The American Privacy Rights Act: A Significant Step Forward for U.S. Data Rights

Over the weekend, the privacy community witnessed a seismic shift with the surprise release of "The American Privacy Rights Act," a landmark draft federal privacy bill. Here at Transcend, we’ve always been passionate advocates for privacy rights for all individuals, and this bipartisan effort marks a significant milestone.  

In my discussions with many leaders in the Chief Privacy Officer community, and the privacy community at large, it’s clear most believe a US federal privacy law is needed, and that it’s just a matter of time before one is passed. There’s genuine excitement for this federal movement and many are diving deep into the draft bill’s provisions. 

Of equal importance, most CPOs I’ve spoken with expect an up-hill battle for this draft bill – from states on preemption, big tech lobbyists on private right of action and various operational requirements, and perhaps even from some privacy advocates on items that need additional clarity (such as “how do we trust companies to effectively operationalize data minimization?” and the SMEs exemption). So while this latest attempt at a national privacy law shows promise given its bipartisanship support, we’ve seen bills start and stop before – namely the ADPPA just two years ago. 

What does feel clear in the CPO community is this: Technology governance continues to be pushed forward based on large-scale concerns about Artificial Intelligence. Whether Congress acts further is yet to be seen, but the momentum behind privacy continues to grow alongside AI’s advancements. 

Let’s dive into a quick fact sheet on the draft:

The implications of this new bill are vast, introducing requirements such as explicit consent for the collection of sensitive personal data. It also empowers the Federal Trade Commission (FTC) with enhanced authority to pursue civil penalties, signaling a critical moment for organizations to elevate their privacy programs.

• Introduction of requirements on data minimization, opt-out right for targeted advertising, and access, correction, export, or deletion of personal data. 

• Inclusion of data security provisions, an “executive responsibility” section, and a national data broker registry. 

• Prohibition of mandatory arbitrations in cases of significant privacy harm. 

Under the bill’s provisions on civil rights, companies would be barred from using personal information for discriminatory purposes. Individuals would also have the right to opt out of a company’s use of algorithms for decisions related to various aspects of their lives, including housing, employment, healthcare, credit, education, and insurance. 

The bill seeks to establish uniform online privacy protections across state lines, preempting state privacy laws to ensure consistency and robustness in data privacy regulations nationwide. This move addresses concerns about the proliferation of disparate state laws and aims to set privacy protections that surpass existing state regulations. 

One notable aspect of the bill is its preemptive nature over state privacy laws, although it comes with a few exceptions. While It has been said that this is a progressive move towards a comprehensive U.S. privacy framework, it has also sparked a few debates. Critics argue that its preemption of the California Consumer Privacy Act (CCPA) could dilute the rights available to Californians and others across the nation. As companies grapple with these implications, scrutiny is inevitable.

A significant departure from previous iterations, the American Privacy Rights Act incorporates a private right of action enabling enforcement actions by the Federal Trade Commission, state attorney’s general, and individual citizens. This provision would empower individuals to take legal action against entities that violate their privacy rights, underscoring the bill’s emphasis on accountability and enforcement. 

However, it's crucial to acknowledge the uncertainties surrounding the bill's trajectory. Questions loom over its political viability, particularly in an election year, amidst staunch opposition from tech giants and lobbying efforts. While this development signifies progress, it's essential to tread cautiously, recognizing that the journey toward robust privacy legislation may encounter obstacles along the way.

As our community discussions about the American Privacy Rights Act continue, it's clear that the draft bill is a positive step for data privacy protections in the United States. 

And regardless of what we all collectively see unfold next, we’ll continue to be laser-focused on providing our customers with a future-proofed privacy platform that helps to seamlessly adapt to evolving privacy regulations and navigates complexities with confidence. 

Whether  you’re already a Transcend customer, looking to transition from a legacy system to our next-gen privacy platform, or simply wanting to learn more, join us for our community webinar, Future-Proofing: Unpacking the Breaking American Privacy Rights Act, on Wednesday, April 10 9am PST / 12pm EST. We will dive deep into this bill and its potential implications with regulatory and CPO experts.