A bipartisan, bicameral legislative proposal to create a federal comprehensive data privacy framework may be back on the table. On April 7, 2024, House Energy and Commerce chair Rep. Cathy McMorris Rogers (R-WA) and Senate Commerce, Science, and Transportation chair Sen. Maria Cantwell (D-WA) released a “discussion draft” of a privacy bill dubbed the American Privacy Rights Act (APRA). APRA, which appears to be the retooled successor of a 2022 proposal from McMorris Rodgers and Rep. Frank Pallone (D-NJ) called the American Data Privacy and Protection Act (ADPPA), would create a national data privacy standard that has remained elusive from federal lawmakers for years.
APRA SUMMARY
If enacted, the APRA would create a comprehensive federal data privacy regime which, in addition to granting all Americans certain rights regarding their personal data, would expressly preempt current state privacy laws, create a private right of action, and address a wide range of additional privacy-related issues.
The APRA would protect any data that “identifies or is linked or reasonably linkable . . . to an individual or a device.” Entities would be subject to the APRA if they “determine[] the purposes and means of collecting, processing, retaining, or transferring” such data and are either
- subject to the Federal Trade Commission Act,
- are a common carrier under the Communications Act of 1934, or
- are a non-profit organization.
The law contains a number of categories of exceptions, including for small businesses that satisfy certain criteria. The APRA also creates a separate category of “Large Data Holders,” which appears to intentionally target the nation’s major tech companies and imposes significant additional compliance requirements on such entities.
The APRA would create rights for consumers that mirror many of those afforded by state laws: the right to access the data collected about them, to correct inaccuracies in their data, to have their data deleted, and to receive a portable copy of their data. Consumers would also have the right to know the name of any third party or service provider to which covered data was transferred, as well as the purpose of that transfer, and to opt out of at least some of these transfers. Additionally, consumers would be able to opt out of the use of their personal data for targeted advertising. The APRA would direct the Federal Trade Commission (FTC) to create a universal opt-out mechanism.
Two key and very likely contentious aspects of the APRA are preemption and a private right of action. With regard to preemption, the law would explicitly preempt “any [state] law, regulation, rule, or requirement covered by the provisions of [the bill].” Notably, however, the bill does contain several exceptions to its preemptive scope, including for state consumer protection laws and provisions of laws that address the privacy rights of students. With regard to remedies, unlike any state law to date, with the exception of California’s Consumer Privacy Act (CCPA), the APRA would create a private right of action. Individuals would be able to bring suit under the APRA for privacy-related harms, and the law would entitle them to seek actual damages, injunctive and declaratory relief, and recover their attorneys’ fees and costs. The bill contains no language prohibiting the consolidation of claims into class actions.
LEGISLATIVE PROSPECTS
Federal attempts to produce and enact a comprehensive data privacy framework have remained elusive. In 2022, the ADPPA advanced out of committee in the U.S. House of Representatives but did not receive a floor vote. Yet many industry stakeholders had already written off the possibility of comprehensive federal data privacy legislation ahead of what’s expected to be a contentious 2024 presidential election and an increasingly divided Congress. While APRA’s release represents yet another chance for legislators to implement privacy protections at a federal level, significant hurdles still remain for APRA to become law. Senate Commerce Committee Ranking Member Ted Cruz (R-TX) is signaling early opposition to the proposal, while Chair Rodgers’s counterpart, Rep. Pallone, has indicated that he has a desire to make further refinements to the bill. Other federal lawmakers in the House and Senate, particularly those who were not involved in the early stages of the talks, have indicated a desire to weigh in on the proposal before advancing it any further.
Next week, the House Energy & Commerce Committee plans to hold its first hearing on the discussion draft, an important initial step in the legislative process. At the hearing, lawmakers are expected to hear testimony from industry witnesses regarding the need for a strong federal privacy framework. Chair McMorris Rodgers, who is retiring at the end of the Congress, will likely make a heavy push to pass the bill ahead of her departure. The hearing will also include discussions about the multiple pending proposals regarding online safety for children. Additionally, Chair Cantwell announced her intention to move quickly on a separate proposal to ban the sale of Americans’ sensitive data to foreign adversaries. It is expected that if Congress does not act, states will continue to expand the existing patchwork of data privacy regulation. In the past two weeks alone, the legislatures of both Kentucky and Maryland have passed comprehensive data privacy bills, and several other states seem poised to follow suit.
Daniel Kilburn and Benjamin Mishkin also authored this alert.
About Cozen O’Connor Public Strategies
Cozen O’Connor Public Strategies, an affiliate of the international law firm Cozen O’Connor, is a bipartisan government relations practice representing clients before the federal government and in cities and states throughout the country. With offices in Washington D.C., Richmond, Albany, New York City, Philadelphia, Harrisburg, Chicago, and Santa Monica, the firm’s public strategies professionals offer a full complement of government affairs services, including legislative and executive branch advocacy, policy analysis, assistance with government procurement and funding programs, and crisis management. Its client base spans multiple industries, including healthcare, transportation, hospitality, education, construction, energy, real estate, entertainment, financial services, and insurance.
About Cozen O’Connor
Established in 1970, Cozen O’Connor has over 775 attorneys who help clients manage risk and make better business decisions. The firm counsels clients on their most sophisticated legal matters in all areas of the law, including litigation, corporate, and regulatory law. Representing a broad array of leading global corporations and middle-market companies, Cozen O’Connor serves its clients’ needs through 31 offices across two continents.
Explore Articles and News
See All News-
Illinois Insights: An update from Cozen O’Connor (12/20)
December 20, 2024
Please note that the final edition of Illinois Insights for the year will be sent on Monday, December 23. We will resume our publication...Read More -
Virginia Viewpoint Budget Briefing: First Steps To A Final Budget
December 20, 2024
Budget Briefing: First Steps To A Final Budget In this update: A summary of the Governor’s proposed budget amendments, along with an update on...Read More -
Pennsylvania Perspective for Thursday, December 19, 2024
December 19, 2024
The entire team at Cozen O’Connor and Cozen O’Connor Public Strategies mourns the passing of Steve Cozen, one of the firm’s founders and former...Read More