
Plan for US federal privacy law creeps toward realization but faces hurdles

APRA’s thresholds for data collection much higher than many individual state laws

As U.S. Congress considers the proposed American Privacy Rights Act (APRA), which would enshrine online privacy rights for all citizens, observers are looking at what is in the text – and what kinds of data collection practices warrant a sweeping new law. Meanwhile, states continue to pursue and pass laws that do not necessarily align with APRA, complicating the path to centralization.

What would APRA do if passed?

A summary from JDSupra says the text, introduced by Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA), would apply to commercial enterprises and nonprofit organizations, plus common carriers regulated by the Federal Communications Commission (FCC). However, APRA exempts small businesses with less than $40 million in revenue and data on fewer than 200,000 consumers, largely targeting “large data holders” and “covered high-impact social media companies,” which could also be subject to algorithm audits and be required to hire privacy officers and file additional reports.

Data minimization is a key principle of APRA: organizations would be permitted to collect only the data necessary for a specific, stated purpose. Users would retain more of their personally identifiable information (PII) per transaction, handing over only what is strictly necessary. Any transfer of data considered sensitive would require express written consent. It is therefore notable that the Act defines sensitive data as “data related to government identifiers, health, biometrics, genetics, financial accounts and payments, precise geolocation, log-in credentials, private communications, revealed sexual behavior, calendar or address book data, phone logs, photos and recordings for private use, intimate imagery, video viewing activity, race, ethnicity, national origin, religion or sex, online activities over time and across third-party websites, information about a minor under the age of 17, and other data the FCC defines as sensitive covered data by regulation.”

In other words, just about everything.

What is APRA responding to?

In an opinion piece for The Hill, Jonathan Joseph lays out the case for why a federal privacy law is needed. “The average American’s online activities are tracked and sold 747 times per day; in total, our data is tracked 178 trillion times per year,” writes Joseph. “This isn’t the background noise of the internet – it is the internet.”

The list of sources that Big Data has tapped is extensive. Browser history, location data and driving skills are all increasingly monitored. Some automakers collate driving data with additional info like race, genetic information and sexual activity. Children’s data, which safeguards are supposed to protect, is more vulnerable than we want to believe: “Dozens of data brokers were recently found to have sold children’s location, health and other data,” writes Joseph. “Google, meanwhile, reportedly allowed personalized ads to be served on YouTube videos made for children.”

And of course there are biometrics. “Biometric data – your features, fingerprints, DNA, retinal patterns and more – is a data goldmine,” says Joseph. “Retailers have been caught using facial recognition technology to monitor shoppers, while Meta got dinged for collecting biometrics on 60 million Facebook users.” And as the tech evolves, it will unearth even more data to mine: behavioral biometrics, gaze-tracking, physiological markers, neural monitoring, and more.

Although Joseph ultimately espouses the rather idealistic view that “real power will remain in the hands of consumers,” he concedes that a single national privacy law is probably not a bad idea, in light of just how vast the data-industrial complex has become.

What could stop APRA from passing into law?

So far, the largest sources of friction in moving the Act forward have been state representatives who object to the federal law’s preemptive clauses, which would override existing state-level laws. APRA’s progression has not hampered individual states’ legislative efforts to enact their own privacy laws – meaning that, as federal authorities push to simplify and centralize data privacy, states continue to add complexity to an already variegated privacy landscape.

Consider current scenarios in Colorado, Maryland, Vermont and Oregon. Each piece of legislation brings its own unique perspectives, restrictions and allowances.

In commentary for Baker Donelson, David Oberly breaks down Colorado HB 1130, which amends the Colorado Privacy Act (CPA) and is expected to pass into law. The bill would beef up requirements around consent, establish a retention schedule for biometric data, and prohibit certain uses of biometric identifiers.

Calling HB 1130 “a noteworthy development in the biometrics space,” Oberly says the bill “sets forth not only a number of traditional compliance obligations similar to the Illinois Biometric Information Privacy Act (BIPA) but also a range of additional, unique requirements and restrictions that have – until now – been historically confined to broader consumer privacy statutes. This will require many companies to satisfy a detailed set of new obligations pertaining to the use of biometrics.”

The bill’s rather broad definition of “biometric data” would tighten regulatory and compliance strictures for controllers “even where only an amount of biometric data is processed, and no actual biometric identification or authentication is performed.”

What do state-level privacy laws say?

The variety found among different states’ laws could mean a tangled legal road ahead for APRA, if states look to the courts to help block the federal law. Vermont’s H.121, which passed through both the House and Senate this week, contains an age-appropriate design code. The National Law Review says Oregon has adopted a more expansive definition of “sensitive data,” which includes categories for transgender or non-binary status. Under the Maryland Online Data Privacy Act (MODPA), which was signed into law on May 9, biometric or genetic data is considered sensitive whether or not it is “processed for the purpose of uniquely identifying an individual.”

And the numbers literally do not line up. Both Colorado’s and Oregon’s laws apply to entities that control or process the personal data of 100,000 or more consumers in a year. In both cases, for businesses that derive revenue from data collection, the threshold sinks to 25,000 consumers. Meanwhile, MODPA sets a much lower basic threshold of 35,000 in-state consumers – 10,000 for entities that derive more than 20 percent of their gross revenue from the sale of personal data. Compare that to APRA’s 200,000 threshold, and the discrepancies become crystal clear.

So, while APRA slouches through Congress, the patchwork of state legislation grows – meaning the road to a single U.S. federal privacy law is likely to be a bumpy one.
