
U.S. House Unveils the Latest Attempt at a U.S. Privacy Law: The American Privacy Rights Act

By Gary A. Kibel of Davis+Gilbert LLP, Richard Eisert of Davis+Gilbert & Zachary Klein of Davis+Gilbert on May 1, 2024

The United States is among the minority of large economies in the world without a comprehensive national privacy law. In the absence of such a law, numerous states are filling the void with a complex assortment of often inconsistent privacy laws.

However, unexpected legislative developments in the U.S. House of Representatives could resolve the challenges raised by the current patchwork of conflicting state laws. On April 7, 2024, House members announced a draft bill for the American Privacy Rights Act (APRA). The bill still has many hurdles to overcome and may ultimately share the same fate as prior failed attempts at a federal privacy law. But if enacted, the APRA would upend the U.S. privacy landscape.

Preemption of State Laws by APRA

The APRA’s intent is to “establish a uniform national data privacy and data security standard in the United States.” As such, it would expressly preempt state laws that cover the same requirements as the APRA. This means that comprehensive privacy laws, such as the California Consumer Privacy Act (CCPA), Colorado Privacy Act, Connecticut Data Privacy Act (CTDPA) and others, would be preempted, in whole or in part, in favor of the federal standard. State data broker laws in Vermont, California, Texas and Oregon would also likely be neutralized, since the APRA sets rules and requirements for data brokers, including the establishment of a national data broker registry.

There are, however, some notable exemptions to the APRA’s preemption standard that would preserve certain portions of states’ frameworks. Most important is the law’s exception for “provisions of laws that protect the privacy of health information, healthcare information, medical information, medical records, HIV status, or HIV testing.” This would allow the stringent requirements of the Washington My Health My Data Act and Nevada S.B. 370 to survive APRA’s passage. Recent amendments to the CTDPA that extend the law’s scope to “consumer health data” and “consumer health data controllers” would, in theory, also largely remain intact. Additionally, the APRA exempts “provisions of laws that address the privacy rights or other protections of employees or employee information,” which means that much of the CCPA could be salvaged to the extent that it applies to employee data.

APRA’s Threshold Requirements

The APRA applies to “covered entities,” which means any entity that determines the purposes of processing and is subject to the Federal Trade Commission (FTC) Act, including common carriers and certain nonprofits. Entities are exempt from the APRA, though, if they meet the criteria of a “small business,” expressly defined as an entity:

  1. with less than $40 million in annual revenue,
  2. that annually processes the covered data of 200,000 individuals or fewer (with exceptions relating to payment processing) and
  3. that did not transfer covered data to a third party in exchange for revenue or anything of value.

The combination of the $40 million revenue and 200,000 individual thresholds would, in theory, exempt many businesses from the law’s scope. However, the additional criterion regarding transferring covered data to third parties “in exchange for revenue or anything of value” likely means that any online service that conducts targeted advertising would potentially fall within the law’s scope, no matter its size.

APRA’s Legal Obligations

The APRA imposes obligations on covered entities with respect to “covered data,” defined as “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals.” These obligations include, but are not limited to:

  • Data minimization — Processing of covered data is generally prohibited unless it is necessary, proportionate and limited to specific products or services or communications expected by the individual or falls under one of the law’s enumerated purposes.
  • Transparency — Covered entities are required to publish a privacy policy, and material changes to such a policy require advance notice to individuals and the means to opt out of further processing of any previously collected data that would be subject to those changes.
  • Consumer rights — Covered entities are required to offer individuals the rights of access, deletion and correction with respect to their data. Individuals also have the right to opt out of data transfers generally, as well as the right to opt out of targeted advertising.
  • Service providers and third parties — The APRA appears to have adopted the CCPA’s business/service provider/third-party approach in lieu of the controller/processor model followed by most comprehensive privacy laws. Covered entities must exercise due diligence in selecting service providers and in deciding whether to transfer covered data to a third party.
  • Data brokers — The FTC is empowered to develop a national data broker registry, and data brokers processing the data of 5,000 or more individuals must register annually. Data brokers are also required to have a public website that includes tools for individuals to exercise their privacy rights.

Additional obligations apply to covered entities that are “large data holders,” which are covered entities that have $250 million or more in annual revenue and process large amounts of covered data of individuals and devices (as statutorily defined). Large data holders are required to:

  • publicly post all privacy policy versions from the past 10 years,
  • publish annual transparency reports,
  • provide CEO-signed certifications of compliance to the FTC,
  • appoint data privacy and data security officers,
  • conduct biennial audits and privacy impact assessments and
  • submit impact-risk assessments to the FTC for certain algorithmic decision-making activities.

Sensitive Data

The APRA sets heightened rules for processing “sensitive covered data.” While the law’s definition of “sensitive” shares many similarities with the CCPA, CTDPA and other laws, such as government-issued identification numbers, race/ethnicity and health data, there are some surprising departures from the established norm at the state level. Sensitive covered data under the APRA includes:

  • Precise geolocation information, which is defined not only to include accuracy up to 1,850 feet or less, but also information that reveals “street-level location information of an individual or device;”
  • Calendar information, address book information, phone or text logs, photos, audio recordings or videos intended for private use;
  • A photograph, film, video recording or other similar medium that shows the naked or undergarment-clad private area of an individual;
  • Certain transfers of information revealing the extent or content of any individual’s access, viewing or other use of video programming with respect to an individual’s vision or hearing impairment;
  • Certain information that reveals the video content requested or selected by an individual and
  • Information revealing an individual’s online activities over time and across websites or online services that do not share common branding or over time on any website or online service operated by a covered high-impact social media company.

This last element may be the most significant for the advertising industry since it would turn commonplace retargeting on the internet into the processing of sensitive data. As a result, cookie banners may become much more prevalent as companies constantly seek consent from consumers to use their browsing data in this manner. While not required by law in the United States, cookie banners are already advisable due to the significant rise in class action lawsuits alleging violations of decades-old privacy laws (such as the Video Privacy Protection Act and California Invasion of Privacy Act) that require consent in certain cases.

The APRA’s consent obligations for sensitive data are less stringent than most of the state comprehensive privacy laws on the books. Although opt-in consent is required for any collection of biometric or genetic data, all other types of sensitive covered data only require opt-in consent for transfers of such data to a third party.

APRA Enforcement

The APRA would be enforced by the FTC, which would be empowered to create a new bureau to carry out its authority under the law. Violations would be treated as a per se unfair or deceptive practice under Section 5 of the FTC Act. The APRA is also enforceable by state attorneys general, who must notify the FTC prior to initiating a civil action in federal court.

Critically, the APRA would provide individuals with a private right of action for violations concerning:

  • opt-in consents to collect or transfer sensitive data,
  • making material changes to a privacy policy without providing notice and the ability to opt out,
  • an individual’s data access, deletion, correction or opt-out rights, including retaliation against an individual for exercising such rights,
  • data breaches caused by failure to adopt reasonable security practices,
  • failure to conduct reasonable due diligence over service providers and third parties that receive covered data,
  • discrimination based on protected characteristics and
  • certain obligations relating to algorithmic decision-making.

The Bottom Line

  • If passed, the APRA would largely supersede the intricate patchwork of state privacy laws, and set sweeping new standards for privacy regulation in the U.S.
  • While the law would simplify privacy compliance by reducing the number of laws to follow, it would also make compliance more challenging in some respects.
  • The APRA is still a long way from passage, and its survival is far from certain. Additional hearings and feedback from key stakeholders are expected in the coming months.
  • Posted in:
    Intellectual Property
  • Blog:
    ILN IP Insider
  • Organization:
    International Lawyers Network