May 1, 2024 By Jennifer Gregory 3 min read

After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations.

With the American Privacy Rights Act of 2024, the U.S. government established the first national privacy policy, setting out national consumer data privacy rights and standards for data security. Specific entities are excluded from the legislation, including small businesses, governments, entities working on behalf of governments and the National Center for Missing and Exploited Children (NCMEC). Fraud nonprofits are only required to follow the data security standards. As part of the Act, the Federal Trade Commission (FTC) will establish a new bureau to enforce violations, which will be treated as an unfair or deceptive practice under the FTC Act.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) in the press release. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”

APRA replaces disparate state laws

One of the key parts of the Act is that it replaces the current disparate state privacy laws, a mechanism referred to as preemption. Because companies previously had to follow the laws of the state in which each customer resided, ensuring compliance with many different state laws was challenging.

However, states can still pass their own privacy laws in some instances, such as civil rights and consumer protections. When crafting the APRA, lawmakers preserved standards from key states, such as California, Illinois and Washington.

The 140-page draft APRA details specific standards and processes regarding data privacy. Here are five key parts of the new bill.

1. Individuals harmed by data breaches can sue corporations

Lawmakers used the language from the California Consumer Privacy Rights Act (CCPA) that gave individuals harmed by a data breach the power to sue corporations. From the lawsuit, consumers can recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs. California residents can also receive statutory damages based on the CCPA.

2. Companies are limited in the type of data they can collect and use

Organizations will be required to have a privacy policy that details data collection processes and how consumers can opt out. The Act also restricts the collection and transfer of specific types of data, such as biometric or genetic information, without the individual’s affirmative express consent unless expressly allowed by a stated permitted purpose.

3. Americans gain greater control of their data

The APRA gives Americans the ability to stop companies and data brokers from transferring or selling their data. Consumers can also opt out of targeted advertising. Additionally, the Act requires consent from the consumer for companies to transfer sensitive data to a third party.

4. A national registry of data brokers will be created

As part of the legislation, the FTC will maintain a data broker registry. All data brokers will also need to keep a public website that identifies them as a data broker. Consumers, including individuals with disabilities, must be able to control their data and opt out of collection on the website using a “do not collect” mechanism.

5. Companies must designate a privacy or data security officer

While most companies can appoint either a privacy officer or a data security officer, large data holders must designate both and follow additional requirements, such as filing with the FTC annually. Companies are not required to create a standalone position but can add these responsibilities to an existing role.

Next steps with the APRA

Because the Act is still a discussion draft, the next steps are not yet set. There is no official date set for voting on the bill or approving it into law. Because of the implications for both companies and consumers, Americans should carefully follow the discussions, and companies should begin preparing to follow the regulations if passed, which would go into effect 180 days after approval.
