As national U.S. data privacy law becomes more likely, critics emerge to point out flaws
The push for comprehensive privacy legislation in the U.S. is gaining momentum, as the proposed American Privacy Rights Act 2024 (APRA) edges closer to realization. The bipartisan legislation aims to set clear, national data privacy rights and protections for U.S. citizens, tidying up a patchwork of state-level privacy laws that often lack coherent regulation. But as the bill moves through the legislative machine, it is triggering concern from some states that their hard-won privacy laws could get shredded in the process.
Modeled on the EU’s General Data Protection Regulation (GDPR), APRA follows the 2021 introduction of the American Data Privacy and Protection Act, or ADPPA – which failed to make it out of committee. There is some hope that this bill could achieve what its predecessor could not. But there are also skeptics who believe it is better to maintain diversity in privacy law, rather than impose a one-size-fits-all approach.
Law would retain some state protections around biometrics
An article in Statescoop looks at various positions on the proposed law. Keir Lamont, director of the Future of Privacy Forum’s U.S. legislation team, points to the principle of data minimization as APRA’s primary innovation and strongest attribute. “This approach seeks to deemphasize opt-in or opt-out rights – individual consent – and instead place limits on what data can be collected and how it can be used by covered entities,” Lamont says.
Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals (IAPP), says that while APRA would render some state laws ineffective, “it also tries to carve out and retain some of the sectoral protections, including protections related to employee data and some of the heightened protections around biometrics.” Moreover, some research shows that state laws without data minimization obligations are ineffective at protecting data privacy anyway.
Geoffrey Manne, president and founder of the International Center for Law and Economics, says that regardless of any individual state law’s quality, there is an advantage to having diversity in law. Manne believes states should be allowed to choose whether their laws would remain in effect, superseding APRA. “Neither all consumers nor all businesses have the same kind of privacy risks and preferences,” Manne says. “As a practical matter, it’s very hard to prescribe rules that are optimal for 330 million people. And that’s true with all law. Instead, you could end up with a lot of much more tailored privacy regimes, and the opportunity for companies to match their needs with privacy regimes being offered.”
EFF wants act to be stronger on government data collection
The Electronic Frontier Foundation (EFF) shares Manne’s concerns. “Federal law should be the floor on which states can build, not a ceiling,” says a statement on its website. “APRA should not preempt existing and future state data privacy laws that are stronger than the current bill. The ability to pass stronger bills at the state and local level is an important tool in the fight for data privacy. We ask that Congress not compromise our privacy rights by undercutting the very state-level action that spurred this compromise federal data privacy bill in the first place.”
The EFF wants APRA to be stronger on private right of action (giving individuals the right to pursue legal action against companies) and broader on its definition of sensitive data. It wants loopholes closed and exceptions narrowed, particularly around the collection of biometric data and de-identified data. And it believes the act should apply to governments as well as private entities; currently, APRA does not cover data collection by any “entity that is collecting, processing, retaining, or transferring covered data on behalf of a Federal, State, Tribal, territorial, or local government entity, to the extent that such entity is acting as a service provider to the government entity.”
Ad industry considers impact of APRA
An explainer from Digiday looks at how APRA would affect the advertising industry, which relies on collecting customer data. “There are certainly some positives to consider,” says the piece. “Standardizing compliance requirements for advertisers across the U.S., akin to what GDPR achieved in Europe, could lighten the compliance load for organizations. This move could benefit both companies aiming to mitigate compliance risks and consumers alike.”
On the other hand, APRA’s three-tier enforcement system involving the FTC, states, and individual actions ramps up compliance risks for advertisers and could lead to inconsistencies in enforcement.
Regardless, the article quotes Lucas Long, head of global privacy strategy at InfoTrust, who says the inclusion of a private right of action could make the legislation tough to get across the finish line. And there is still a long way to go. “For the APRA to become law, it must first be introduced in Congress, undergo review by relevant committees, be debated and voted on in both the House and the Senate, and potentially reconciled if there are differences between versions. Finally, it needs approval from the President.”
APRA or no, states are continuing apace with their own privacy bills. According to the IAPP’s U.S. State Privacy Legislation Tracker, ten U.S. states currently have privacy bills in committee. Two have been passed but await a final signature. Fourteen states have signed laws.