What is the American Privacy Rights Act (APRA)?

In the labyrinth of digital privacy, the recent unveiling of the American Privacy Rights Act (APRA) serves as a beacon for what could be the next era of data protection in the United States. At Ketch, the surprise release (a classic Friday privacy news drop, of course) stirred a pot of mixed emotions, from cautious optimism to skeptical curiosity about the possibility of US federal privacy legislation.

APRA's introduction– a surprise to many

The American Privacy Rights Act's emergence was unexpected, keeping in line with the tradition of significant announcements catching everyone off guard at the week's end. 

What is the American Privacy Rights Act (APRA)?

The American Privacy Rights Act (APRA) is a proposed US federal privacy law designed to restrict data collection, ensure access and deletion rights for users, enable opting out of data sales, and prioritize informed consent. It emphasizes limited, necessary data usage by companies, prioritizing consumer control.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said Rep. Rodgers, who chairs the House Energy & Commerce Committee, and Sen. Cantwell, who chairs the Senate Commerce Committee, in a joint statement.

This new US federal privacy law has sparked a wide range of reactions within the privacy community, including ours at Ketch. The memory of the last US federal privacy bill, which failed to pass, looms large over APRA's prospects. We find ourselves pondering the tight timing and extensive components of the bill, contemplating whether it will indeed cross the legislative finish line this time.

I sat down with Alysa Hutnik, Partner at Kelley Drye, during a recent episode of the Privacy Huddle to discuss immediate APRA reactions in the privacy community. 

‍

The essence of APRA

At its core, APRA seeks to unify the fragmented landscape of state privacy laws under a single federal standard, reminiscent of comprehensive laws like the California privacy regulations (CCPA/CPRA) but on a national scale. The legislation zeroes in on consumer data, particularly focusing on areas such as first-party data, targeted advertising, and the sharing and transferring of data to third parties. It’s evident that privacy is moving towards a highly regulated domain, a shift we at Ketch have been closely monitoring and preparing for with our suite of privacy tools.

‍APRA's framework: A closer look

The bill incorporates familiar principles like data minimization and transparency, echoing the themes seen across various global privacy frameworks. However, a standout feature of APRA is the potential it holds for litigation, introducing a multitude of enforcers from the FTC to private rights of action. This aspect brings a dual-edged sword: on one hand, it empowers consumers with more control and protection over their data; on the other, it raises concerns for businesses about the increased risk of litigation.

Despite its imperfections and the uncertainty of its passage, APRA provides a reference point for businesses to align their data practices with federal expectations. This comes as a relief, especially given the dynamic and often confusing state of state laws. If APRA can become the privacy standard 1.0 for companies across the US, it would greatly aid in compliance efforts, providing a clearer benchmark for privacy practices nationwide.

‍

‍

Implications for businesses– navigating the APRA landscape

For businesses and brands, new privacy bills often bring concern. Amidst the sheer volume of privacy regulations in the last 5-10 years, business privacy leaders and owners have become increasingly weighed down by the complexity across different laws and regulations. At-a-glance, a few standout topics for businesses to be aware of in the APRA include: 

• Focus on data minimization. The APRA places high importance on data minimization. Data minimization means collecting only as much data as is necessary to do the job. APRA also would afford consumers with data subject rights, including the right to view, correct, export, or delete their data. 

• Exemption for small businesses. The introduction of a small business exemption signals a thoughtful consideration within APRA, aiming to alleviate the compliance burden on smaller entities. Companies under $40MM annual revenue or 200,000 visitors won’t be subject to APRA compliance. Yet, for growing businesses and those on the cusp, this bill isn’t something to ignore. Ultimately, adhering to responsible data practices isn’t just about the regulations–it’s about respecting consumer data and doing the right thing. 

• Increase in private right of action (PRA) rights. Private right of action has been a source of significant debate in privacy legislation. Private right of action is the right of individual consumers to take legal action against businesses that break the law. The potential for consumer empowerment is high, but so is the concern over the diversion of resources towards litigation rather than innovation and customer service. As we look back at certain areas of privacy law, such as biometrics and pixels, we see extensive class action lawsuit activity, and therefore a lot of money going to plaintiffs’ lawyers. While consumer rights are critical, many are concerned with a waste of resources. 

Ketch's take on APRA

‍

APRA represents a significant step towards the standardization of privacy laws across the US. Its focus on simplifying the compliance landscape and enhancing consumer protections is a move in the right direction. While its passage is not guaranteed, its introduction is a crucial conversation starter about the future of privacy legislation in the US.

Jonathan Joseph, Head of Solutions, Ketch

‍

At Ketch, we view the APRA through a lens of cautious optimism. The bill's focus on consumer data protection aligns with our vision: to provide data dignity for all, beginning with tools to support business ability to honor consumer data choices across the data ecosystem. The Ketch platform, including products like consent management and DSR automation, is designed to help businesses navigate these regulations effectively.

In summary, APRA represents a significant step towards the standardization of privacy laws across the US. Its focus on simplifying the compliance landscape and enhancing consumer protections is a move in the right direction. While its passage is not guaranteed, its introduction is a crucial conversation starter about the future of privacy legislation in the US.

As we continue to monitor APRA's progress, our commitment to enabling businesses to meet these new challenges remains steadfast. The journey towards a more privacy-centric business environment is complex, but with tools and strategies aligned with regulations like APRA, it's a journey that can lead to stronger consumer trust and business resilience in the digital age.