Privacy Rights Act introduced into the US House of Representatives. Possible Federal Privacy Act

April 23, 2024 |

All 50 states of the United States have mandatory data breach notification laws, but there is still no comprehensive privacy statute at the federal level. There have been occasional attempts to enact one. The Privacy Act of 1974 established a Code of Fair Information Practice, but it applies only to federal agencies, and the result since then has been limited and generally sector-specific legislation at the federal level. That may be about to change: a bill for an American Privacy Rights Act 2024 (“APRA”) has been introduced by Representative Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA).

The APRA will apply to:

  • businesses subject to the authority of the Federal Trade Commission (“FTC”),
  • common carriers, and
  • nonprofits (together, “Covered Entities”), and
  • businesses that process covered data on behalf of or at the direction of Covered Entities (“Service Providers”).

APRA will:

  • impose obligations to minimize the processing of covered data and to apply reasonable data security measures.
  • impose heightened obligations on high-impact social media companies and large data holders, over and above those imposed on Covered Entities and Service Providers generally.
  • create uniform data privacy rights, including the right to:
    • opt out of targeted advertising, and
    • view, correct, export or delete their data.
  • increase transparency by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices and consumers’ rights in public-facing privacy policies.
  • impose heightened transparency obligations on “large data holders”, defined as Covered Entities or Service Providers that had gross revenue of at least USD 250 million in the most recent calendar year and collected, processed, retained or transferred:
    • the covered data of over 5 million individuals; 15 million portable devices that identify, or are linked or reasonably linkable to, one or more individuals; and 35 million connected devices that identify, or are linked or reasonably linkable to, one or more individuals; or
    • the sensitive data of over 200 thousand individuals; 300 thousand portable devices that identify, or are linked or reasonably linkable to, one or more individuals; and 700 thousand connected devices that identify, or are linked or reasonably linkable to, one or more individuals.
  • require large data holders to:
    • retain and publish on their websites copies of each version of their privacy policy for at least the previous 10 years;
    • make publicly available on their websites a log that describes the date and nature of each material change to their privacy policy during that 10-year period, in a manner sufficient for a reasonable individual to understand the effect of each material change; and
    • provide a short-form notice (500 words or less) of their covered data practices that is concise, clear and readily accessible, and that includes an overview of individual rights.
  • give consumers a private right of action to enforce the law by filing a civil suit against entities that violate their rights under the APRA.
  • limit the enforceability of consumer arbitration agreements.
