American Privacy Rights Act of 2024: A Renewed Push for a Comprehensive National Privacy Framework

By John Bailey

April 15, 2024

Little more than two years after the last significant attempt to modernize our national privacy law, the failed American Data Privacy and Protection Act (ADPPA), US House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-WA, and Senate Committee on Commerce, Science and Transportation Chair Sen. Maria Cantwell, D-WA, released a “discussion draft” of the American Privacy Rights Act of 2024 (APRA) along with a section-by-section summary.

APRA seeks to address the evolving concerns related to data privacy in the modern digital era, particularly given the rise of new AI systems trained on large data sets. It aims to provide a comprehensive national framework for consumer data privacy and security, including ensuring consumers have greater control over their personal information. Noteworthy provisions include:

  • Limits on the types of consumer data companies can collect, retain, and use to operate their services.
  • The right for users to opt out of targeted advertising and to view, correct, delete, and download their data from online services.
  • Creation of a national registry of data brokers with an opt-out mechanism.
  • Prohibition on using personal data to discriminate against individuals.
  • The ability to opt out of algorithmic decision-making in sensitive areas such as housing, employment, healthcare, credit, education, and insurance, among others.

One of the most contentious issues in previous attempts to pass national privacy legislation has been the preemption of state laws. APRA would supersede existing state privacy regulations, a move that has faced opposition from many Democrats. ADPPA failed to reach a full House vote, in part due to concerns from then-House Speaker Nancy Pelosi and other California lawmakers who feared it would weaken their state’s privacy standards.

For online companies serving education systems, one section deems covered entities and service providers in compliance with the related provisions of the APRA as long as they are educational agencies or institutions as defined under the Family Educational Rights and Privacy Act (FERPA) and are in compliance with FERPA.

The APRA extends privacy protections for minors under 17, requiring companies to assess their data practices and ensure compliance. While not as comprehensive as the proposed ADPPA, APRA covers a broader age range than the Children’s Online Privacy Protection Act (COPPA). Companies serving both children under 13 and minors between 13 and 16 must navigate a layered approach, adhering to COPPA’s specific requirements for the former and APRA’s provisions for the latter, potentially updating policies, processes, and consent mechanisms.

One challenging requirement is a provision in APRA that requires large data holders to conduct impact assessments when they pose a “consequential risk” in five categories:

  • covered minors;
  • housing, education, employment, health care, insurance, or credit opportunities;
  • public accommodations based on protected characteristics;
  • disparate impacts based on race, color, religion, and sex; and
  • disparate impacts based on political party registration.

The impact assessment must describe the covered algorithm’s design process, methodologies, purpose, proposed uses, input data, and outputs. It must also describe the steps taken or planned by the large data holder to mitigate potential harm to individuals or groups, particularly minors. 

The requirement for an impact assessment is intended to identify and address potential harms associated with algorithmic systems early in their development and deployment phases. This provision is particularly relevant in light of the ongoing debate surrounding the negative effects of social media and smartphone usage on the mental health and well-being of youth. By mandating an early evaluation of algorithmic impacts, the APRA aims to identify and mitigate these concerns at the outset, rather than attempting to remedy them retroactively after years of widespread use. 

In practice, this may prove to be difficult. Algorithms and their applications can evolve significantly between the time an assessment is conducted and when the technology is actually deployed, making it difficult to accurately predict and evaluate potential impacts. And for many general-purpose technologies, anticipating all the diverse ways users might employ them can be nearly impossible until these technologies are released. The long-term consequences of new technologies on individuals and society may not be fully understood or apparent at the time of the impact assessment, only becoming evident after widespread adoption. 

APRA represents a renewed effort to establish a comprehensive national framework for consumer data privacy and advances new provisions aimed at addressing the challenges posed by evolving technologies, particularly in relation to AI systems and the protection of minors. This could be the best chance to modernize our privacy laws, particularly since Rep. McMorris Rodgers announced that she would not seek reelection this year. But there are many procedural hurdles ahead, and final passage is far from guaranteed.
