Americans have wanted a federal privacy law for years but intensive lobbying by the tech industry and general incompetence by our federal legislators has repeatedly thwarted that desire. Well, in 2024, it’s possible that we may finally get a strong federal privacy law.
The FTC Just Prescribed a Can of Whoop Ass on Health Data
I’ll say it again: It’s possible. It’s also technically possible that frogs could rain from the sky over lower Manhattan, coating New Yorkers in a spring shower of amphibious guts, but is that actually likely to happen?
The American Privacy Rights Act of 2024, recently introduced by Cathy McMorris Rodgers (R-WA) and Maria Cantwell (D-WA), would create basic digital privacy protections for Americans. The law, if enacted, would create a variety of protections and rights for consumers, including the ability to access, control, and delete information collected by companies.
While that may sound like a good thing, there’s one aspect of the legislation that privacy advocates seem concerned about. The proposed law would eliminate potentially stronger, state-level protections that currently exist. While privacy rights groups remain cautiously optimistic about the APRA’s potential, they are also wary of its proposed preemption of state laws. If the currently proposed regulations look strong, the legislative process is just beginning and there’s no telling what the federal law may look like after what is sure to be a long, combative policymaking process.
Here’s a quick look at what the legislation currently promises, and what privacy advocates are saying about it.
The right to access, control, and delete
The American Privacy Rights Act would create broad protections for Americans’ data, giving consumers the ability to access, control, and delete data covered by the legislation. The policy would give all Americans the power to request information from entities that have collected data about them. Businesses that fall under the law would need to comply with consumers’ requests within “specified timeframes,” the bill states. The bill allows certain exemptions from these mandates, including small businesses (which are defined as companies making “$40,000,000 or less in annual revenue” or that collect, process, retain, or transfer “the covered data of 200,000 or fewer individuals”), as well as governments, and “entities working on behalf of governments.”
Data minimization
The bill would also mandate something called “data minimization.” The idea here is to reduce the overall amount of information that companies can collect about web users. Bill backers say that companies covered by the legislative will not be able to “collect, process, retain, or transfer data beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual, or provide a communication reasonably anticipated in the context of the relationship, or a permitted purpose.” Again, while that sounds good, the devil is in the details here, and it’s not totally clear yet what this sort of data minimization would look like in real life.
What is covered data?
The bill defines the data covered by the legislation as follows:
…information that identifies or is linked or reasonably linkable to an individual or device. It does not include de-identified data, employee data, publicly available information, inferences made from multiple sources of publicly available information that do not meet the definition of sensitive covered data and are not combined with covered data, and information in a library, archive, or museum collection subject to specific limitations.
Empowering the FTC
Enforcement of the law would take place at both the federal and state levels. Most notably, the Federal Trade Commission would be tasked with developing regulations and technical specifications for a “centralized mechanism for individuals to exercise” their opt-out rights, as well as other technical issues surrounding the execution of the legislation, the bill states. At the same time, the bill gives authority to “State attorneys general, chief consumer protection officers, and other officers of a State in Federal district court” to pursue enforcement actions against companies that violate the law.
Taking aim at the data broker industry
The bill also targets data brokers. Under the new legislation, the FTC would be mandated to establish a data broker registry that could be used by consumers to identify which companies are brokers and to opt out of data collection by those firms. All data brokers that collect data on more than 5,000 people would be forced to re-register with the federal registry every year. At the same time, brokers would also be forced to maintain their own websites that identify them as data brokers and include a tool for consumers to opt out.
Private right of action
A longstanding desire for privacy advocates has been a private right of action—which is a mechanism allowing individual consumers to sue companies that have violated their rights. A number of state privacy laws have failed to include this. Under the current version of the APRA, consumers would be given a private right of action, allowing them to file litigation against companies that have demonstrably violated their digital privacy rights.
Privacy advocates remain cautiously optimistic
Given years of inaction on privacy policy by federal regulators, state governments have passed a number of strong privacy laws over the past decade. Some of those laws, like California’s CCPA, have been quite strong. The newly proposed federal law openly acknowledges that it would eliminate “the existing patchwork of state comprehensive data privacy laws” and establish in its place “robust enforcement mechanisms to hold violators accountable.” The fact that the APRA would pre-empt state laws worries some privacy advocates who fear the potential for a watered-down federal law. The fact that the APRA may seem strong now doesn’t mean much, since it could easily be neutered by lobbyists during the legislative process.
Caitriona Fitzgerald, the deputy director at the Electronic Privacy Information Center, said that the federal law’s preemption of state-level regulation is only appropriate if it ends up being a strong law. “From our perspective—in an ideal world—it would not preempt state laws, it would allow states to pass stronger laws,” said Fitzgerald. “We recognize that compromise is necessary and that this is a big sticking point. If it’s going to preempt state laws, it needs to be stronger than existing state laws and regulations. We’re still evaluating the bill to determine whether that’s the case.”
Other privacy advocates, like the Surveillance Technology Oversight Project (STOP), expressed similar concerns. “The ADPPA does offer strong privacy protections, especially data minimization rules,” said STOP Communications Director Will Owen. “But the bill falls short by preempting states from taking even stronger action, should they so choose. Worst of all, the ADPPA preempts states from enforcing protections, leaving it solely up to the U.S. executive branch, which has been fickle in enforcing Americans’ privacy rights.”
Cody Venzke, senior policy counsel at the ACLU, said his organization remained “concerned this bill’s broad preemption of state laws will freeze our ability to respond to evolving challenges posed by technology.”