May 1, 2024 By Jennifer Gregory 3 min read

After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations.

With the American Privacy Rights Act of 2024, the U.S. government established the first national policy setting out consumer data privacy rights, and it also set standards for data security. Specific entities are excluded from the legislation, including small businesses, governments, entities working on behalf of governments and the National Center for Missing and Exploited Children (NCMEC). Fraud nonprofits are only required to follow the data security standards. As part of the Act, the Federal Trade Commission (FTC) will establish a new bureau to enforce it; violations will be treated as an unfair or deceptive practice under the FTC Act.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) in the press release. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”

APRA replaces disparate state laws

One of the key parts of the Act is that it replaces the current disparate state privacy laws, a mechanism referred to as preemption. Because companies had to follow the laws of the state in which each customer resided, ensuring compliance with differing laws across many states was challenging.

However, states can still pass their own privacy laws in some instances, such as civil rights and consumer protections. When crafting the APRA, lawmakers preserved standards from key states, such as California, Illinois and Washington.

The 140-page draft APRA details specific standards and processes regarding data privacy. Here are five key parts of the new bill.

1. Individuals harmed by data breaches can sue corporations

Lawmakers used the language from the California Consumer Privacy Rights Act (CCPA) that gave individuals harmed by a data breach the power to sue corporations. From the lawsuit, consumers can recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs. California residents can also receive statutory damages based on the CCPA.

2. Companies are limited in the type of data they can collect and use

Organizations will be required to have a privacy policy that details their data collection processes and how consumers can opt out. The Act also restricts the collection and transfer of specific types of data, such as biometric or genetic information, without the individual’s affirmative express consent, unless expressly allowed by a stated permitted purpose.

3. Americans gain greater control of their data

The APRA gives Americans the ability to stop companies and data brokers from transferring or selling their data. Consumers can also opt out of targeted advertising. Additionally, the Act requires consent from the consumer for companies to transfer sensitive data to a third party.

4. A national registry of data brokers will be created

As part of the legislation, the FTC will maintain a data broker registry. All data brokers will also need to keep a public website that identifies them as a data broker. Consumers, including individuals with disabilities, must be able to control their data and opt out of collection on that website using a “do not collect” mechanism.

5. Companies must designate a privacy or data security officer

While most companies can appoint either a privacy officer or a data security officer, large data holders must designate both and meet additional requirements, such as filing with the FTC annually. Companies are not required to create a standalone position but can add these responsibilities to an existing role.

Next steps with the APRA

Because the Act is still a discussion draft, the next steps are not yet set. There is no official date set for voting on the bill or approving it into law. Because of the implications for both companies and consumers, Americans should carefully follow the discussions, and companies should begin preparing to follow the regulations if the bill passes; they would go into effect 180 days after approval.
