May 1, 2024 By Jennifer Gregory 3 min read

After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations.

With the American Privacy Rights Act of 2024, the U.S. government established the first national privacy policy establishing national consumer data privacy rights and also set standards for data security. Specific entities are excluded from the legislation, including small businesses, governments, entities working on behalf of governments and the National Center for Missing and Exploited Children (NCMEC). Fraud nonprofits are only required to follow the data security standards. As part of the Act, the Federal Trade Commission (FTC) will establish a new bureau to enforce violations, which will be treated as an unfair or deceptive practice under the FTC Act.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) in the press release. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”

APRA replaces disparate state laws

One of the key parts of the Act is that it replaces the current disparate state privacy laws, referred to as preemption. Because companies had to follow the laws in the state in which the customer resided, it was challenging to ensure compliance with different laws in many states.

However, states can still pass their own privacy laws in some instances, such as civil rights and consumer protections. When crafting the APRA, lawmakers preserved standards from key states, such as California, Illinois and Washington.

The 140-page draft APRA details specific standards and processes regarding data privacy. Here are five key parts of the new bill.

1. Individuals harmed by data breaches can sue corporations

Lawmakers used the language from the California Consumer Privacy Rights Act (CCPA) that gave individuals harmed by a data breach the power to sue corporations. From the lawsuit, consumers can recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs. California residents can also receive statutory damages based on the CCPA.

2. Companies are limited in the type of data they can collect and use

Organizations will be required to have a privacy policy that details data collection processes and how consumers can opt-out. The Act also restricts the collection and transfer of specific types of data, such as biometric or genetic information, without the individual’s affirmative express consent unless expressly allowed by a stated permitted purpose.

3. Americans gain greater control of their data

The APRA gives Americans the ability to stop companies and data brokers from transferring or selling their data. Consumers can also opt out of targeted advertising. Additionally, the Act requires consent from the consumer for companies to transfer sensitive data to a third party.

4. A national registry of data brokers will be created

As part of the legislation, the FTC will maintain a data broker registry. All data brokers will also need to keep a public website that identifies themselves as a data broker. Consumers, including individuals with disabilities, must be able to control data and opt-out from collection on the website using a “do not collect” mechanism.

5. Companies must designate a privacy or data security officer

While most companies can appoint either a privacy or data officer, large data holders must designate both along with following additional requirements such as filing with the FTC annually. Companies are not required to create a standalone position but can add these responsibilities to an existing role.

Next steps with the APRA

Because the Act is still in discussion draft, the next steps are not yet set. There is not an official date set for voting or approving the bill into law. Because of the implication for both companies and consumers, Americans should carefully follow the discussions, and companies should begin preparing to follow the regulations if passed, which would go into effect 180 days after approval.

More from News

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

State Department releases International Cyberspace and Digital Policy Strategy

3 min read - U.S. Secretary of State Antony Blinken announced the new U.S. International Cyberspace and Digital Policy Strategy during the recent RSA Conference in San Francisco. The strategy emphasizes the role of technology in diplomacy and the urgent need to build international coalitions. “Security, stability, prosperity — they are no longer solely analog matters,” Blinken said at the conference. The new strategy focuses on “digital solidarity” not “digital sovereignty,” Blinken said, emphasizing the importance of collaboration with like-minded nations. Also mentioned was…

DHS establishes Artificial Intelligence Safety and Security Board

3 min read - As part of its commitment to addressing the rapid growth and adoption of AI technology across all industries and sectors, the Department of Homeland Security (DHS) announced the establishment of the Artificial Intelligence Safety and Security Board in late April. The Board’s first meeting is planned for early May when they will begin the task of focusing on how to develop and deploy AI technology within the United States’ critical infrastructure safely and securely. Based on the DHS Homeland Threat…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today