Plan for US federal privacy law creeps toward realization but faces hurdles

APRA’s thresholds for data collection much higher than many individual state laws

As U.S. Congress considers the proposed American Privacy Rights Act (APRA), which would enshrine online privacy rights for all citizens, observers are looking at what is in the text – and what kinds of data collection practices warrant a sweeping new law. Meanwhile, states continue to pursue and pass laws that do not necessarily align with APRA, complicating the path to centralization.

What would APRA do if passed?

A summary from JDSupra says the text, introduced by Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA), would apply to commercial enterprises and nonprofit organizations, plus common carriers regulated by the Federal Communications Commission (FCC). However, APRA exempts small businesses with annual revenue of $40 million or less that hold data on fewer than 200,000 consumers. Its heaviest obligations fall on “large data holders” and “covered high-impact social media companies,” which could also be subject to algorithm audits and be required to hire privacy officers and file additional reports.

Data minimization is a key principle of APRA: organizations may collect only the data necessary for a specific, stated purpose. In practice, users would hand over less personally identifiable information (PII) per transaction, disclosing only what is strictly required. Any transfer of data considered sensitive would require express written consent. It is therefore notable that the Act defines sensitive data as “data related to government identifiers, health, biometrics, genetics, financial accounts and payments, precise geolocation, log-in credentials, private communications, revealed sexual behavior, calendar or address book data, phone logs, photos and recordings for private use, intimate imagery, video viewing activity, race, ethnicity, national origin, religion or sex, online activities over time and across third-party websites, information about a minor under the age of 17, and other data the FCC defines as sensitive covered data by regulation.”

In other words, just about everything.

What is APRA responding to?

In an opinion piece for The Hill, Jonathan Joseph lays out the case for why a federal privacy law is needed. “The average American’s online activities are tracked and sold 747 times per day; in total, our data is tracked 178 trillion times per year,” writes Joseph. “This isn’t the background noise of the internet – it is the internet.”

The list of sources that Big Data has tapped is extensive. Browser history, location data and driving behavior are all increasingly monitored. Some automakers collate driving data with additional information such as race, genetic information and sexual activity. Children’s data, which safeguards are supposed to protect, is more vulnerable than we want to believe: “Dozens of data brokers were recently found to have sold children’s location, health and other data,” writes Joseph. “Google, meanwhile, reportedly allowed personalized ads to be served on YouTube videos made for children.”

And of course there are biometrics. “Biometric data – your features, fingerprints, DNA, retinal patterns and more – is a data goldmine,” says Joseph. “Retailers have been caught using facial recognition technology to monitor shoppers, while Meta got dinged for collecting biometrics on 60 million Facebook users.” And as the tech evolves, it will unearth even more data to mine:  behavioral biometrics, gaze-tracking, physiological markers, neural monitoring, and more.

Although Joseph ultimately espouses the rather idealistic view that “real power will remain in the hands of consumers,” he concedes that a single national privacy law is probably not a bad idea, in light of just how vast the data-industrial complex has become.

What could stop APRA from passing into law?

So far, the largest sources of friction in moving the Act forward have been state representatives who object to the federal law’s preemptive clauses, which would override existing state-level laws. APRA’s progression has not hampered individual states’ legislative efforts to enact their own privacy laws – meaning that, as federal authorities push to simplify and centralize data privacy, states continue to add complexity to an already variegated privacy landscape.

Consider current scenarios in Colorado, Maryland, Vermont and Oregon. Each piece of legislation brings its own unique perspectives, restrictions and allowances.

In commentary for Baker Donelson, David Oberly breaks down Colorado HB 1130, which amends the Colorado Privacy Act (CPA) and is expected to pass into law. The bill would tighten requirements around consent, establish a retention schedule for biometric data, and prohibit certain uses of biometric identifiers.

Calling HB 1130 “a noteworthy development in the biometrics space,” Oberly says the bill “sets forth not only a number of traditional compliance obligations similar to the Illinois Biometric Information Privacy Act (BIPA) but also a range of additional, unique requirements and restrictions that have – until now – been historically confined to broader consumer privacy statutes. This will require many companies to satisfy a detailed set of new obligations pertaining to the use of biometrics.”

The bill’s rather broad definition of “biometric data” would tighten regulatory and compliance strictures for controllers “even where only an amount of biometric data is processed, and no actual biometric identification or authentication is performed.”

What do state-level privacy laws say?

The variety found among different states’ laws could mean a tangled legal road ahead for APRA, if states look to the courts to help block the federal law. Vermont’s H.121, which passed through both the House and Senate this week, contains an age appropriate design code. The National Law Review says Oregon has adopted a more expansive definition of “sensitive data” which includes categories for transgender or non-binary status. Under the Maryland Online Data Privacy Act (MODPA), which was signed into law on May 9, biometric or genetic data is considered sensitive whether or not it is “processed for the purpose of uniquely identifying an individual.”

And the numbers do not line up. Both Colorado’s and Oregon’s laws apply to entities that control or process the personal data of 100,000 or more consumers in a year. In both cases, for businesses that derive revenue from selling personal data, the threshold drops to 25,000 consumers. Meanwhile, MODPA sets a much lower basic threshold of 35,000 in-state consumers, and 10,000 for entities that derive more than 20 percent of their gross revenue from the sale of personal data. Compare those figures with APRA’s 200,000 threshold, and the discrepancies become crystal clear.

So, while APRA slouches through Congress, the patchwork of state legislation grows – meaning the road to a single U.S. federal privacy law is likely to be a bumpy one.
