Controversial US privacy bill rewritten again, but path still unclear

The already controversial American Privacy Rights Act of 2024 (APRA), which was originally introduced in April by U.S. Senate Commerce Committee Chair, Sen. Maria Cantwell, and House Energy and Commerce Committee Chair, Rep. Cathy Rodgers, was reintroduced by Rodgers in the House on June 25 as H.R. 8818, and both expands and compromises on the comprehensive federal consumer privacy framework that was outlined in the first draft of the legislation.
Significant among the changes are the special requirements for biometric and genetic data, which have been further refined. Collecting such data would now require express consent, without exception.
Noticeably absent is the “civil rights and algorithms” section that would have prohibited the use of personal data in a manner that discriminates based on protected characteristics, and the “opt-out rights for consequential decisions.”
A subsequent draft of the bill had been circulated on June 20, preceding a scheduled June 27 markup by the House Committee on Energy and Commerce. But that meeting was unceremoniously cancelled at the last minute following stakeholder pushback and Republican disagreement over the June 20 draft.
Rodgers told Axios following the cancellation that the committee isn’t done with the bill, and that they needed to “regroup.”
“There’s been a lot of confusion and misrepresentation of what the bill does, unfortunately,” Rodgers said. “We’re gonna need some more time to provide that clarity.” She added: “Everyone knows someone who has suffered because of the current state of the online ecosystem. We cannot continue down this path. The American people are asking Congress to step up and pass a privacy bill. It is foundational to our future and the next generation.”
Rodgers’ comments followed her pre-markup statements, in which she declared that, “At its core, the massive commercial surveillance of data is fueling the problem. Nearly every data point imaginable is being collected on us with no accountability. They are using our data against us, sowing division, manipulating truth, and diminishing our personal identities.”
The path forward for the bill, though, is murky, as the current draft – the one Rodgers introduced on June 25 – proves to be just as contentious. The House Committee on Energy and Commerce faces a time crunch with Congress’ August recess looming and the undoubtedly consequential elections in November that could change the balance of power, and with it, legislative priorities and thinking.
“Unfortunately, the fact that the American Privacy Rights Act is both bipartisan and bicameral does not ensure smooth sailing through the legislative process. We don’t like to be privacy pessimists, but the congressional summer recess is looming, and the fact that it’s an election year makes it that much more difficult to get any legislation, much less a groundbreaking privacy bill, passed,” commented the New York-based law firm, Loeb & Loeb LLP.
Still, with co-sponsorship of H.R. 8818 by Ranking Committee member Rep. Frank Pallone (D-NJ), Rep. Gus Bilirakis (R-FL), and Rep. Janice Schakowsky (D-IL), all four major players on the relevant committees are onboard to at least “give the bill a fighting chance,” said Cobun Zweifel-Keegan with the International Association of Privacy Professionals.
The July 22 summary of the bill says it “sets clear, national data privacy rights and protections for Americans,” and “eliminates the existing patchwork of state comprehensive data privacy laws and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals.”
But, as a Congressional Research Service (CRS) Legal Sidebar prepared for members and committees of Congress pointed out in late May, should APRA become law, “there may be litigation over its constitutionality and scope,” noting that “the U.S. Supreme Court has said that ‘the creation and dissemination of information are speech within the meaning of the First Amendment.’”
The CRS Legal Sidebar said, “litigants have challenged laws that restrict the sale or use of data collected from customers and laws that restrict certain targeted advertisements under the First Amendment,” and thus it’s possible, if not likely, “that similar challenges may be raised against some of the APRA’s provisions that restrict the dissemination of customer data or the targeting of advertisements.”
“There may also be litigation over the scope of the APRA’s preemption provisions,” the CRS Legal Sidebar said. “For instance, questions may arise as to whether the APRA preempts state privacy laws that regulate entities not covered by the APRA.” And “the expansive reach of the APRA’s savings clauses, too, may give rise to litigation, as potential challengers of the law might seek to clarify whether various state laws qualify as one of the categories of statutes exempt from preemption.”
Opposition to various provisions of the bill has been far and wide, and includes the U.S. Chamber of Commerce, Small Business and Entrepreneurial Council’s Main Street Privacy Coalition, California Privacy Protection Agency, American Bankers Association, America’s Credit Unions, Bank Policy Institute, Consumer Bankers Association, Independent Community Bankers of America, Mortgage Bankers Association, and the Securities Industry and Financial Markets Association.
Praise for the bill, though, has been equally widespread, and it has garnered bipartisan support from various interest groups, commentators, and technology companies, including the Center for Democracy and Technology, the Washington Post’s editorial board, and Microsoft.
The current version of the bill would require covered entities to be transparent about how they use consumer data, and would give consumers the right to access, correct, delete, and export their data, as well as to opt out of targeted advertising and data transfers.
The measure also would establish standards for data minimization that would allow companies to collect and use data only for necessary and limited purposes and would prohibit the transfer of sensitive covered data to third parties without the consumer’s affirmative express consent.
Under the bill, when covered entities seek “affirmative express consent” for the collection, processing, retention, or transfer of biometric information or genetic information, the request must state the length of time the covered entity or service provider intends to retain that information or, if the length of time cannot be identified, must clearly state the criteria used to determine how long the covered entity or service provider intends to retain the biometric information or genetic information.
The bill also provides protections for the use of biometric and genetic information. A covered entity may not collect biometric or genetic information or direct a service provider to collect biometric information or genetic information without the affirmative express consent of the individual to whom such information pertains.
A covered entity may not process biometric or genetic information or direct a service provider to process biometric information or genetic information without the affirmative express consent of the individual to whom such information pertains, except as provided for in other portions of the bill.
A covered entity also cannot retain biometric information or direct a service provider to retain biometric information beyond the point at which the purpose for which an individual provided affirmative express consent has been satisfied or beyond the date that is three years after the date of the last interaction of the individual with the covered entity or service provider, whichever occurs first, unless for a purpose permitted under other segments of the legislation.
Further, a covered entity may not transfer biometric information or genetic information to a third party, or direct a service provider to do so, without the affirmative express consent of the individual to whom such information pertains, unless for a purpose permitted elsewhere in the bill. In addition, a covered entity cannot transfer biometric or genetic information to a third party, or direct a service provider to transfer it to a third party, for payment or other valuable consideration, regardless of the purpose of the transfer, as stipulated elsewhere in the legislation.
The bill is very clear that “affirmative express consent” to an act or practice by covered entities “may not be inferred from the inaction of an individual or the continued use by an individual of a service or product provided by” a covered entity.
A “covered entity” is defined as “any entity that determines the purpose and means of collecting, processing, retaining, or transferring covered data and which is subject to the FTC Act, including common carriers and certain nonprofits. Small businesses, governments, entities working on behalf of governments, the National Center for Missing and Exploited Children (NCMEC), and, except for data security obligations, fraud-fighting non-profits are excluded.”
The bill further defines the following entity categories:
- High-impact social media company that provides any internet-accessible platform that generates $3,000,000,000 or more in global annual revenue, including the revenue generated by any affiliate of such covered entity; has 300,000,000 or more global monthly active users for not fewer than three of the preceding 12 months; and constitutes an online product or service that is primarily used by users to access or share user-generated content.
- Large data holder that, in the most recent calendar year, had an annual gross revenue of not less than $250,000,000 and collected, processed, retained, or transferred the covered data of more than 5,000,000 individuals; more than 15,000,000 portable connected devices that identify or are linked or reasonably linkable to one or more individuals; or more than 35,000,000 connected devices that identify or are linked or reasonably linkable to one or more individuals; or the sensitive covered data of more than 200,000 individuals; more than 300,000 portable connected devices that identify or are linked or reasonably linkable to one or more individuals; or more than 700,000 connected devices that identify or are linked or reasonably linkable to one or more individuals.
- Small business that has average annual gross revenues for the period of the three preceding calendar years (or for the period during which the entity has been in existence, if such period is less than three calendar years) not exceeding $40,000,000, indexed to the Producer Price Index reported by the Bureau of Labor Statistics, and on average did not annually collect, process, retain, or transfer the covered data of more than 200,000 individuals for any purpose other than initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product; and did not transfer covered data to a third party in exchange for revenue or anything of value, except for purposes of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product or facilitating web analytics that are not used to create an online activity profile.