Privacy Rights Act introduced into the US House of Representatives. Possible Federal Privacy Act
April 23, 2024
There are mandatory data breach notification laws in all 50 states of the United States of America. There have been occasional attempts to enact comprehensive privacy legislation at the Federal level. The Privacy Act of 1974 established a Code of Fair Information Practice for federal agencies. The result so far has been limited and generally sector-specific legislation at the Federal level. There may be a change on the horizon with a bill for an American Privacy Rights Act 2024 (“APRA”) being introduced by Representative Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA).
The APRA will apply to businesses:
- subject to the authority of the Federal Trade Commission (“FTC”),
- common carriers,
- nonprofits, and
- businesses that process covered data on behalf of or at the direction of Covered Entities.
APRA will:
- impose obligations to minimize the processing of covered data and to apply reasonable data security measures.
- impose heightened obligations on high-impact social media companies and large data holders.
- create uniform data privacy rights, including the right to:
  - opt out of targeted advertising;
  - view, correct, export or delete their data.
- increase transparency by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices, and consumers’ rights in public-facing privacy policies.
- impose obligations on Covered Entities and Service Providers, with additional obligations on high-impact social media companies and large data holders.
- impose heightened transparency obligations on “large data holders,” defined as Covered Entities or Service Providers that had a gross revenue of at least USD 250 million in the most recent calendar year and collected, processed, retained or transferred:
  - the covered data of over 5 million individuals; 15 million portable devices that identify, or are linked or reasonably linkable to, one or more individuals; and 35 million connected devices that identify, or are linked or reasonably linkable to, one or more individuals; or
  - the sensitive data of over 200 thousand individuals; 300 thousand portable devices that identify, or are linked or reasonably linkable to, one or more individuals; and 700 thousand connected devices that identify, or are linked or reasonably linkable to, one or more individuals.
- require large data holders to:
  - retain and publish on their websites copies of each version of their privacy policy for at least the previous 10 years;
  - make publicly available on their websites a log that describes the date and nature of each material change to their privacy policy during that 10-year period, in a manner sufficient for a reasonable individual to understand the effect of each material change;
  - provide a short-form notice (500 words or less) of their covered data practices that is concise, clear, readily accessible, and includes an overview of individual rights.
- give consumers a right to enforce the law by filing a civil suit against entities that violate their rights under the APRA.
- limit the enforceability of consumer arbitration agreements.