The American Privacy Rights Act (APRA): Everything You Need To Know
Maria Cantwell, the Chair of the Senate Commerce, Science, and Transportation Committee, and Cathy McMorris Rodgers, the Chair of the House Energy and Commerce Committee, both from Washington, crafted the American Privacy Rights Act, which proposes an extensive array of new regulations. These regulations would control how companies handle and protect personal information collected from consumers. The bill includes provisions for the secure storage, handling, and distribution of such data to safeguard individuals' privacy rights.
Will APRA impact my business?
APRA will not apply to all businesses. Similar to the consumer privacy laws at the state level in the US, the proposed federal privacy bill also sets thresholds for its applicability.
It will apply to all businesses subject to Federal Trade Commission oversight that meet all of the following:
- Process at least 200,000 individuals' personal data,
- Have annual revenue below USD 40 million,
- Do not sell any personal data.
What constitutes personal data according to APRA?
Personal data refers to any information that can identify a person. This covers basics like names, Social Security Numbers, and emails, as well as less obvious identifiers like shopping habits or social media activity. The proposed federal data protection law goes a step further by specifying sensitive personal information. This broad category includes biometric and health details, private messages, nationality, religion, gender, passwords, and more.
What You Need to Know About APRA
The APRA draft represents a refined iteration of the American Data Privacy and Protection Act (ADPPA). While both bills grant privacy rights to consumers, mandate data minimization, promote enhanced security protocols, and empower the Federal Trade Commission (FTC) to establish regulations, there are notable distinctions that require scrutiny:
- Executive Accountability
- Data Transparency
- Data Minimization
- Data Security & Protection
- Private Right of Action
- Privacy Impact Assessments
The APRA requires a designated data privacy or security officer, but this doesn't need to be a standalone position or a new hire.
Privacy policies must encompass precise details, such as the types of data collected, processed, or stored; the objectives behind data processing; duration of data retention; security measures employed; enumeration of third parties involved; and disclosure of any data broker transactions. Additionally, these policies must elucidate procedures for consumers to assert their rights. Noteworthy alterations to the privacy policy necessitate prior notification and avenues for opting out.
There's a strong focus on data minimization, limiting the collection and utilization of data to essential and restricted purposes, with particular attention and consent required for biometric and genetic information.
APRA requires organizations to establish data security standards that are appropriate for the company’s size, the nature and scope of data management, the volume and sensitivity of data, and the technologies used to safeguard data. Organizations must also mitigate risks and assess vulnerabilities to consumer data.
The APRA introduces a private right of action. It allows consumers to file lawsuits and seek compensation against companies that fail to fulfill data privacy rights, such as data deletion requests, or that use personal data without consent.
The APRA mandates privacy impact evaluations for covered algorithms presenting a "significant risk," particularly those concerning:
- Children and minors
- Education, housing, health care, employment, insurance, or credit
- Public accommodations based on protected characteristics
- Race, color, religion, and sex
- Political party registration and affiliation
What responsibilities do companies have to meet under APRA regulations?
APRA lays down stricter rules compared to state privacy laws. These rules include:
- Using only the necessary amount of data (data minimization).
- Implementing data security measures.
- Respecting consumer requests, including honoring global opt-out preferences.
- Avoiding discrimination against consumers who assert their rights.
- Providing consumers with privacy notices.
- Obtaining consent for biometric data or sensitive data transfers.
- Designating a privacy or data security officer.
- Conducting impact assessments in certain situations.
- Establishing written contracts with service providers, detailing data processing instructions.
Is consent necessary for collecting data?
Most of the time, consent isn't needed for data collection. However, there are exceptions:
- Consent is necessary for collecting or sharing biometric and sensitive data.
- For everything else, businesses can process data unless the user decides to opt out within the specified guidelines.
What are the APRA consumer data privacy rights?
Under the APRA, individuals have the right to:
- Access their collected, processed, or retained data upon submitting a verified request
- Receive information on any third party or service provider to which their data was transferred, along with the purpose of the transfer
- Rectify inaccurate or incomplete personal data
- Erase personal data
- Obtain a copy of their personal data
- Not face retaliation for exercising their rights
- Decline data transfers and targeted advertising
- Decline algorithms used for consequential decisions regarding employment, healthcare, education, housing, credit, or insurance
Organizations must honor these individual privacy rights within specified timeframes. They may refuse requests that would involve accessing someone else's data, interfere with legal proceedings, or violate other laws.
The American Privacy Rights Act (APRA) VS General Data Protection Regulation (GDPR)
The APRA diverges significantly from the GDPR. While they exhibit numerous resemblances, two principal distinctions stand out:
- Opt-in is mandatory under the GDPR, whereas the APRA mandates only opt-out. Europe prohibits data processing without a legal foundation, notably consent. Conversely, in the US, processing is permissible as long as it aligns with the purposes outlined in the law.
- The GDPR encompasses all businesses and safeguards data universally. In contrast, the APRA is applicable solely to select businesses and safeguards consumers.
The American Privacy Rights Act (APRA) VS State Privacy Laws
The APRA's nationwide enforcement could potentially preempt individual state laws, although those laws may remain relevant for specific issues like consumer protections, civil rights, health, and financial data.
This legislation mirrors existing state laws such as CCPA/CPRA, incorporating comparable provisions for safeguarding genetic and biometric data.
About Ardent Privacy
Ardent’s mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent’s technology “TurtleShield” is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within the organizations with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, meaningful data protection, and reduce cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps organizations comply with evolving privacy and AI regulations and accelerates adoption of AI technologies. Ardent offers a low code platform to automate Privacy & AI governance, rapid discovery of data assets and consent management with regional focus for global regulations.