered entities that would prohibit them from collecting, processing, retaining, or transferring covered data unless it is (1) reasonably necessary and proportionate to provide a specific product or service requested by a consumer or to provide a communication anticipated in the context of the customer relationship; or (2) for one of the fifteen permitted purposes (sixteen in the Updated House Draft) expressly listed in the bill (e.g., to conduct market research, investigate and defend against legal claims, or transfer to law enforcement pursuant to lawful process). The APRA would also require covered entities to comply with opt-out and consent requirements. For most covered data, covered entities would need to give individuals an opportunity to opt out of the transfer of their covered data or the use of their data for targeted advertising. For sensitive covered data, covered entities would be required to obtain an individual's affirmative, express consent before transferring that data. Covered entities would also be required to get express consent before collecting, processing, or retaining biometric or genetic information.
Covered entities would have to comply with a number of other obligations, including transparency rules, data security standards, and algorithm opt-out requirements. They would also be prohibited from using covered data in a way that discriminates on the basis of a protected class, using "dark patterns" to interfere with individuals' use of their rights, or retaliating against individuals exercising their rights by denying them service or giving them a different level of service (subject to certain exceptions such as for "bona fide loyalty programs").
Large data holders and data brokers would have to comply with additional requirements. For example, large data holders would have to conduct algorithm impact assessments and privacy impact assessments, and their CEOs would have to make annual certifications to the FTC regarding their companies' compliance with the APRA. Data brokers would be required to register with the FTC, which would establish a central data broker registry with a "Do Not Collect" mechanism allowing individuals to opt out of data brokers' collection of their covered data. The Updated House Draft would go further, requiring the FTC to create a "Delete My Data" mechanism, allowing individuals to request that all registered data brokers delete their covered data. Data brokers also would be required to establish public-facing websites containing a link to the FTC's data broker registry.
Federal Trade Commission Authority
The APRA would give the FTC authority to enforce violations of the bill. Violations of the APRA, or any regulations issued under it, would constitute violations of rules defining unfair or deceptive acts or practices under the Federal Trade Commission Act, giving the FTC grounds to seek civil penalties, injunctions, and other equitable relief for violations. The APRA would create a fund for holding civil monetary penalties paid by violators of the Act, from which the FTC could disburse payments to covered persons affected by the penalized conduct.
The APRA would also give the FTC authority to add to and clarify certain provisions of the APRA. While the APRA would not give the FTC broad authority to expound on its provisions through regulations, it would vest the FTC with rulemaking authority in certain instances (e.g., regulations defining categories of sensitive covered data and establishing data security requirements). The APRA also would direct the FTC to issue guidance on how covered entities could comply with certain requirements (e.g., the data minimization provision and data broker disclosure requirements). The APRA would further require the FTC to create a process by which covered entities could submit compliance guidelines for approval, and would require the FTC to establish a pilot program encouraging private-sector use of privacy-enhancing technology.
To carry out these responsibilities, the APRA would direct the FTC to create a new bureau, comparable in size to the existing consumer protection and competition bureaus. The new bureau would need to be staffed and fully operational within one year of the APRA's enactment.
State and Private Enforcement
The APRA would authorize state attorneys general and state privacy authorities to bring civil actions on behalf of their states' residents. In these actions, state enforcers could ask a federal court to issue an injunction, impose civil penalties, award damages or appropriate equitable relief, and award litigation costs and attorneys' fees.
The APRA also would create a private right of action that would allow individuals to sue for certain violations, for example, disclosure or use of their sensitive, biometric, or genetic information without their consent; violation of their individual rights; and data security violations resulting in a breach of their covered data. In such suits, courts could award aggrieved individuals actual damages, injunctive relief, litigation costs, and attorneys' fees. Before an individual could bring a lawsuit, however, the APRA would require that individual to provide potential defendants with notice and, in actions for injunctive relief, an opportunity to cure the alleged violation, unless the alleged harm qualifies as a "substantial privacy harm." The APRA also provides that, in certain cases, a plaintiff filing a suit would be entitled to the remedies currently provided under Illinois or California state laws. The Updated House Draft would extend the private right of action to persons—a term often interpreted to include business entities—as opposed to individuals, a term more likely to be understood as limited to natural persons.
In certain circumstances, the APRA allows individuals to pursue claims in federal court, notwithstanding any pre-dispute arbitration agreements. If the claim involves a minor, or if the claim alleges a substantial privacy harm, then the APRA makes any arbitration agreement unenforceable with respect to those claims if the individual harmed elects to proceed in federal court. The APRA clarifies that any disputes over the application of this provision should be resolved by the federal court and not any arbitrator.
Preemption of State Law
The APRA includes an express preemption clause providing that no state may "adopt, maintain, enforce, or continue in effect any law, regulation, rule, or requirement covered by the provisions" of the APRA or any regulations promulgated under it. The APRA has numerous exceptions to this preemption clause, however. For instance, the APRA would not preempt, among other things, "consumer protection laws of general applicability," laws addressing the "privacy rights or other protections of employees or employee information," and laws that "protect the privacy of health information, healthcare information, medical information, medical records, HIV status, or HIV testing."
Relation to Existing Federal Privacy Law
The APRA would generally preserve existing federal data privacy and data security laws, such as the Gramm-Leach-Bliley Act, the Health Information Portability and Accountability Act's administrative simplification provisions and regulations implementing those provisions, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act. (For an overview of these federal laws, see CRS Report R45631, Data Protection Law: An Overview, by Steve P. Mulligan and Chris D. Linebaugh.) The Updated House Draft also explicitly preserves additional laws, such as the Health Care Quality Improvement Act of 1986 and the Patient Safety and Quality Improvement Act. Covered entities that are subject to these existing laws would be "deemed to be in compliance" with—or, in the case of the Updated House Draft, would "not be subject" to—the APRA insofar as they handle data subject to those existing laws. The APRA provides that covered entities that are required to comply with these existing laws will be "deemed to be in compliance" with the "related provisions" of the APRA. The APRA would, however, displace most privacy requirements under the Communications Act of 1934 and the FCC's implementing regulations. Finally, the APRA specifically preserves COPPA and "antitrust laws."
Updated House Draft and COPPA 2.0
Along with the changes mentioned above, the Updated House Draft includes a "Title II" called "Children's Online Privacy Protection Act 2.0" (Title II), which would amend COPPA. COPPA, as it currently stands, provides privacy protections to children under the age of 13. COPPA's requirements apply to online operators that direct their website or online service to children or that have "actual knowledge" they are collecting children's information. Under COPPA and the FTC's implementing regulations, covered operators must, among other things, obtain verifiable parental consent before collecting, using, or disclosing children's personal information; provide parents with notice of the operator's privacy policies; maintain reasonable data security procedures; and comply with data retention and deletion requirements. COPPA preempts state laws that regulate the activities of online operators in a manner that is "inconsistent with the treatment of those activities or actions" under COPPA. Courts applying COPPA's preemption provision to state law causes of action have reached different outcomes in different cases. The U.S. Court of Appeals for the Ninth Circuit has held that COPPA does not preempt individuals from bringing state lawsuits based on conduct that also violates COPPA. In contrast, some district courts in other circuits have held that such suits are inconsistent with COPPA's enforcement structure, which does not include a private right of action.
Some lawmakers have sought to update COPPA. In the 118th Congress, the Children and Teens' Online Privacy Protection Act (commonly referred to as "COPPA 2.0") has been introduced and sponsored by bipartisan groups of lawmakers in both the House (H.R. 7890) and Senate (S. 1418), and in July 2023 the Senate Commerce Committee voted to advance S. 1418 to the full Senate. H.R. 7890 and S. 1418 would extend COPPA's protections to teens (defined as individuals "over the age of 12 and under the age of 17") and revise COPPA's "actual knowledge" standard to include situations where an online operator "has knowledge fairly implied on the basis of objective circumstances" that they are collecting information from a child or teen. These bills would also ban "individual-specific advertising" to children or teens, prohibit online operators from storing or transferring a child or teen's data outside of the United States without providing direct notice, and impose data minimization requirements on online operators. These bills would direct the FTC to, among other things, update its regulations to address how COPPA applies in the educational context, evaluate the feasibility of a common verifiable consent mechanism for multiple operators providing a joint service, and submit oversight and enforcement reports to Congress.
Title II of the Updated House Draft contains many of the same provisions as H.R. 7890. For instance, it contains most of the same definitional updates, the same provision addressing COPPA's application in the educational context, the same provision directing the FTC to evaluate a common verifiable consent mechanism, and the same requirement directing the FTC to submit reports to Congress.
There are notable differences. Title II would not extend COPPA's protections to teens, would not include H.R. 7890's prohibition on "individual-specific advertising," and it would not broaden COPPA's knowledge standard. The Updated House Draft does, however, include certain protections for "covered minors" (individuals under the age of 17) in Title I. These protections include a ban on transferring sensitive covered data (which includes information about a covered minor) without affirmative express consent and a prohibition on "targeted advertising" to covered minors. Title I does not, however, specify any knowledge standard or other mental state requirement that applies to these prohibitions. There are other distinctions between Title II and H.R. 7890 that appear to reflect Title II's integration with the APRA. For instance, Title II omits H.R. 7890's prohibition on collecting personal information from children or teens when not necessary to complete a transaction or perform a service, but Title II would expressly prohibit online operators subject to COPPA from collecting personal information from a child in a manner that violates the APRA. Similarly, Title II does not include H.R. 7890's data minimization requirements, but the APRA has its own data minimization provision in Title I. Lastly, Title II does not have a provision expressly allowing state laws that provide additional protections to children or teens, thus leaving COPPA's existing preemption provision in place.
Comparison to the ADPPA and Other Privacy Bills
While the APRA has many similarities with the ADPPA, containing broadly similar individual rights and covered-entity obligations, there are differences. For example, the APRA would exempt small businesses entirely from its scope, while the ADPPA would have excluded small businesses only from certain requirements. The APRA also does not have some of the protections that the ADPPA would have established for minors under the age of 17, such as its prohibition of targeted advertising (although such a prohibition was added in the Updated House Draft) and the creation of a Youth Privacy and Marketing Division at the FTC. The APRA, however, contains some obligations not found in the ADPPA, such as the requirement that covered entities give individuals an opportunity to opt out of the use of certain algorithms. (The Updated House Draft creates an exception for this opt-out requirement where doing so would be prohibitively costly or technologically impracticable.) While both bills contain a private right of action, the APRA's private right of action would be effective immediately, whereas the ADPPA would have delayed it for two years after the law's enactment. The two bills' preemption provisions have the same basic structure, yet there are several potentially significant differences. For instance, the ADPPA would have expressly preserved several specified state privacy laws, such as Illinois's Biometric Privacy Act and Genetic Information Privacy Act and California's private right of action for victims of data breach. In contrast, under the APRA, these laws would not expressly be preserved, although individuals would be able to obtain the remedies provided by these laws in certain circumstances.
Numerous other comprehensive data privacy bills that further differ from the APRA have been introduced in the 117th and 118th Congresses. For example, rather than specifying detailed user rights and consumer obligations, the Data Care Act of 2023 (S. 744, 118th Cong.) would impose broad duties of care, loyalty, and confidentiality on online service providers. Other bills contain a set of individual rights and covered entity obligations similar to the APRA yet differ on individual enforcement and preemption of state laws. For example, the Online Privacy Act of 2023 (H.R. 2701, 118th Cong.) would provide, and the Consumer Online Privacy Rights Act (COPRA) (S. 3195, 117th Cong.) would have provided, a private right of action without requiring an opportunity to cure or imposing other limitations and would not preempt state laws unless there was a direct conflict with the federal law.
Commentary and Potential Legal Challenges
The draft APRA has garnered bipartisan support, and various interest groups, commentators, and technology companies, such as, respectively, the Center for Democracy and Technology, the Washington Post's editorial board, and Microsoft, have expressed enthusiasm for the draft bill. Some of these commentators have lauded the bill for compromising on contested issues (namely, whether to provide a private right of action and whether to preempt state laws). At a House Energy & Commerce Committee hearing on April 17, 2024, all of the witnesses agreed that the APRA was the "best chance" for "getting something done" on comprehensive data privacy. At the same time, some of the APRA's supporters have also suggested ways it could be improved. For example, some lawmakers and commentators have said that the APRA's protections for minors should be strengthened, such as by including the ADPPA's ban on targeted advertising to those under the age of 17. Some commentators have also argued that its data broker provisions should be tightened, such as by including a "one-stop-shop for data deletion requests" and clarifying that data brokers are not exempt from the APRA even if they qualify as consumer reporting agencies under the Fair Credit Reporting Act. Several of these concerns have been addressed by the Updated House Discussion Draft, which, as mentioned, includes a ban on targeted advertising to minors under 17 and would require the FTC to create centralized data deletion request mechanisms for data brokers. At the same time, during the May 23 markup of the Updated House Draft, several Members expressed concerns with the way in which Title II of the Draft revises COPPA, such as by not updating COPPA to protect teens and by failing to expand COPPA's knowledge standard. Some Members also maintained that the Update House Draft's prohibition on targeted advertising to minors is less robust than H.R. 7890 and S. 1418's restriction on "individual-specific advertising."
Other stakeholders have been critical of the APRA's preemption provisions, which were not changed in the Updated House Draft. The California Privacy Protection Agency (CPPA), for example, has faulted the APRA for preempting state privacy laws and has argued that Congress should set a "floor" for privacy rights rather than a "ceiling." The CPPA cited its draft regulations on automated decisionmaking technology (ADMT), which would allow individuals to opt out of companies using their personal information to train ADMT, as an example of an important protection that could be preempted by the APRA. On the other hand, the U.S. Chamber of Commerce has criticized the APRA for taking too narrow of an approach to preemption. The Chamber also took issue with the APRA's private right of action and some of its substantiative requirements, such as its algorithm provisions and its right to opt out of targeted advertising.
Should the APRA be finalized, there may be litigation over its constitutionality and scope. As discussed further in a 2019 CRS report, the U.S. Supreme Court has said that "the creation and dissemination of information are speech within the meaning of the First Amendment." Litigants have challenged laws that restrict the sale or use of data collected from customers and laws that restrict certain targeted advertisements under the First Amendment. It is possible that similar challenges may be raised against some of the APRA's provisions that restrict the dissemination of customer data or the targeting of advertisements. There may also be litigation over the scope of the APRA's preemption provisions. For instance, questions may arise as to whether the APRA preempts state privacy laws that regulate entities not covered by the APRA, such as small businesses. The expansive reach of the APRA's savings clauses, too, may give rise to litigation, as potential challengers of the law might seek to clarify whether various state laws qualify as one of the categories of statutes exempt from preemption.