April 8, 2024 MDG

Draft: Data Privacy Legislation – Deep Dive

A look at the features and intentions of the American Privacy Rights Act of 2024

House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell (D-WA) unveiled the American Privacy Rights Act.

Here is a full breakdown: first a top-level framing, then the actual statutory language for a deeper look.

Elated to see bipartisan legislation starting to gain momentum, but cautious as always, knowing the devil is in the details (or the data, if you will). These were my red flags after my first reading:

  • We need to ensure that the terms for personal and sensitive data are not defined so narrowly that certain data types are excluded from protection.
  • The mechanisms for obtaining consent, particularly around “affirmative express consent,” may leave room for interpretation, providing maneuvering room, which is not ideal.
  • Exemptions for small businesses or specific data processing activities, if too broad or vaguely defined, can serve as unintended backdoors for lesser privacy protections. Carve a proper lane between need and burden here.
  • The act’s stipulations on data minimization, retention, and the responsibilities of third parties and service providers are crucial; loopholes in these areas could lead to more extensive data collection, retention, and sharing practices than intended.
  • The requirements for entities to implement technical and organizational security measures need to be explicit and stringent to avoid varied interpretations that could weaken data security practices.
  • International data transfer provisions need to set clear and high standards to prevent data protection from being undercut by transfers to jurisdictions with lesser privacy safeguards.
  • Make sure the rights of individuals to sue, and the prohibitions on arbitration clauses, are strong, ensuring individuals’ avenues for redress and enforcement of their privacy rights.

The Act Establishes Foundational Uniform National Data Privacy Rights for Americans:


  • Control of Personal Data: The Act places individuals in control of their personal data, offering rights to access, correct, delete, and export their data, as outlined in Section 5 (Individual Control Over Covered Data).

SEC. 5. INDIVIDUAL CONTROL OVER COVERED DATA.

(a) Access to, and Correction, Deletion, and Portability of, Covered Data.—Subject to subsections (b), (d), and (e), after receiving a verified request from an individual, a covered entity shall provide the individual with the right to:

  • Access
    • (A) in a format that can be naturally read by a human, the covered data of the individual (or an accurate representation of the covered data of the individual if the covered data is no longer in the possession of the covered entity or a service provider acting on behalf of the covered entity) that is collected, processed, or retained by the covered entity or any service provider of the covered entity;
    • (B) the name of any third party or service provider to whom the covered entity has transferred the covered data of the individual, as well as the categories of sources from which the covered data was collected; and
    • (C) a description of the purpose for which the covered entity transferred the covered data of the individual to a third party or service provider.
  • Correct any inaccuracy or incomplete information with respect to the covered data of the individual that is collected, processed, or retained by the covered entity and, for covered data that has been transferred, notify any third party or service provider to which the covered entity transferred such covered data of the corrected information;
  • Delete covered data of the individual that is collected, processed, or retained by the covered entity and, for covered data that has been transferred, request that the covered entity notify any third party or service provider to which the covered entity transferred such covered data of the individual’s deletion request; and
  • Export covered data (except for derived data if the export of such derived data would result in the release of trade secrets or other proprietary or confidential data) of the individual that is collected, processed, or retained by the covered entity without licensing restrictions that limit such transfers, in:
    • (A) a format that can be naturally read by a human; and
    • (B) a portable, structured, interoperable, and machine-readable format.

(b) Frequency and Cost.—A covered entity:

  • shall provide an individual with the opportunity to exercise each of the rights described in subsection (a); and
  • with respect to:
    • (A) the first 3 times that an individual exercises any right described in subsection (a) during any 12-month period, shall allow the individual to exercise such right free of charge; and
    • (B) any time beyond the initial 3 times described in subparagraph (A), may charge a reasonable fee for each additional request to exercise any such right during such 12-month period.

National Privacy Standard: It aims to unify the patchwork of state laws by setting a robust national privacy standard, as stated in the overall structure and enforcement sections, including Sections 17 to 19 (Enforcement by the FTC, States, and Individuals).

SEC. 17. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

(a) Unfair or Deceptive Acts or Practices.—A violation of a regulation promulgated under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(b) Powers of Commission.—

  • The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
  • Any entity that violates a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

SEC. 19. ENFORCEMENT BY INDIVIDUALS.

(a) Civil Actions.—

  • Any individual who suffers material or non-material, physical or non-physical harm as a result of a violation of this Act may institute a civil action to recover damages.
  • In actions brought under this subsection, the courts are authorized to award relief, including actual damages, statutory damages, punitive damages, injunctive relief, and reasonable attorney’s fees and costs.

Data Minimization: The legislation mandates that companies minimize the data they collect, retain, and use, focusing only on what is necessary for providing products and services, detailed in Section 3 (Data Minimization).

SEC. 3. DATA MINIMIZATION.

(a) In General.—Subject to subsections (b) and (c), a covered entity, or a service provider acting on behalf of a covered entity, shall not collect, process, retain, or transfer covered data:

  • beyond what is necessary, proportionate, and limited to provide or maintain:
    • (A) a specific product or service requested by the individual to whom the data pertains, including any associated routine administrative, operational, or account-servicing activity such as billing, shipping, delivery, storage, or accounting; or
    • (B) a communication by the covered entity to the individual reasonably anticipated within the context of the relationship; or
  • for a purpose other than those expressly permitted under subsection (d).

(b) Sensitive Covered Data.—

  • In General.—Except as expressly provided under subsection (d), a covered entity, or a service provider acting on behalf of a covered entity, shall not transfer sensitive covered data to a third party without the affirmative express consent of the individual to whom such data pertains.
  • Withdrawal of Affirmative Express Consent.—
    • (A) In General.—A covered entity shall provide an individual with a means to withdraw affirmative express consent previously provided by the individual with respect to the transfer of the sensitive covered data of the individual.
    • (B) Requirements.—The means to withdraw affirmative express consent described in subparagraph (A) shall be clear and conspicuous; and as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent.

(c) Additional Protections for Biometric Information and Genetic Information.—

  • In General.—A covered entity, or a service provider acting on behalf of a covered entity, shall not collect, process, or retain biometric information or genetic information without the affirmative express consent of the individual to whom such information pertains, unless such collection, processing, or retention is essential for a purpose expressly permitted under paragraphs (1) through (4) or paragraphs (9) through (13) of subsection (d).
  • Retention.—A covered entity, or service provider acting on behalf of a covered entity, shall not retain biometric or genetic information beyond the point for which a purpose that an individual provided affirmative express consent under paragraph (1) has been satisfied or within 3 years of the individual’s last interaction with the covered entity or service provider, whichever occurs first, unless such retention is essential for a purpose expressly permitted under paragraphs (1) through (4) or paragraphs (9) through (13) of subsection (d).
  • Transfer.—A covered entity, or service provider acting on behalf of a covered entity, shall not transfer biometric information or genetic information to a third party without the affirmative express consent of the individual to whom such information pertains, unless such transfer is essential for a purpose expressly permitted under paragraphs (2), (3), (4), (8), (9), (11), or (12) of subsection (d).

(d) Permitted Purposes.—A covered entity, or service provider acting on behalf of a covered entity, may collect, process, retain, or transfer covered data for the following purposes, provided that the covered entity or service provider can demonstrate that the collection, processing, retention, or transferring is necessary, proportionate, and limited to such purpose: [List of permitted purposes including security, compliance with legal obligations, investigations, and others].

Control Over Personal Information: It provides individuals with the ability to restrict the transfer or selling of their data and to opt out of data processing upon changes in privacy policy, emphasized in Sections 6 (Opt-out Rights and Centralized Mechanism) and 5 (Individual Control Over Covered Data).

SEC. 6. OPT-OUT RIGHTS AND CENTRALIZED MECHANISM.

(a) In General: Covered entities must provide individuals with clear and conspicuous means to opt out of the transfer of their covered data and from the processing of their data for targeted advertising, with the ability to exercise these opt-out rights through a centralized mechanism.

(b) Centralized Consent and Opt-out Mechanism: The Federal Trade Commission (FTC), in consultation with the Secretary of Commerce, is tasked with establishing a privacy-protective, centralized mechanism for individuals to exercise their opt-out rights. This mechanism should be user-friendly, require minimal additional information from the individual, and apply neutrally across entities. The design of this mechanism must ensure that opt-out preferences are clearly represented, accessible in all languages in which the covered entity provides products or services, and usable by individuals with disabilities.

The centralized mechanism aims to simplify the process for individuals to manage their privacy preferences across different platforms and services by providing a single interface for expressing their opt-out decisions. This approach is intended to enhance user autonomy and control over personal data while streamlining compliance for covered entities.

Protections for Sensitive Data: The Act requires affirmative express consent for transferring sensitive data to third parties, as highlighted in Section 3(b) (Sensitive Covered Data).

SEC. 3. DATA MINIMIZATION.

(b) Sensitive Covered Data.

  • In General: Except as expressly provided under subsection (d), a covered entity, or a service provider acting on behalf of a covered entity, shall not transfer sensitive covered data to a third party without the affirmative express consent of the individual to whom such data pertains.
  • Withdrawal of Affirmative Express Consent.
    • (A) In General: A covered entity shall provide an individual with a means to withdraw affirmative express consent previously provided by the individual with respect to the transfer of the sensitive covered data of the individual.
    • (B) Requirements: The means to withdraw affirmative express consent described in subparagraph (A) shall be clear and conspicuous; and as easy for a reasonable individual to use as the mechanism by which the individual provided affirmative express consent.

Gives Americans the Ability to Enforce Their Data Privacy Rights:

  • Right to Sue: Individuals are granted the right to initiate legal action against entities that violate their privacy rights, allowing for the recovery of damages, as specified in Section 19 (Enforcement by Individuals).
  • Arbitration Clause Prohibition: It disallows mandatory arbitration in cases of substantial privacy harm, enhancing legal recourse options for individuals, found within the broader framework of Section 19.

SEC. 19. ENFORCEMENT BY INDIVIDUALS.

(a) Civil Actions.

  • Any individual who suffers material or non-material, physical or non-physical harm as a result of a violation of this Act may institute a civil action to recover damages.
  • In actions brought under this subsection, the courts are authorized to award relief, including actual damages, statutory damages, punitive damages, injunctive relief, and reasonable attorney’s fees and costs.

Protects Americans’ Civil Rights:

  • Discrimination Prohibition: The legislation prevents discriminatory practices based on personal information, securing civil rights protections, outlined in Section 13 (Civil Rights and Algorithms).

Section 13 (Civil Rights and Algorithms) of the American Privacy Rights Act of 2024

(a) Civil Rights Protections

  • General Prohibition: Discriminatory practices in handling covered data that impede equal enjoyment of goods or services based on protected characteristics are prohibited.
  • Exceptions: Certain activities, such as self-testing for discrimination prevention, diversification efforts, and targeted economic opportunity advertising for underrepresented or protected groups, are exempt from these prohibitions.

(b) FTC Enforcement Assistance

  • The Federal Trade Commission (FTC) is tasked with aiding enforcement against violations of subsection (a) by transmitting relevant information to appropriate executive agencies and providing a summary report to Congress on these transmissions and their relation to federal civil rights laws. The FTC may also offer technical assistance to these agencies.

(c) Covered Algorithm Impact and Evaluation

  • Impact Assessment Requirements: Large data holders using algorithms with a significant risk of harm must conduct annual impact assessments. These assessments should detail the algorithm’s design, purpose, data inputs, outputs, necessity, proportionality, and steps taken to mitigate potential harms, especially those related to discrimination or adverse impacts on protected classes.
  • Algorithm Design Evaluation: Before deploying covered algorithms, covered entities or service providers must evaluate these algorithms to minimize risks of harm, focusing on design, structure, and inputs.
  • Focus and Availability: Assessments and evaluations should prioritize algorithms posing the greatest risk of harm. Summaries of these assessments may be made publicly available, with provisions to protect trade secrets.
  • Limitation on Enforcement: Information disclosed to the FTC for compliance with this section cannot be used for enforcement purposes other than those specified in this Act, with certain exceptions.
  • Guidance and Rulemaking: The FTC, in consultation with the Secretary of Commerce, will publish guidance on compliance and may establish processes for submitting impact assessments and exemptions for low-risk algorithms.
  • Study and Report: The FTC is to conduct a study reviewing submitted assessments and evaluations, reporting to Congress on best practices and methods to reduce algorithm-related harms.

Opt-Out of Algorithmic Decisions: Individuals can opt out of decisions made by algorithms in critical areas, with Section 14 (Consequential Decision Opt Out) detailing these provisions.

Section 14 (Consequential Decision Opt Out) of the American Privacy Rights Act of 2024 stipulates that entities employing covered algorithms for making or facilitating consequential decisions must adhere to the following requirements:

(a) General Provisions

  • Entities must notify individuals subjected to the use of a covered algorithm and provide them an opportunity to opt out of such usage.
  • Entities are obligated to respect any opt-out decision made by an individual.

(b) Notice Requirements

  • The notice provided to individuals must be:
    • Clear, conspicuous, and not misleading.
    • Informative about how the covered algorithm facilitates consequential decisions, including the range of potential outcomes.
    • Available in all languages in which the entity provides its products or services or conducts related activities.
    • Accessible and usable by individuals with disabilities.

(c) Guidance for Compliance

  • The Federal Trade Commission (FTC), in consultation with the Secretary of Commerce, is tasked with publishing guidance on compliance with this section within two years from the enactment of the Act.

(d) Definition of a Consequential Decision

  • A consequential decision is defined as any determination or offer, including through advertisements, that uses covered data and relates to:
    • An individual’s or a class of individuals’ access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance, or credit opportunities.
    • Access to, or restrictions on the use of, any place of public accommodation.

Algorithmic Accountability: Requires annual algorithmic reviews to prevent harm or discrimination, particularly focusing on protecting youth and other vulnerable populations, as mentioned in Section 13.

Holds Companies Accountable and Establishes Strong Data Security Obligations:

  • Data Security Standards: It mandates robust data security measures to prevent unauthorized access or data breaches, thus reducing identity theft risks, outlined in Section 9 (Data Security and Protection of Covered Data).

Section 9 (Data Security and Protection of Covered Data) of the American Privacy Rights Act of 2024 mandates that covered entities and service providers establish, implement, and maintain reasonable data security practices. These practices are aimed at safeguarding the confidentiality, integrity, and accessibility of covered data, as well as protecting such data from unauthorized access. Here’s a breakdown of the specific requirements and considerations outlined in this section:

(a) Establishment of Data Security Practices

  • General Requirement: Covered entities and service providers are required to have data security practices in place that are suitable to their size, complexity, the nature and scope of their operations, the volume and sensitivity of the covered data they handle, and current technological capabilities.

(b) Specific Requirements

  • Vulnerability Assessments: Regular identification and assessment of risks and vulnerabilities within systems that handle covered data are required, including plans to address unsolicited vulnerability reports.
  • Preventative and Corrective Action: Entities must take actions to mitigate identified risks or vulnerabilities, adjusting these actions as necessary based on changes in technology or the operational landscape.
  • Information Retention and Disposal: Covered data that is no longer necessary or legally required to be kept must be disposed of in a way that makes it permanently unreadable or indecipherable.
  • Retention Schedule: A schedule for the disposal of covered data must be developed and adhered to, ensuring data is not kept longer than necessary.
  • Employee Training: Training for employees on safeguarding covered data is required, with updates as necessary to reflect new threats or best practices.
  • Incident Response: Procedures for detecting, responding to, and recovering from data security incidents must be implemented.

(c) Regulations

  • The Federal Trade Commission (FTC), in consultation with the Secretary of Commerce, is authorized to promulgate additional regulations to enforce this section, ensuring that the guidelines remain technology-neutral and process-based.
  • Executive Responsibility: Company executives are required to ensure compliance with the Act’s data protection mandates, reinforcing corporate accountability, suggested within the general enforcement and compliance guidelines of the Act.

Transparency in Data Transfers: Ensures individuals are informed about data transfers to foreign adversaries, enhancing transparency, as seen in Section 4 (Transparency).

Section 4 (Transparency) of the American Privacy Rights Act of 2024 mandates covered entities and service providers to maintain a publicly accessible privacy policy that transparently outlines their data handling practices. Here’s a summary of the key requirements and stipulations:

(a) General Requirement for Privacy Policies

  • Covered entities and service providers must ensure their privacy policy is public, clear, not misleading, easy to read, and readily accessible, detailing their data collection, processing, retention, and transfer activities.

(b) Privacy Policy Content

  • The privacy policy must include:
    • The identity and contact information of the entity and any affiliates to which data may be transferred.
    • The types of covered data collected, processed, or retained, along with the purposes for processing each data category.
    • Information on data transfers, including categories of recipients and the purposes of such transfers.
    • The retention period for each data category or the criteria used to determine it.
    • Descriptions of how individuals can exercise their rights under sections 5 and 6.
    • A general overview of the entity’s data security practices.
    • The effective date of the privacy policy.
    • Disclosures regarding data transfers to or accessibility by foreign adversaries.

(c) Language Requirements

  • The privacy policy must be available in all languages in which the entity provides products or services or carries out related activities.

(d) Accessibility

  • Disclosures must be accessible and usable by individuals with disabilities.

(e) Material Changes

  • Entities must notify affected individuals of any material changes to the privacy policy, providing a clear means to opt out of new data processing or transfer practices.
  • Direct notification of policy changes should be made where possible, in all languages the policy is available.

(f) Additional Requirements for Large Data Holders

  • Retention and Publication of Privacy Policies: Large data holders must retain and publish past versions of their privacy policy for at least 10 years, along with a log of material changes.
  • Short-form Notice: A concise, clear notice summarizing data practices must be provided, with guidance and templates to be issued by the FTC.

Focuses on the Business of Data, Not Main Street Business:

  • Exemptions for Small Businesses: Small businesses not engaged in selling customers’ personal information are exempt, minimizing the regulatory burden on small-scale operations, as indicated by the definitions and exemptions laid out in the initial sections, including Section 2 (Definitions).