The American Data Privacy and Protection Act (ADPPA), proposed in 2022, is no more. The relay race of proposed federal privacy legislation has now entered its final leg with the American Privacy Rights Act (APRA).

Emerging from a bipartisan agreement between Senate Commerce Committee Chair Maria Cantwell (D-Wash.) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.), APRA is a more viable version of the prior bill and, depending on the November election, could be in place by 2025. The run will likely still be uphill in Congress. APRA’s proposed private cause of action, like ADPPA’s, will likely meet resistance from corporate interests (even those who purport to support a federal privacy bill), and the proposed consolidation of enforcement power within the FTC could rankle other federal agencies.

It is important to note that both of the bill’s sponsors hail from Washington state, which has taken the lead on protection of consumer health information at the state level. However, California, with its newly minted Privacy Protection Agency and large congressional delegation, likely remains the biggest hurdle for APRA. Indeed, California Attorney General Rob Bonta is leading a multistate coalition of 15 attorneys general urging the removal of APRA’s preemption language.

Because the final draft of APRA could be jostled, nit-picked, and amended in the coming months, predicting best practices for businesses is difficult at this juncture. We should expect, however, that a final version of the proposed APRA will be at least as restrictive as its current language today. Companies should monitor the following topic areas in the proposed APRA as they prepare themselves for the eventual dawning of a new age in American privacy regulation:

  • Preemption. APRA is, in many ways, stronger and more restrictive than current state privacy laws that it would supplant, such as the California Consumer Privacy Act (CCPA). Where APRA is not more restrictive than an applicable state law, that state law would remain in effect. For example, the employee data and job applicant provisions of the CCPA would survive, as would the onerous health data protections of Washington state’s My Health My Data Act. The patchwork of U.S. state and territory data breach and wiretapping laws would remain in place as well. Organizations should mind this reality as these “extra” laws, in some form at least, are likely here to stay.
  • Scope. APRA’s stated goal is to standardize privacy regulation. The bill proposes to eliminate state thresholds and entity-level exemptions for entities subject to GLBA or HIPAA—though it would have exemptions for data sets subject to those laws. It would also eliminate nonprofit and common-carrier exemptions. Notably, even affiliates of covered entities would be considered full “covered entities” under the current proposed language.
  • Data Minimization. At the core of APRA are restrictions on the collection, processing, and disclosure of covered data. This would end the data-collection free-for-all currently permitted by disclosures in privacy policies, by prohibiting the collection or processing of data beyond what is “necessary, proportionate, and limited” to (1) fulfilling business transactions and (2) communications reasonably anticipated within the context of the relationship. Some exceptions in the bill would allow online advertising—but the minimization principle remains. Additionally, if an organization wants to qualify as a “small business” and thus avoid many of APRA’s more onerous obligations, it must (1) drastically limit its data collection practices outside of providing its goods and services and then (2) delete (or deidentify) that information within 90 days.
  • Enforcement and Private Cause of Action. For the most part, organizations struggling with compliance have been able to avoid serious issues by staying under the radar of the few entities today that have regulatory power to enforce privacy requirements. Under APRA, however, the FTC and all states would be deputized to enforce the law. Further, individuals would be able to seek damages and injunctions against covered entities and service providers for basic compliance violations, such as failures to honor consumer rights, to engage in appropriate data minimization, or to utilize appropriate diligence in disclosing data to service providers and third parties.
  • Executive Responsibility. There are explicit requirements in the proposed bill for designating data privacy and security officers (depending on the size of an organization), as well as obligations to conduct privacy impact assessments every other year. If an entity is a Large Data Holder as defined under APRA, it would have the obligation to submit annual certifications to the FTC regarding compliance with the internal control and reporting obligations of APRA.
  • Minors. Special protection for children is one area where APRA is likely to be strengthened even further before a final draft is put before Congress for a vote. Affirmative consent, risk assessments, and extremely restricted use will most likely be issues on the table for further review and debate. A key issue to note as well is that APRA defines a “minor” as aged 17 or younger (as opposed to 16 years old under the CCPA and 13 years old under the federal COPPA and most other state privacy laws).

With this latest evolution of federal privacy legislation on deck, but not likely to cross the finish line before next year, how should organizations best prepare for the “someday” of eventual federal privacy legislation?

  1. Don’t simply watch the asteroid heading toward you. Assume that APRA will eventually impact your organization in some way or form. The ADPPA stumbled on preemption issues that the proposed APRA sidesteps. With public sentiment being hostile to commercial data collection, states have responded with an explosion of privacy legislation, and that patchwork has only intensified the call for consistency via a form of federal legislation. There are requirements in the proposed APRA for privacy and security roles—as well as executive-level involvement in privacy and security. Budgets should be adjusted accordingly for 2025.
  2. Continue your current efforts. The draft APRA standardizes and enhances the privacy rights, protections, and related obligations that are already found in existing comprehensive state legislation, such as the CCPA. Organizations should continue to develop and maintain their privacy programs to meet the obligations of existing state laws since those obligations will continue (if not also get more restrictive and onerous) going forward.
  3. If your organization is in an industry that has escaped state data privacy legislation so far, that will not be the case for much longer. APRA’s proposed obligations scale drastically along with an organization’s size and scope of data collection. Due to the short grace period that is proposed following enactment (180 days), organizations should begin due diligence efforts now (especially concerning data of minors) to understand where they will likely fall under APRA’s various categories of regulated entities. Compliance efforts will need to begin in earnest if and when APRA finally becomes law.