
New Federal Privacy Bill Gains Momentum

Bipartisan Federal Privacy Bill Introduced

Last week, a bipartisan coalition in Congress introduced the American Privacy Rights Act (“APRA”), a draft federal privacy bill. The APRA represents the latest effort to create a federal consumer data privacy law after its predecessor, the American Data Privacy and Protection Act (“ADPPA”), stalled out. The bill would, if passed, provide a federal privacy law framework, pre-empting the various state privacy laws that have proliferated in the absence of a federal statute.

For businesses that were already complying with state data privacy laws, the APRA would represent a potential streamlining of privacy compliance obligations. The APRA’s pre-emption provisions would render the sixteen (16) competing state-level privacy laws obsolete. For businesses that were not already taking the necessary steps to comply with those state laws, however, the APRA would establish entirely new compliance requirements. Given the complexity of the compliance requirements, and their broad applicability, it is essential that businesses retain attorneys who have experience in privacy law matters.

Please note that the APRA is likely to undergo further amendment as it proceeds through the legislative process. This blog details the requirements set forth in the most current version of the APRA available at the time of posting.

What Compliance Requirements Does the APRA Contain?

Many of the APRA consumer data privacy requirements mirror those already contained in existing state laws. However, there are some key differences. Notably, if the current iteration of the bill passes, it would specifically preempt all existing state data privacy laws. Among other things, the APRA would require businesses to draft a privacy policy that discloses the following (which is not intended as an exhaustive list):

· The categories of information collected;

· The length of time each category of data is kept and the criteria used to determine when to delete that data;

· The names of any third parties to whom data is shared/sold;

· The categories of data transferred to third parties;

· The purpose of any such transfers to third parties; and

· A description of how consumers may exercise their privacy rights.

In connection with the foregoing, the APRA would require businesses to provide consumers with the following privacy rights (which is not an exhaustive list):

· The right to access data collected or processed, to know the name of any third party or service provider to which the data was transferred and the purpose of the transfer;

· The right to correct inaccurate or incomplete data;

· The right to delete consumer data; and

· The right to opt out from the sale/sharing of data.

In addition to the foregoing, the APRA establishes additional, stricter obligations for entities referred to as “Large Data Holders.” Large Data Holders are defined as entities that: (a) earn $250,000,000 or more in annual revenue; and (b) collect, process, retain, or transfer: (i) data of more than 5,000,000 individuals (or 15,000,000 portable devices or 35,000,000 connected devices that are linkable to individuals); or (ii) sensitive data of more than 200,000 individuals (or 300,000 portable devices or 700,000 connected devices).

Why Do Federal Privacy Law Requirements Matter to Your Business?

Congress’ goal in introducing the APRA is to create a single set of uniform rules for businesses to follow. If the APRA passes, this would circumvent the patchwork of state requirements that is in place today. These changes will not be onerous for those businesses that are already compliant with existing state laws. However, the APRA would still require those businesses to adjust their existing practices to some extent. Further, for many businesses that were exempt from state data privacy laws, the APRA would require the implementation of a new assortment of compliance policies and procedures.

It is important to note that the APRA diverges from some state data privacy laws in that it establishes a private right of action for citizens in cases of a data breach. This could result in increased exposure to liability for businesses that fail to comply with the requirements of the APRA. As such, it is advisable to obtain guidance from attorneys experienced with privacy law compliance. Please note, the above offers only a brief overview of some of the legal issues involved in connection with APRA compliance.

If you need assistance with consumer privacy law compliance matters, please email us at or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice nor is it a substitute for seeking legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising



David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.
