Discussion Draft on National Data Privacy Rights Introduced in Congress

In April 2024, House Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Committee Chair Maria Cantwell (D-Wash.) released a bipartisan, bicameral discussion draft of the American Privacy Rights Act of 2024 (APRA). A discussion draft is circulated among colleagues for comment before a bill is formally introduced. The draft builds on prior congressional efforts to enact a comprehensive privacy bill, incorporating elements of the American Data Privacy and Protection Act (ADPPA). If enacted, the APRA would establish the first comprehensive national consumer data privacy law in the United States. 

Many associations, including PRINTING United Alliance, recognize the need for federal data privacy legislation to address the current patchwork of state laws, enhance consumer protections and provide businesses with clear and consistent rules for data collection and use. The Alliance has called for a national uniform standard to achieve a federal legislative solution to data privacy protection that both benefits consumers and preserves the right for businesses to use marketing and advertising data in a responsible way. 

In brief, APRA would preempt current and future state comprehensive data privacy laws, set standards for the minimization of the collection and use of data, and provide for enforcement by the Federal Trade Commission (FTC), state attorneys general, and private right of action. The key provisions of the APRA are outlined below. 

Who is Covered? 

“Covered entities” under the APRA include any entity that is subject to the FTC Act and that collects, processes, retains, or transfers covered data, or has a service provider do so on its behalf. The APRA does not apply to small businesses, which it defines as businesses that meet all three of the following conditions:   

  • With $40 million or less in annual revenue;  
  • That collect, process, retain, or transfer the covered data of 200,000 or fewer individuals; and  
  • That do not earn revenue from transferring covered data to third parties (i.e., that do not act as data brokers).  

Printing companies meeting that definition would be exempt from the requirements of the APRA. In addition to small businesses, governments, entities working on behalf of governments, the National Center for Missing and Exploited Children (NCMEC), and fraud-fighting non-profits are excluded.  

What is Covered? 

The APRA defines “covered data” to include any information that “identifies or is linked or reasonably linkable” to an individual. The APRA would exclude de-identified information, employee information, and publicly available information from covered data. 

The APRA would provide additional protections for “sensitive covered data,” defined to include government-issued identifiers, genetic information, health information, financial information, precise geolocation information, and information of “covered minors,” those under the age of 17. 

Data Minimization 

The APRA imposes a data minimization requirement: covered data may be collected and used only for specific, expected purposes. Covered entities and service providers are prohibited from collecting, processing, retaining, or transferring covered data beyond what is necessary, proportionate, and limited to providing the product or service the individual requested.  

While the bill starts with a presumption against expansive data processing, it offers flexibility by setting forth sixteen “permitted purposes” for data processing. These permitted purposes include: 

  1. Protecting data security; 

  2. Complying with legal obligations; 

  3. Making legal claims; 

  4. Transfers to law enforcement pursuant to a warrant, administrative subpoena, or other lawful process; 

  5. Effectuating a product recall or fulfilling a warranty; 

  6. Conducting market research (which requires affirmative express consent for consumer participation); 

  7. With respect to data already lawfully collected under APRA, de-identifying data for use in product improvement and research; 

  8. Asset transfers in mergers and acquisitions; 

  9. Telecom and mobile carriers providing call location information for emergency services; 

  10. Preventing fraud and harassment (though not for selling to government agencies, including law enforcement); 

  11. Responding to an ongoing or imminent network security or physical security incident; 

  12. Responding to ongoing or imminent security incidents or public safety incidents (though not for selling to government agencies, including law enforcement); 

  13. Responding to criminal activity (though not for selling to government agencies, including law enforcement, and not health information); 

  14. Processing non-sensitive data for first-party or contextual advertising; 

  15. Processing non-sensitive data for targeted advertising; and 

  16. Conducting a public or peer-reviewed scientific, historical, or statistical research project that serves the public interest and complies with applicable law, for which covered data may be processed and transferred, and sensitive covered data only with affirmative express consent. 

The draft restricts the collection and transfer of biometric and genetic information to cases where the individual has given affirmative express consent. The transfer of other sensitive covered data also requires affirmative express consent unless it falls under a permitted purpose. The FTC is tasked with issuing guidance on adhering to the data minimization requirement. 

Transparency 

Covered entities would be required to disclose their data practices through detailed privacy policies. “Large data holders” would face additional requirements, including short-form notices. A large data holder is an entity with annual gross revenue of more than $250 million in the preceding calendar year that also meets one of the bill’s data-volume thresholds. 

Deletion, Correction, Access, and Portability Rights 

The APRA would give individuals the rights to access, correct, delete, and port their covered data. 

Rights to Opt-Out of Data Transfers and Targeted Advertising 

Under the APRA, covered entities would be required to allow individuals to opt out of data transfers and targeted advertising, both through the entity’s own opt-out mechanism and through centralized mechanisms such as browser- or device-based global privacy signals, the specifications for which would be developed through FTC rulemaking. 
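To show what honoring both kinds of opt-out looks like on the server side, here is an added example; it is not code from the APRA draft or from the Alliance. It assumes the global signal takes the form of the existing Global Privacy Control request header (`Sec-GPC: 1`), since the draft leaves the actual format to FTC rulemaking, and it uses a hypothetical first-party cookie (`privacy_opt_out`) as the entity’s own mechanism. Either signal is enough to opt the request out, and an opted-out request falls back to contextual advertising, which the draft lists among the permitted purposes.

```python
"""Server-side evaluation of opt-out signals on a single HTTP request.

Added example, not part of the APRA draft or the Alliance's material.
Assumptions: the global privacy signal is the Global Privacy Control
header ``Sec-GPC: 1``; the site's own mechanism is a hypothetical
first-party cookie ``privacy_opt_out`` whose value is a comma-separated
list drawn from ``ads``, ``transfers`` and ``all``.
"""
from dataclasses import dataclass
from typing import Mapping

OPT_OUT_COOKIE = "privacy_opt_out"  # hypothetical cookie name


@dataclass(frozen=True)
class OptOutState:
    targeted_advertising: bool  # individual opted out of targeted ads
    data_transfers: bool        # individual opted out of data transfers
    source: str                 # "global-signal", "site-mechanism" or "none"


def parse_cookies(header: str) -> dict[str, str]:
    """Split a Cookie request header into name/value pairs."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def evaluate_opt_out(headers: Mapping[str, str]) -> OptOutState:
    """Return the opt-out decision for one request.

    The global signal is checked first: when it is present the site's own
    cookie is irrelevant, because the signal applies to every site.
    """
    # HTTP header names are case-insensitive; normalise once.
    h = {name.lower(): value for name, value in headers.items()}

    # GPC defines only the value "1" as the signal being set; anything
    # else (absent, "0", malformed) is treated as no signal.
    if h.get("sec-gpc", "").strip() == "1":
        return OptOutState(True, True, "global-signal")

    choice = parse_cookies(h.get("cookie", "")).get(OPT_OUT_COOKIE, "")
    flags = {flag.strip() for flag in choice.split(",") if flag.strip()}
    if flags:
        return OptOutState(
            targeted_advertising="ads" in flags or "all" in flags,
            data_transfers="transfers" in flags or "all" in flags,
            source="site-mechanism",
        )
    return OptOutState(False, False, "none")


def select_ad_mode(state: OptOutState) -> str:
    """Pick the advertising mode the request may be served with."""
    return "contextual" if state.targeted_advertising else "targeted"


if __name__ == "__main__":
    # Constructed request headers, for illustration only.
    sample = {"Sec-GPC": "1", "Cookie": "session=abc123"}
    state = evaluate_opt_out(sample)
    print(state, select_ad_mode(state))
```

The order of the checks matters: a request carrying the global signal must be opted out even if the site's own cookie says otherwise, and an opt-out can never be downgraded by a later, narrower choice the site collected itself.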

Interference With Rights 

The APRA would prohibit the use of “dark patterns,” user interface designs that manipulate individuals into sharing more data than they would otherwise choose to. The bill would also prohibit retaliation against individuals for exercising their rights.  

Data Security 

The APRA would require covered entities and service providers to maintain “reasonable data security practices.” The bill would also impose a number of specific requirements, including vulnerability assessments; preventive and corrective actions to mitigate reasonably foreseeable risks; information retention and disposal procedures; training; and incident response. 

Governance 

Covered entities and service providers would be required to designate one or more qualified employees as “privacy or data security officers.” Large data holders would be required to designate one employee expressly as privacy officer and another as data security officer, and to make annual certifications to the FTC. 

Data Brokers 

The APRA would impose several obligations and restrictions on “data brokers.” Data brokers are entities “whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly” from the individual linked to the data.  

Entities that acted as data brokers with respect to more than 5,000 individuals or devices linkable to an individual in the prior year would be required to register with the FTC, which would maintain a searchable, public registry of data brokers. The registry would offer “do not collect” and “delete my data” opt-out mechanisms when a consumer submits a request.  

Data brokers would also be required to maintain a public website that identifies them as a data broker and includes a tool for individuals to exercise their individual controls (e.g., deletion rights and opt-out rights), and includes a link to the FTC registry. 

Civil Rights and Algorithmic Fairness 

The APRA addresses civil rights and algorithmic fairness in the processing of covered data. The bill would broadly prohibit processing covered data in a manner that discriminates or makes unavailable the “equal enjoyment of goods or services” based on protected classes.  

Impact assessments. Large data holders that use “covered algorithms,” meaning computational processes that make a decision, or facilitate human decision making, using covered data, would be required to conduct impact assessments. The APRA defines a “consequential decision” as a decision or offer that determines an individual’s eligibility for, or results in the provision or denial to an individual of, housing, employment, credit opportunities, education enrollment or opportunities, access to places of public accommodation, healthcare, or insurance. Large data holders must engage a certified independent auditor to conduct the impact assessment and report the results to the entity; alternatively, the entity may submit its own assessments to the National Telecommunications and Information Administration. 

Algorithm design evaluation. Covered entities and service providers that knowingly develop a covered algorithm must conduct a pre-deployment assessment of the algorithm’s design, structure, and inputs, including its training data. 

Notice and opt-out for consequential decisions. Any entity that uses a covered algorithm to make or facilitate consequential decisions must provide notice and allow individuals to opt-out of such use. 

Enforcement 

The APRA uses a three-part enforcement structure to address privacy violations and protect consumer rights. PRINTING United Alliance supports enforcement by the FTC and state attorneys general but would like to see the private right of action removed from the APRA. That provision could expose printing companies that collect, use, and transfer data to costly litigation, including class action lawsuits. 

FTC. The FTC would serve as the federal enforcer and could obtain injunctions, civil penalties, redress/restitution, and damages in federal court. The agency would be required to establish a new bureau dedicated to enforcing the APRA and related matters. 

States. States via their attorneys general, chief consumer protection officer, or an officer or office authorized to enforce privacy or data security laws could obtain injunctions, civil penalties, damages, and restitution in federal court civil actions. 

Private Right of Action. Under the APRA, an individual may seek actual damages, injunctive relief, declaratory relief, and reasonable attorneys’ fees and litigation costs. Specifically, individuals could bring a civil action for, among others, violations relating to data minimization, transparency, individual control over covered data, opt-out rights, interference with consumer rights, retaliation for exercising their rights under the APRA, and data security practices. 

Preemption 

Preemption, rooted in the U.S. Constitution’s Supremacy Clause, is the ability of the federal government to overrule or replace state law in favor of federal law.  

In the absence of a federal data privacy law, a patchwork of state data privacy laws has emerged. According to the Information Technology & Innovation Foundation (ITIF), without a national data privacy standard, U.S. small businesses could pay upwards of $20-23 billion annually trying to comply with a patchwork of state laws. This patchwork has caused both uneven protections for consumers and a confusing business environment for printing companies. The Alliance is in favor of strong preemption language that would end the current patchwork of state laws.  

Unfortunately, in its current form, the APRA does not provide a fully preemptive privacy law. Although the draft states that it seeks a “uniform national data privacy and security standard,” the operative language it uses to preempt state laws is limited and could inadvertently invite states to pass more restrictive privacy laws. The APRA preempts only “any law, regulation, rule, or requirement covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.” 

According to the U.S. Supreme Court, “covered by” or “covering” is a narrower preemption term than “related to.” In other words, preemption will stand only where the federal regulations “substantially subsume” the subject matter of the relevant state law.  

Under the APRA, certain state laws or provisions would be exempt from preemption. These include consumer protection laws of general applicability; civil rights laws; provisions that address the privacy rights or other protections of employees or students; data breach notification requirements; contract and tort law; certain criminal and civil laws (e.g., on blackmail, cyberbullying, and child abuse); public safety laws; and laws that protect the privacy of health information.  

A national privacy law that merely preempts what it “covers” and then provides for exceptions to that preemption would indicate that Congress has not intended to “substantially subsume” regulation. 

Analysis 

The Alliance supports many of the provisions in the APRA, such as the inclusion of the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and the additional protections for sensitive data. However, the Alliance has concerns about the provisions covering the private right of action and preemption. The Alliance supports the U.S. Chamber’s advocacy efforts urging committee leadership not to report the APRA out of committee as drafted.  

A private right of action would be particularly devastating for business under a privacy law that does not have a strong preemptive effect. Not only would states be able to continue passing their own laws, but individual judicial district precedent would create further confusion and conflict.    

And although the APRA exempts small businesses, as drafted a business would have to satisfy all three elements of a vague test to qualify as a small business. Given the APRA’s inclusion of a private right of action, small businesses could have to bear litigation costs in court just to prove they are not covered by the bill. Even where a small business is not directly covered, the digital tools it relies on could be affected by other elements of the APRA. 

Next Steps in the Process 

The House Energy and Commerce Committee held a hearing to discuss APRA on April 17, 2024, while the Senate Commerce Committee held its hearing on May 8, 2024. The text of the APRA was updated and on May 23, 2024, the APRA underwent a markup in the Innovation, Data, and Commerce Subcommittee of the House Energy and Commerce Committee. 

Once the House and Senate committees have favorably reported the legislation, the next step will be full House and Senate floor consideration. It is unclear whether the APRA can cross the finish line amid the competing legislative priorities of a presidential election year, but the release of the discussion draft constitutes considerable progress in the march toward national data privacy legislation in the U.S.  

In this article, Stephanie Buka, Government Affairs Coordinator, PRINTING United Alliance, addresses the discussion draft American Privacy Rights Act of 2024. More information can be found at Business Excellence-Legislation or reach out to Steph should you have additional questions specific to how these issues may affect your business: sbuka@printing.org.     

To become a member of the Alliance and learn more about how our subject matter experts can assist your company with services and resources such as those mentioned in this article, please contact the Alliance membership team: 888-385-3588 / membership@printing.org

Stephanie Buka Government Affairs Coordinator

Stephanie Buka is the Government Affairs Coordinator for PRINTING United Alliance. In this role, she supports Ford Bowers, CEO, the Government Affairs team, and coordinates efforts with lobbying firm, ACG Advocacy. She manages all aspects of grassroots advocacy campaigns, including facilitating timely call-to-action alerts and updates to The Advocacy Center on key federal and state legislative issues. As a member of the Office of Corporate Communications, Buka manages the content and audience building responsibilities for the Government Affairs team. She is also responsible for the administration of the Alliance's political action committee, PrintPAC.

Prior to joining the Alliance, Buka served as a senior legislative researcher, and later as a constituent services coordinator, for the 15-member legislative body representing 1.3 million residents of Allegheny County, Commonwealth of Pennsylvania. In addition to drafting legislation and addressing constituent concerns, Buka cultivated strong relationships with appointed and elected officials at the local, state, and federal levels of government.

Buka holds a master’s degree in Public Policy and Management from the University of Pittsburgh, Graduate School of Public and International Affairs (GSPIA). She also earned a master's degree in Criminology from Indiana University of Pennsylvania, along with a Certificate in Forensic Science and Law from Duquesne University.
