Momentum Builds for Federal Data Privacy Standard Amidst State Patchwork

On April 7, 2024, U.S. Senator Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science and Transportation, and U.S. Representative Cathy McMorris Rodgers (R-WA), Chair of the House Committee on Energy and Commerce, released a discussion draft of the American Privacy Rights Act (APRA). This bipartisan, bicameral draft legislation seeks to unify the fragmented landscape of sectoral-based and state-specific data privacy laws in the United States.

If passed, the APRA would rival the EU General Data Protection Regulation (GDPR), establishing the U.S. as a leader in global privacy standards. At an Energy and Commerce (E&C) subcommittee hearing on April 17, the sentiment among lawmakers was clear: there is a strong drive to finalize comprehensive privacy legislation. All five expert witnesses unanimously agreed that this bill represents Congress's best chance to enact a national privacy standard.

The Case for a Comprehensive U.S. Privacy Law

The current U.S. privacy law landscape is characterized by a patchwork of regulations varying by industry, data type, and jurisdiction. This fragmented approach creates uncertainty for businesses and confusion for consumers. The European Union set a high bar with the GDPR in 2018, prompting many U.S. states to pass their own privacy, cybersecurity, and consumer protection laws in response.

However, the lack of a national framework has left a regulatory gap that both industry leaders and civil advocacy groups have long urged Congress to fill. As the 2024 election approaches, passing a comprehensive privacy law may seem ambitious, but with the right momentum and bipartisan support, it is within reach.

It's significant that both Committee chairs introducing the APRA hail from Washington, a state that has been proactive in privacy protections, especially regarding health data. Washington’s My Health My Data Act (MHMDA), which took effect on March 31, 2024, offers extensive protections for consumer health data, surpassing those provided by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Other states, particularly California, have also enacted strong privacy laws. The California Consumer Privacy Act (CCPA), implemented in 2020, was a landmark in consumer protection, imposing significant compliance costs on businesses. California's aggressive stance on privacy continued with the establishment of the California Privacy Protection Agency (CPPA), the first state agency dedicated solely to privacy. In recent communications, California officials have expressed concerns about federal preemption, urging Congress to allow states to maintain higher standards.

Following California's example, over a dozen other states have now enacted their own sweeping data privacy laws set to take effect from 2023-2026, including Virginia, Colorado, Connecticut, Delaware, Kentucky, Utah, Iowa, Oregon, Tennessee, Texas, Indiana, Nebraska, New Hampshire, New Jersey, Minnesota, Montana, and Maryland.

This has increased pressure on Congress to strike a federal deal that would preempt the current patchwork with one national standard. However, repeated efforts have stalled amid partisan divisions over issues like private rights of action and preemption of state laws. With more states set to join the fray, the business community and privacy advocates alike are renewing calls for Congress to finally pass a unified federal privacy law to replace the inconsistent state-by-state approach. But breaking the political stalemate remains an uphill battle.

Differences Between the APRA, ADPPA, and CCPA

The APRA builds upon the foundation laid by the American Data Privacy Protection Act (ADPPA), which passed the House Committee on Energy and Commerce in 2022 but did not advance further. The APRA incorporates elements from existing laws like the CCPA but introduces its own unique provisions and requirements.

Definitions and Scope:

• Covered Data: The APRA defines covered data more broadly than the ADPPA but still lacks a definition for "inference," a point of contention highlighted by the CPPA.
• Sensitive Data: The APRA includes a more expansive definition of sensitive data, encompassing information like calendar entries and device log-in credentials, which traditionally were not classified as sensitive.

Consumer Rights and Business Obligations:

• Affirmative Express Consent: The APRA requires businesses to obtain explicit consent before transferring sensitive data, a stricter standard than the CCPA's opt-out approach.
• Global Opt-Out: The APRA mandates the Federal Trade Commission (FTC) to clarify this requirement, giving entities two years to comply.
• Non-Discrimination: The APRA prohibits retaliation against individuals exercising their privacy rights, with exceptions for targeted advertising to protected classes.

Enforcement and Compliance:

• Data Brokers: The APRA introduces a "Do Not Collect" registry for consumers, though it has been criticized for allowing data brokers to retain and sell information under certain conditions.
• Executive Responsibility: Large data holders must designate privacy and data security officers, with annual FTC certifications required.
• Private Right of Action: The APRA permits broad civil litigation for privacy violations, extending beyond data breaches.

Challenges Ahead

The APRA faces significant hurdles, particularly regarding preemption and enforcement. California officials and privacy advocates argue that the federal law should set a baseline, allowing states to implement stricter standards. This is a crucial issue as preemption could potentially undermine robust state laws like the CCPA.

Senator Ted Cruz (R-TX) and other lawmakers have expressed cautious support, emphasizing the need for careful scrutiny to avoid the pitfalls of previous bills like the ADPPA. Texas, with its comprehensive privacy law set to take effect in July, highlights the varying standards across states and the challenges in creating a unified national framework.

The House E&C subcommittee on innovation, data, and commerce (IDC), which conducted the April 17 hearing, is expected to continue deliberations and markup the bill. There is a sense of urgency among lawmakers, with key figures like E&C Committee Ranking Member Frank Pallone expressing optimism about passing comprehensive privacy legislation.

As the APRA progresses through the legislative process, it represents a critical opportunity for the United States to establish a cohesive national privacy standard. The coming months will be pivotal in determining whether this landmark legislation can garner the necessary support to become law.

The American Privacy Rights Act aims to address the complexities of the current U.S. privacy landscape by introducing a unified, comprehensive framework. With bipartisan support and significant backing from various stakeholders, the APRA stands as a strong candidate for establishing a national privacy standard. As discussions continue, the focus will be on balancing federal and state interests, ensuring robust consumer protections, and navigating the legislative hurdles that have stymied previous efforts.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.