May 1, 2024 By Jennifer Gregory 3 min read

After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act (APRA) on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and whether individuals could sue companies for privacy violations.

If enacted, the American Privacy Rights Act of 2024 would establish the first national consumer data privacy rights and also set standards for data security. Specific entities are excluded from the legislation, including small businesses, governments, entities working on behalf of governments and the National Center for Missing and Exploited Children (NCMEC). Fraud-prevention nonprofits are only required to follow the data security standards. As part of the Act, the Federal Trade Commission (FTC) would establish a new bureau to enforce it, and violations would be treated as an unfair or deceptive practice under the FTC Act.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) in the press release. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”

APRA replaces disparate state laws

One of the key parts of the Act is preemption: it would replace the current patchwork of state privacy laws with a single national standard. Because companies have had to follow the laws of the state in which each customer resides, ensuring compliance with many different state laws has been challenging.

However, states can still pass their own privacy laws in some instances, such as civil rights and consumer protections. When crafting the APRA, lawmakers preserved standards from key states, such as California, Illinois and Washington.

The 140-page draft APRA details specific standards and processes regarding data privacy. Here are five key parts of the new bill.

1. Individuals harmed by data breaches can sue corporations

Lawmakers used language from the California Consumer Privacy Act (CCPA) that gives individuals harmed by a data breach the power to sue corporations. Under the draft, consumers could recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs. California residents can also receive statutory damages under the CCPA.

2. Companies are limited in the type of data they can collect and use

Organizations would be required to have a privacy policy that details their data collection practices and how consumers can opt out. The Act also restricts the collection and transfer of specific types of data, such as biometric or genetic information, without the individual's affirmative express consent unless expressly allowed by a stated permitted purpose.

3. Americans gain greater control of their data

The APRA gives Americans the ability to stop companies and data brokers from transferring or selling their data. Consumers can also opt out of targeted advertising. Additionally, the Act requires consent from the consumer for companies to transfer sensitive data to a third party.

4. A national registry of data brokers will be created

As part of the legislation, the FTC would maintain a data broker registry. All data brokers would also need to keep a public website that identifies them as a data broker. Consumers, including individuals with disabilities, must be able to control their data and opt out of collection on that website using a "do not collect" mechanism.

5. Companies must designate a privacy or data security officer

While most companies could appoint either a privacy officer or a data security officer, large data holders must designate both and meet additional requirements, such as filing with the FTC annually. Companies are not required to create a standalone position but can add these responsibilities to an existing role.

Next steps with the APRA

Because the Act is still a discussion draft, the next steps are not yet set. There is no official date for a vote or for signing the bill into law. Because of the implications for both companies and consumers, Americans should follow the discussions closely, and companies should begin preparing to follow the regulations if the bill passes; they would take effect 180 days after enactment.
