U.S. Senate and House committee chairs took a decisive step toward enacting national data privacy legislation with the release (in draft) of the American Privacy Rights Act (APRA) on March 31. Sen. Maria Cantwell, D-Wash., and Rep. Cathy McMorris Rodgers, R-Wash., collaborated on the bill, which, according to the lawmakers, “… strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress.” The U.S. is one of the few global powers without a national data protection law, resulting in a failure to uniformly protect consumers and complicating domestic and international commerce.
Congress’ repeated failure to reach consensus on a national data privacy law left a vacuum that federal regulators and state legislators hastened to fill with dozens of different laws and regulations. The FTC is in the process of rulemaking on data privacy and frequently engages in related investigative and enforcement activities under Section 5 of the Federal Trade Commission Act (15 USC 45), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Legislatures in 15 states have adopted comprehensive laws to protect the personal data of their own state residents. California, Connecticut, Virginia, Colorado, and Utah laws are in effect; 10 additional laws will become effective by 2026; and at least 18 states have similar laws at various stages of the legislative process. The personal information of residents in 27 states is not protected by a comprehensive state data protection law (and none are pending).
Preemption. With limited exceptions, enumerated in the draft, the APRA preempts state data protection laws, resolving an issue that proved extremely contentious in prior congressional debates on national data protection legislation. However, states are already gearing up to issue regulations (where permitted by state law), monitor compliance, and enforce these laws. California created the California Privacy Protection Agency (CPPA) to develop regulations, educate the public, and enforce the CCPA with the state Attorney General. The CPPA was the first, and thus far is the only, state agency in the U.S. formed solely to fulfill these obligations. As recently as April 2, the CPPA “shared observations with the [CCPA] regulated community” by releasing its first Enforcement Advisory on applying the principle of data minimization to consumer requests submitted under the CCPA. In Connecticut, Virginia, Colorado, and Utah, the state Attorneys General have formed units, appointed regulators, and expended funds to accomplish similar objectives regarding their own laws. If Congress adopts the APRA in its current form, the CPPA and state AGs will be compelled to revisit, reduce, and/or potentially dismantle the newly created infrastructure.
Private Right of Action. Under the APRA, consumers have the right to bring private, civil causes of action seeking damages for violations of the APRA, resolving the second major issue that stalled passage of previous national data protection laws. Consumers also retain the right to seek statutory damages for violations involving the failure to obtain affirmative express consent before collection of biometric and genetic information under the Illinois Biometric Information Privacy Act and the Genetic Information Privacy Act (provided the failure occurs “substantially and primarily” in Illinois). The right of California residents to initiate a private cause of action under the CCPA for violations that arise from a data breach also remains intact.
FTC Activity. The FTC is responsible for enforcing the APRA “…in the same manner, by the same means, and with the same jurisdiction, powers and duties…” as if the FTC Act were incorporated into the statute. The APRA requires the FTC to establish a new bureau (similar to the FTC’s Bureau of Consumer Protection) to implement its broad responsibilities under the APRA. Further, the APRA directs the FTC to immediately terminate its rulemaking efforts on commercial surveillance and data security as published on August 8, 2022. The APRA specifically leaves intact federal laws that regulate personal information in certain sectors (such as Title V of the Gramm-Leach-Bliley Act) and the federal agencies responsible for their enforcement.
Conclusion. Congressional inaction has resulted in de facto abdication of legislative authority to agencies of the executive branch and state legislatures, to the detriment of consumers and the business community. The APRA reflects bipartisan cooperation on an issue of national importance to all Americans irrespective of political affiliation. It’s too early to predict whether the APRA will ultimately pass both houses of Congress, especially in an election year, but its sponsors plan to move the bill through regular channels starting this month. There is no doubt that one national standard is preferable to dozens, and this may be the year Congress finally achieves consensus.