On Sunday 7 April 2024, Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) released a discussion draft of a bipartisan proposal, the American Privacy Rights Act (APRA), which could become the first comprehensive national data privacy framework in the United States.
The proposal marks a breakthrough in a long-standing stalemate over a national online privacy standard, one that lawmakers and industry groups alike have regularly said is needed. While that impasse persisted, the European Union's landmark General Data Protection Regulation (GDPR) took effect in 2018 and has become the de facto standard worldwide.
Critically, the proposal may resolve an enduring obstacle to a national privacy standard: the patchwork of state privacy laws that has emerged in the absence of one. APRA would "preempt" state privacy laws, that is, take precedence over them where they conflict. It would, however, still allow states to regulate more specific matters such as health or financial data, civil rights, and consumer protection.
The proposal includes several consumer data privacy provisions, including limiting the types of consumer data companies can collect, retain, and use to what they need to operate their services. Users would also be allowed to opt out of targeted advertising and could view, correct, delete, and download their data from online services.
The APRA applies to any information that is directly linked or reasonably linkable to an individual, which is similar to the concept of "personal data" under the GDPR. It also contains a section dedicated to data minimization, the principle that organizations should not collect or process data beyond what is necessary for the intended purpose, which shows alignment with the GDPR in some key respects. Nonetheless, it differs from the GDPR significantly in other ways, such as not providing an exhaustive list of sensitive data types, and treating calendar information and information revealing an individual's online activities as sensitive data.
Additionally, the APRA would create a national registry of data brokers, meaning businesses that aggregate, process, and license data to other organizations. It would require such companies to let users opt out of having their data sold.
Moreover, the bill gives the Federal Trade Commission (FTC) jurisdiction over much of its enforcement, requiring the agency to create a new bureau focused on privacy and to issue fines to companies for privacy violations. Individuals could also pursue civil lawsuits for financial damages if companies fail to fulfil data deletion requests or fail to obtain express consent before collecting sensitive data.
In a bid to shield small businesses from compliance costs, the bill exempts companies with less than $40 million in annual gross revenue from its requirements, and it places heightened obligations, such as a requirement to conduct regular privacy reviews, on "large data holders" with more than $250 million in annual gross revenue.
The APRA is not Artificial Intelligence (AI)-specific legislation, but its enactment could have profound implications for AI. As the main federal privacy law, its broad scope would cover AI systems that process personal data, which is a baseline practice for AI. In particular, the data minimization principle could affect AI development by restricting the volume of datasets available to AI developers.
In addition to this general application, the APRA makes two specific references to AI. Firstly, it explicitly provides that, as an exception to its general preemptive nature, it does not preempt state criminal laws regarding intimate, non-consensual AI-generated images, commonly known as deepfakes. This carve-out underscores the APRA's targeted approach to curbing the misuse of AI in generating privacy-infringing content.
Secondly, the APRA counts AI among the covered algorithms, which are defined as:
“a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision-making by using covered data, which includes determining the provision of products or services or ranking, ordering, promoting, recommending, amplifying, or similarly determining the delivery or display of information to an individual.”
Given the explicit reference to AI, this will have practical implications for AI developers and deployers, since entities using covered algorithms are subject to a set of obligations under the APRA, such as conducting impact assessments, informing users and providing them with opt-out options when the use poses a consequential risk, and evaluating the design of algorithms used in interstate commerce. Hinting at a risk-based approach, the APRA grants the FTC the authority to exempt algorithms deemed to pose minimal or low risk from these obligations.
Industry leaders and key lawmakers have so far responded positively to the released version. Nonetheless, some lawmakers are disappointed by the lack of protections for minors, such as a prohibition on companies targeting minors with ads. A few have made their support for the APRA conditional on either additional provisions or complementary child safety legislation also being passed. This could include the Children and Teens' Online Privacy Protection Act (COPPA 2.0), introduced by Senator Ed Markey (D-MA) and Senator Bill Cassidy (R-LA), which would update the original 1998 legislation to address social media platforms. Lawmakers may also reconsider the Kids Online Safety Act (KOSA), introduced by Senator Richard Blumenthal (D-CT) and Senator Marsha Blackburn (R-TN), which would require platforms like TikTok and Instagram to mitigate online risks through design changes or opt-outs from algorithm-based recommendations, among other measures.
There is no official date yet for formally introducing the bill. It is likely that Senator Cantwell and Representative McMorris Rodgers will circulate the text to colleagues over the coming weeks in the hopes of sending it to committee this month. At this stage, it is unclear whether it will receive the necessary support for approval. If passed, it would be effective 180 days after enactment.
The specific provisions for algorithms and AI in the APRA highlight the fact that many existing privacy and other laws already apply to the use of AI and algorithms and do not create a loophole for compliance. Schedule a demo with our experts to find out how Holistic AI's Governance Platform can help you maximise legal compliance and embrace AI with confidence.
DISCLAIMER: This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.