What Could a Federal Privacy Law Mean for the US?

The US federal government has seen its fair share of proposed broad consumer privacy laws, which all seem to wither. Its latest might be different.

While most other legislative attempts have been partisan, the authors of the American Privacy Rights Act (APRA), Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA), come from either side of the Senate floor. Sen. Cantwell opposed APRA’s predecessor, the American Data Privacy and Protection Act (ADPPA), which failed to reach the President’s desk in 2022. Now, she’s the bipartisan author of its replacement. Even though this proposal is still just a discussion draft, that alone could make it the closest we’ve come yet to a GDPR-like U.S. federal bill.

Broad Coverage

If adopted, organizations falling under APRA’s scope would have to follow data minimization standards, collecting data only for limited purposes. Consumers would be able to access their data, demand its deletion, correction, and export, and could opt out of non-sensitive data transfers to third parties. They would also need to opt into sensitive data transfers.

Organizations covered by the bill are those that determine the purpose of collecting or processing data and which fall under the FTC Act. There is a subgroup of large data holders with larger minimum thresholds ($250m and five million people), members of which face tighter constraints. Businesses making less than $40m annually and handling the data of no more than 200,000 people are outside its scope.

The act covers data that is reasonably linkable to a device, but not public or employee information. There is also a subset of sensitive data that includes data points such as: health; biometric (not photos, audio or video) and genetic information; race; ethnicity; national origin; religion; and sex; along with financial account and payment data. This sensitive category goes wider, covering precise geolocation information, log-in data, private communications, phone logs, and even calendar data.

There are also some explicit definitions including photos and recordings for private use, naked or private images, and information revealing sexual behavior.

Ben Sperry, senior scholar of innovation policy at the International Center for Law & Economics, worries about a particular data type in the sensitive data category: online activities collected over time and across third-party websites.

“This is generally how targeted advertising works,” he tells ISMS.online, adding that curtailing the ability to target ads will affect business models for online platforms and the content creators that use them.

Broad Obligations

The obligations for those covered by the bill are numerous. There is a section forbidding manipulation practices designed to divert consumers’ attention from their privacy rights (known as ‘dark patterns’), and another mandating appropriate security practices. Yet another demands due diligence when selecting third-party service providers that will handle user data.

Algorithms are also subject to regulation under the proposed act, with large data holders required to conduct impact assessments on those with “consequential risk of harm”. They must report these to the FTC. Consumers would have the right to opt out of these algorithms.

Covered organizations would need to publish privacy policies explaining the purposes of the data processing and how long it will be retained. The policies would have to list third parties that the data is transferred to, explicitly including data brokers. The FTC would also have to establish a data broker registry with an opt-out option for consumers.

The FTC plays a major part in this legislation, serving as its enforcement body to the extent that it would terminate its Rulemaking on Commercial Surveillance and Data Security when the act came into force.

Ashley Johnson, senior policy manager at tech industry lobby group the Information Technology & Innovation Foundation (ITIF), identifies the FTC’s role as a sticking point for the proposed bill. The requirement for an opt-out central FTC registry undermines the opt-out provisions for covered data, she tells ISMS.online, adding that it would shrink ad revenue for online services.

Whose Law Counts?

Another bone of contention is which laws would take precedence: APRA or state-level legislation. As it stands, the federal law would preempt state laws – except when it doesn’t, which, as it turns out, is quite often.

“While APRA aims to establish a national standard, it also seeks to incorporate the strong protections of state laws like those in California, Illinois, and Washington,” warns Perla Khattar, a doctoral candidate in the University of Notre Dame Law School’s Tech Ethics Lab. “Balancing these aims to address concerns from states with robust privacy protections poses a complex challenge.”

The pre-emption question plays into another point of tension: the bill’s provision for private lawsuits alongside penalties from state attorneys general and the FTC. This leaves ITIF fretting about runaway costs.

“Under the Illinois Biometric Information Privacy Act (BIPA) there have been enormous settlements of court cases in the millions of dollar ranges, just for that one state law,” says ITIF’s Johnson. The law allows individuals to bring private lawsuits.

“A lot of companies look at examples like that and think ‘what would that look like if it was on a federal level?’.”

The act would allow individuals in Illinois to sue under BIPA and its Genetic Information Privacy Act when the violation occurred there. It also allows Californians to sue under the California Privacy Rights Act. Johnson calls this “backroom dealing” that would give states an unfair advantage.

Disputes like these are difficult to resolve, given the many stakeholders and agendas involved, and time is running out.

“If the bill lingers too long without progress, it risks losing momentum and the support of key stakeholders,” warns Khattar.

“Since 2024 is an election year, timing becomes even more critical for the passage of legislation like the APRA. Lawmakers are typically more responsive to public opinion during this period. However, they might also be cautious about supporting controversial or divisive measures.”

Even the most promising law has little use if it doesn’t make it over the line. Nevertheless, businesses should prepare for the APRA – or any subsequent attempts at legislation – as a business risk.

“First, evaluate how well your current data handling aligns with stringent state laws, like those of California or Illinois,” concludes Khattar. “Companies already compliant with such robust regulations may find transitioning to APRA compliance smoother. However, if your practices have been tailored to meet less stringent standards, you might need significant adjustments.”

Where possible, moving to comply with key provisions now could avert headaches later on. It might also help to build valuable customer trust.