An Examination of the Working Draft for a Federal Data Privacy Solution

A federal comprehensive data privacy solution may be on the horizon, but as of now it falls short of what is needed to create a workable regulatory landscape for businesses. Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA) issued the working draft of the bill. Like all comprehensive data privacy legislative proposals of late, the American Privacy Rights Act of 2024 (APRA) establishes national consumer data privacy rights and creates standards for data security. APRA would place the Federal Trade Commission at the helm of regulating and enforcing data privacy and security.  

While the draft language is a laudable attempt at a uniform federal solution that would prevent the compliance nightmare of 50 separate data privacy regimes, there are still issues with the bill that need to be addressed.

1. As a federal law, APRA should pre-empt state data privacy laws. But the draft bill includes various exceptions including data breach notification, civil rights, privacy rights of employees, privacy rights of students, and more, leaving plenty of unresolved areas for states to regulate. Moreover, the APRA also provides carveouts for California's Consumer Privacy Act and Illinois' Biometric Information Privacy Act, so those laws will still be in full force. 

2. Enforcement is spread across three different groups – the FTC, state's attorneys general, and consumer protection agencies and consumers. The most troubling is the private right of action. Section 19 allows individuals to bring a civil action against an entity for violations of portions of the act. Individual plaintiffs may petition for actual damages, injunctive relief, declaratory relief, and reasonable attorney's fees and costs. There is no cap on the actual damages. 

3. APRA has both opt-in and opt-out. For sensitive data, consumers must opt in to their data being transferred to a third party. But the same consumers opt out of non-sensitive data uses and algorithm use. 

4. The FTC has a lot of power to regulate within the scope of the bill. Particularly noteworthy is the FTC's ability to promulgate rules expanding the definition of sensitive data, which is given a heightened standard of care and protection. Other areas where the FTC has the power to promulgate include data security assessments, and approval of handling data by "covered entities that are not large data-holders or data brokers." 

5. APRA would stunt the implementation and innovation of artificial intelligence. Sections 13 and 14  would regulate 'covered algorithms' which is defined in a way to include AI. Section 13 disallows discrimination within an algorithm and requires an assessment of the algorithm's impact. Meanwhile, Section 14 requires entities to create an opt-out provision for 'consequential decisions' made by an algorithm in the areas of "housing, employment, education enrollment or opportunity, healthcare, insurance or credit opportunities." While not an out-right ban, this interferes with businesses' implementation of processes that could decrease consumer costs and speed processes up.

Other things about the draft legislation to note 

A "covered entity" is defined as any entity that determines "the purposes and means" of handling data and is subject to the FTC, is a common carrier, or not a nonprofit. The definition then goes on to exclude small businesses, governmental entities, and service providers for governmental activities. A small business is specifically defined as an entity whose annual gross revenue for the previous three years did not exceed $40,000,000, did not handle data of 200,000 individuals, and did not transfer data to a third party for profit. The act has specific provisions relating to data being handled by a "high impact social media company" and "large data holders." 

APRA also provides heightened measures for sensitive data. There are 18 categories of sensitive data listed in the definition, but the FTC has the explicit rulemaking authority to modify the definition. Currently, sensitive data includes government-issued identifiers, health information, genetic information, financial information, biometric information, geolocation, private communications, log-in credentials, viewing information, information about race, private calendars, photos and videos, information about minors, and information reveling online activities.

So, while it is encouraging to see federal legislation on this topic, this bill falls short of the mark (at least in its current form). The stakes are high because state-by-state legislation will be costly. Some estimate that compliance for businesses could surpass $1 trillion in 10 years. But if the federal option includes things like a private right of action, an opt-in for some aspects, and weak pre-emption, then the business community may need to brace for large compliance impacts.