The American Privacy Rights Act (APRA) is this year's attempt at national data privacy legislation. Introduced in April by Senate Commerce Committee Chair Maria Cantwell, D-Wash., and House Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., this bill would establish a framework of data privacy rights and eliminate the current patchwork of state-level data privacy laws.
While it is similar to the previously proposed American Data Privacy and Protection Act (ADPPA), which failed to make it out of committee, there are some notable differences.
A key feature of this bill is data minimization: limiting the data collected to only what is necessary to accomplish a specific task. Keir Lamont, director of the Future of Privacy Forum’s U.S. legislation team, states, “This approach seeks to deemphasize, opt-in or opt-out rights — individual consent — and instead place limits on what data can be collected and how it can be used by covered entities.” This is a much different stance from the ADPPA, which focused more on allowing individual consent and less on the amount of data entities are allowed to collect.
Other important changes include a strengthened private right of action, which allows individuals to take legal action against companies that break the law, and a wider definition of “sensitive data,” which would now include cross-site tracking and social media tracking.
This law would also end most state-level protections, though it would try to retain some, including those related to employee data and biometrics.
While most support a national framework, some are critical of a blanket approach and feel that a choice-of-law statute should be added. This would allow states to retain much of their privacy laws and let businesses choose which state to incorporate in, which would also allow them to choose which state's privacy laws to follow.