A bipartisan, bicameral legislative proposal to create a federal comprehensive data privacy framework may be back on the table. On April 7, 2024, House Energy and Commerce chair Rep. Cathy McMorris Rogers (R-WA) and Senate Commerce, Science, and Transportation chair Sen. Maria Cantwell (D-WA) released a "discussion draft" of a privacy bill dubbed the American Privacy Rights Act (APRA). APRA, which appears to be the retooled successor of a 2022 proposal from McMorris Rodgers and Rep. Frank Pallone (D-NJ) called the American Data Privacy and Protection Act (ADPPA), would create a national data privacy standard that has remained elusive from federal lawmakers for years.

APRA Summary

If enacted, the APRA would create a comprehensive federal data privacy regime which, in addition to granting all Americans certain rights regarding their personal data, would expressly preempt current state privacy laws, create a private right of action, and address a wide range of additional privacy-related issues.

The APRA would protect any data that "identifies or is linked or reasonably linkable . . . to an individual or a device." Entities would be subject to the APRA if they "determine[] the purposes and means of collecting, processing, retaining, or transferring" such data and are either

1. subject to the Federal Trade Commission Act,
2. are a common carrier under the Communications Act of 1934, or
3. are a non-profit organization.

The law contains a number of categories of exceptions, including for small businesses that satisfy certain criteria. The APRA also creates a separate category of "Large Data Holders," which appears to intentionally target the nation's major tech companies and imposes significant additional compliance requirements on such entities.

The APRA would create rights for consumers that mirror many of those afforded by state laws: the right to access the data collected about them, to correct inaccuracies in their data, to have their data deleted, and to receive a portable copy of their data. Consumers would also have the right to know the name of any third party or service provider to which covered data was transferred, as well as the purpose of that transfer, and to opt out of at least some of these transfers. Additionally, consumers would be able to opt out of the use of their personal data for targeted advertising. The APRA would direct the Federal Trade Commission (FTC) to create a universal opt-out mechanism.

Two key and very likely contentious aspects of the APRA are preemption and a private right of action. With regard to preemption, the law would explicitly preempt "any [state] law, regulation, rule, or requirement covered by the provisions of [the bill]." Notably, however, the bill does contain several exceptions to its preemptive scope, including for state consumer protection laws and provisions of laws that address the privacy rights of students. With regard to remedies, unlike any state law to date, with the exception of California's Consumer Privacy Act (CCPA), the APRA would create a private right of action. Individuals would be able to bring suit under the APRA for privacy-related harms, and the law would entitle them to seek actual damages, injunctive and declaratory relief, and recover their attorneys' fees and costs. The bill contains no language prohibiting the consolidation of claims into class actions.

Legislative Prospects

Federal attempts to produce and enact a comprehensive data privacy framework have remained elusive. In 2022, the ADPPA advanced out of committee in the U.S. House of Representatives but did not receive a floor vote. Yet many industry stakeholders had already written off the possibility of comprehensive federal data privacy legislation ahead of what's expected to be a contentious 2024 presidential election and an increasingly divided Congress. While APRA's release represents yet another chance for legislators to implement privacy protections at a federal level, significant hurdles still remain for APRA to become law. Senate Commerce Committee Ranking Member Ted Cruz (R-TX) is signaling early opposition to the proposal, while Chair Rodgers's counterpart, Rep. Pallone, has indicated that he has a desire to make further refinements to the bill. Other federal lawmakers in the House and Senate, particularly those who were not involved in the early stages of the talks, have indicated a desire to weigh in on the proposal before advancing it any further.

Next week, the House Energy & Commerce Committee plans to hold its first hearing on the discussion draft, an important initial step in the legislative process. At the hearing, lawmakers are expected to hear testimony from industry witnesses regarding the need for a strong federal privacy framework. Chair McMorris Rodgers, who is retiring at the end of the Congress, will likely make a heavy push to pass the bill ahead of her departure. The hearing will also include discussions about the multiple pending proposals regarding online safety for children. Additionally, Chair Cantwell announced her intention to move quickly on a separate proposal to ban the sale of Americans' sensitive data to foreign adversaries. It is expected that if Congress does not act, states will continue to expand the existing patchwork of data privacy regulation. In the past two weeks alone, the legislatures of both Kentucky and Maryland have passed comprehensive data privacy bills, and several other states seem poised to follow suit.