Congress Re-enters the Debate on Data Minimization with APRA

April 9, 2024 | Alan Butler, EPIC Executive Director

This week a new federal privacy bill, the American Privacy Rights Act of 2024 (APRA), was announced by Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Committee Chair Cathy McMorris-Rodgers (R-WA). This bicameral, bipartisan discussion draft builds on Senator Cantwell’s earlier Consumer Online Privacy Rights Act and on the American Data Privacy and Protection Act that Chair Rodgers and Ranking Member Pallone passed out of the House Energy and Commerce Committee in the summer of 2022. 

As we at EPIC review the discussion draft and work with lawmakers to review and give input on the bill, the big question we are thinking about is: Does this law meet the moment in 2024? States have continued to move forward by enacting strong privacy laws and building out their oversight teams. And the rapidly evolving debate around oversight, fairness, and reliability of AI systems has once again put privacy and data governance rules front and center. But meaningful change will only be possible through coordinated action and robust enforcement.

We are encouraged that the House and Senate are taking the call for comprehensive privacy protection seriously. And we look forward to the opportunity to dig into the specifics and work to ensure that key provisions are strengthened.

At the heart of the APRA is a data minimization provision that would limit the collection and use of personal data to what is necessary and proportionate to provide a product or service, or to serve one of several enumerated permissible purposes. The bill would also further restrict transfers and uses of sensitive data, with even more restrictive rules for biometric and genetic information. Notably, the bill would prohibit targeted advertising based on a person’s activities over time and across websites and online services, or over time on high-impact social media. EPIC supports strong data minimization rules to ensure that companies build and run their services in ways that protect user privacy and limit abusive commercial surveillance practices.

In addition to other standard provisions (e.g. Rights of Access, Correction, Deletion, data security rules and transparency requirements) that are common among other recent comprehensive regulations, the APRA also includes civil rights protections to prohibit discriminatory data uses. The law would create a national data broker registry with a unified “do not collect” request mechanism, and would create a right for individuals to opt out of consequential decisions being made by AI systems.

The provisions that will likely be contentious this time around, as they were in 2022, are the private right of action and preemption sections. Unlike most state privacy laws, the APRA would allow individuals to enforce some of its provisions through private rights of action; however, these rights are subject to some significant limitations. And the tradeoff for these broader remedies would be a displacement of most comprehensive state privacy laws through preemption. 

This tradeoff is especially important to consider as states are starting to ramp up enforcement of their own privacy laws, with new and stronger rules passing every year. The stated goal of this preemptive structure is to create a single national standard, but EPIC is still evaluating whether APRA is strong enough, and flexible enough, to make up for what would be lost in the states. While many of the provisions in APRA are as strong as or stronger than the state laws we graded in our recent State of Privacy report, states are starting to embrace more robust privacy laws and enforce existing protections now more than ever before. The California Consumer Privacy Agency’s regulations are in force and the agency is starting to bring enforcement actions. Just last week, Maryland passed a new privacy law that integrates key provisions of the American Data Privacy and Protection Act that EPIC has been advocating for in the states, and that bill is awaiting final signature by the Governor. And Maine, Vermont, Massachusetts, and Illinois are all currently considering strong privacy legislation. A federal bill should not advance unless it provides stronger substantive protections and more robust enforcement than the states. EPIC looks forward to working with Congress and other stakeholders to ensure that APRA meets this moment so that all Americans can enjoy strong privacy protections.
