After years of gridlock and failed attempts, the US Congress may finally be poised to pass a comprehensive federal privacy law, decades after it became necessary.

On April 5, Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) unveiled a bipartisan, bicameral proposal called the American Privacy Rights Act (APRA) – a sweeping piece of legislation that aims to establish national standards for how companies can collect, use, and share consumer data.

The introduction of APRA marks a significant milestone in the longstanding effort to bring consumer data privacy protections to the United States at the federal level.

For years, privacy advocates have pushed for Congress to act as mega-corporations pilfer the data of hundreds of millions of Americans for profit. However, intense lobbying from the tech industry and partisan divides have repeatedly stalled any meaningful progress. Now, with this new bipartisan compromise, there is cautious optimism that lawmakers may finally break the gridlock.

What is the American Privacy Rights Act (APRA)?


APRA is a 53-page draft bill that would, for the first time, grant U.S. consumers broad rights over their personal data. Some of its key provisions include:

Data Minimization: The bill would require companies to only collect, process, retain, or transfer consumer data that is “necessary, proportionate, or limited” to provide a product or service requested by the individual.

Consumer Rights: APRA would give consumers the right to access, correct, delete, and download their personal data. It would also allow them to opt out of targeted advertising and the sale of their information to data brokers.

Data Broker Registry: The legislation would mandate the creation of a national registry of data brokers, requiring these companies to allow consumers to opt out of having their data sold.

Enforcement: The bill empowers the Federal Trade Commission (FTC), state attorneys general, and private citizens to take enforcement action against companies that violate the law. It also grants individuals the right to sue companies for damages.

Preemption: A significant compromise, the APRA would preempt more than a dozen existing state privacy laws, including the landmark California Consumer Privacy Act (CCPA). However, it carves out exceptions for state laws regulating civil rights, consumer protections, and other specific domains.

Small Business Exemption: Companies with less than $40 million in annual revenue or that collect data on fewer than 200,000 individuals would be exempt from most of the APRA’s requirements.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information”, Cantwell and McMorris Rodgers said in a joint statement.

“It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress.”

A Compromise Born of Past Failures

The introduction of APRA comes on the heels of previous failed attempts to pass federal privacy legislation. The most recent bill the House attempted to push forward was the American Data Privacy and Protection Act (ADPPA), a sprawling privacy bill that garnered bipartisan support but ultimately stalled in the Senate.

A key sticking point with the ADPPA was the issue of federal preemption. Many Democrats, particularly those from states with existing privacy laws like California, objected to provisions that would have overridden state-level protections. Cantwell, who chairs the Senate Commerce Committee, was among those who criticized the ADPPA, saying it had “major enforcement holes.”

The APRA appears to be a direct response to those concerns. By carving out exceptions for state laws in certain domains, the new proposal aims to strike a balance that can garner support from both parties and state-level policymakers.


“I think we have threaded a very important needle here”, Cantwell highlighted in an interview with The Spokesman Review. “We are preserving those standards that California and Illinois and Washington have”, she stressed.

Another key difference is the inclusion of a private right of action – a provision long sought by Democrats but opposed by many Republicans (and Big Tech, obviously). The APRA would allow individuals to sue companies for violating their data privacy rights, a change that Cantwell has called a “night and day” improvement over the previous House bill.

The Road Ahead for APRA is Not Free of Riddles

Despite the bipartisan backing and apparent compromise, the path forward for the APRA remains uncertain. As a “discussion draft,” the bill will likely undergo further negotiations and revisions before being formally introduced.

Additionally, with the November 2024 elections approaching fast, the legislative calendar is tight. McMorris Rodgers, a key architect of the deal, is set to step down from Congress in January, adding a sense of urgency to the process.

“A deadline is a good thing”, Cantwell candidly commented.

Certain aspects of the APRA, such as the preemption of state laws, may also face pushback from state leaders and privacy advocates. Frank Pallone Jr. (D-NJ), the top Democrat on the House Energy and Commerce Committee, has already called for the bill to be “strengthened”, particularly when it comes to children’s privacy.

“From our perspective—in an ideal world—it would not preempt state laws, it would allow states to pass stronger laws”, said Caitriona Fitzgerald, the deputy director at the Electronic Privacy Information Center. “We recognize that compromise is necessary and that this is a big sticking point.”

Despite these concerns, there is a sense that the political landscape may be more favorable for federal privacy legislation now than in the past. The rise of issues like AI governance, data transfers to foreign adversaries, and children’s online safety has raised the profile of data privacy as a policy priority. Big Tech’s lobbying efforts seem to be having diminishing effects nowadays.

“It’s cool to want to do digital policy work in those areas, but if you don’t have privacy legislation as a baseline, as a foundational support, you’re kind of putting the cart before the horse”, said Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP).

Moreover, the fact that the APRA has the backing of the chairs of the most important congressional committees with jurisdiction over privacy issues suggests a level of seriousness and commitment that has been lacking in previous efforts.

There’s a lot of evidence “[to] suggest that this bill has legs, that it’s viable”, Hughes said in a blog post published by the IAPP earlier this week. “It would not be introduced unless there were very good reasons to think that we might see national privacy legislation in the U.S.”

The Tech Industry Remains Relatively Quiet

While the APRA has garnered praise from some industry leaders, the tech sector’s response has been more measured. Microsoft’s Chief Privacy Officer, Julie Brill, commented: “Generally speaking, we have advocated for a federal privacy bill for two decades, and we believe all Americans deserve the comprehensive privacy protections that so many other jurisdictions across the globe now enjoy.”

She added: “I’d like to see consistent and robust protections for individuals and clarity for organizations who have otherwise faced varying obligations across state lines.”

Meanwhile, Brad Smith, Global President at Microsoft (MSFT), called the proposal a “good deal” that would provide “clarity by establishing a national standard” on privacy.

However, the digital advertising and social media industries, which rely heavily on the collection and use of consumer data, are likely to view the APRA with more trepidation. The bill’s provisions around data minimization, opt-outs for targeted advertising, and the creation of a data broker registry could significantly disrupt well-established business models.

“This could have massive implications for the adtech ecosystem and have a disproportionate impact on social media ad networks versus [digital platforms] operated by other companies”, said Marci Rozen, a data security attorney. If these ad agencies can no longer get their hands on so much user data, ad targeting will worsen, lowering returns across the board.

APRA Has a Fatal Flaw

Arielle Garcia, a privacy consultant and former chief privacy officer at UM Worldwide, warned that the broad definition of “sensitive data” in the APRA could lead to industry workarounds, as companies seek to find ways around the new restrictions.

“This will likely revive the ‘everyone is a service provider’ approach that adtech companies took to avoid honoring opt-outs before the California Consumer Privacy Act closed the loophole”, Garcia highlighted.

At the moment, tech companies have to comply with the strictest state privacy regulations, namely California’s, for users there. They also sometimes apply these regulations uniformly across their entire userbase in the US rather than treating users in each state differently. Because APRA would preempt all state privacy laws (with a few exceptions listed above), citizens in California and a handful of other states will actually lose privacy rights that they had under state legislation.

This is partially why some experts believe that the tech industry may ultimately prefer the clarity and consistency of a federal privacy law over the current patchwork of state regulations.

“Online advertisers may actually find that even with a higher hurdle to clear, that a consistent national standard that is predictable, understandable, and provides strong guardrails and rules of the road for them to operate, is a vastly preferable situation than the current unease and the really complex risk environment that they operate in today”, IAPP’s Hughes said.

A Renewed Push for Federal Privacy Protections

The introduction of the APRA marks a significant moment in the long-running effort to establish federal privacy protections in the United States. After years of inaction and failed attempts, the bipartisan compromise struck by Cantwell and McMorris Rodgers has reignited hopes that a national standard may finally be within reach.

However, the road ahead is far from smooth. With the clock ticking toward the 2024 elections and a range of stakeholders with competing interests, APRA will face intense scrutiny and debate in the coming weeks and months. Privacy advocates will push to ensure that the final bill is as strong as possible while industry lobbying groups and some lawmakers will seek to water down its provisions.

Nonetheless, the fact that this proposal has emerged at all represents a significant breakthrough. The growing appetite for digital privacy protections, coupled with the political will of key congressional leaders, suggests that the stars may finally be aligning for federal privacy legislation in the United States.

As the process unfolds, the American people will be watching closely, eager to see if their long-held desire for robust data privacy safeguards will finally be realized. The stakes are high, and the outcome of this debate will have far-reaching implications for the digital age and the future of personal data rights in the country.