Privacy Laws 2025: Prepare for the 8 Laws Going into Effect
Businesses in the US will be subject to a lot more scrutiny from...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
The U.S. is taking another swing at a federal data privacy law with the American Privacy Rights Act, or APRA. While there’s no guarantee that the APRA will become the law of the land, it’s still worthwhile to study in order to see what requirements organizations may be subject to as well as what potential future data privacy laws may resemble. Here, we’ll cover the law’s basic requirements as well as its likelihood of passage.
Need help complying?
Schedule a DemoOn April 7th, Congress unveiled a bipartisan, bicameral comprehensive data privacy rights bill—the APRA.
Specifically, the APRA was put forth by House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science, and Transportation Chair Maria Cantwell (D-WA). In essence, the law:
Covered entities under the APRA include any entity that collects, processes, retains, or transfers personal data (or has it done for them) and who is subject to the FTC Act. So, the APRA would be quite broad; however, it does have some major exemptions.
Unlike most state data privacy laws, the APRA does not apply to small businesses, which it defines as those businesses:
In addition to small businesses, governments, entities working on behalf of governments, the National Center for Missing and Exploited Children (NCMEC), and fraud-fighting non-profits are excluded.
If you’re compliant with certain federal laws like the Gramm-Leach-Bliley Act and HIPAA, then congratulations; the APRA already considers you to be compliant.
Furthermore, the APRA only covers data that can be reasonably linked to an individual or device. That excludes de-identified data, employee data, publicly available information, and so on.
Organizations will recognize that the APRA tracks the basic requirements of most data privacy laws, but there are some notable departures. We’ll cover the major features below.
For the most part, the APRA provides a set of data subject rights that maps to other U.S. privacy laws, including:
Arguably the most interesting aspect of the APRA is its distinct category for “Large Data Holders.” Large Data Holders are defined as those organizations that:
Large Data Holders are subject to stricter requirements under the APRA, including:
Like most data privacy regulations, the APRA includes a separate category for sensitive data. Unlike most regulations, its definition is fairly broad. It includes:
If you’re familiar with other state privacy laws, you’ll notice a few standout items. Notably, third-party tracking is explicitly called out, as well as “private communications,” which could conceivably cover any number of messages. As for the reference to “video programming viewing information,” that may be a reference to the VPPA, a decades-old law that protects video viewing habits and which has been used recently by the plaintiffs’ bar to sue any number of businesses that feature video content on their website.
Sensitive data is, as is usually the case, limited to certain use cases under the APRA. Furthermore, consumers must affirmatively opt into its collection and use. Non-sensitive covered data can be collected and processed so long as consumers are given notice and the ability to withdraw consent.
Required Data Privacy/Security Officer
In contrast to many U.S. data privacy laws, the APRA takes a leaf from the GDPR’s book and requires businesses to establish a data privacy and/or security officer role. This role isn’t exactly comparable to the GDPR’s data privacy officer role, at least not in the draft’s current form—it doesn’t specify what these officers’ duties would be.
All covered entities are required to have a data privacy officer OR a security officer, but entities that qualify as Large Data Holders must have both.
In a fairly novel requirement for data privacy regulations, the APRA would regulate data brokers specifically.
The APRA empowers the FTC to create a data broker registry, which requires annual registration for data brokers that “affect” the data of more than 5,000 individuals. On this site, consumers can withdraw their consent for data brokers’ data collection.
Under the APRA, data brokers will need to maintain a website that identifies themselves as data brokers, provides a tool for subject rights and opt-out requests, and links to the FTC’s data broker registry.
There are a few different mechanisms for the APRA to be enforced. It could be enforced:
Of these three, the last route of enforcement is by far the least common. There’s a good chance that this private right of action will become a focus during committee discussions.
It’s difficult to say, but we can say with certainty that there is a long legislative journey for the APRA.
Some may be familiar with the American Data Privacy and Protection Act, or ADPPA—it was similar to the APRA in several ways and had made it much farther along the legislative process. Ultimately, it failed to pass and remains inactive as of this writing.
For the unfamiliar, the U.S. legislative process flows like so:
The ADPPA had made it all the way to step three but was never brought up for a vote—and that was considered a big deal for a comprehensive data privacy law.
In contrast, the APRA has only gotten to step one as of this writing. So, while it’s appropriate to be excited about its potential, it’s important to be realistic about its chances and what fate it’ll face in committee.
Crucially, the APRA suffers from the same fatal flaw that stalled the ADPPA; preemption. The whole point of a federal comprehensive data privacy law is that it replaces (i.e. preempts) the mishmash of state privacy laws. But it also replaces laws that offer arguably stronger consumer protections, such as the CCPA/CPRA.
Californian privacy stakeholders have already voiced concern that the bill strips protections away from Californians. California Privacy Protection Agency (CPPA) Executive Director Ashkan Soltani said in a statement:
Americans shouldn’t have to settle for a federal privacy law that limits states’ ability to advance strong protections in response to rapid changes in technology and emerging threats in policy – particularly when Californians’ fundamental rights are at stake. Congress should set a floor, not a ceiling.
California swings a lot of weight in Congress, so this could be a significant challenge for the bill.
Whether the APRA becomes the law of the land as-is, undergoes significant changes, is replaced by a future bill, or never passes at all, organizations will need to find efficiencies in their compliance efforts. Data privacy platforms like Osano enable you to automate, streamline, and manage your privacy program without extraneous time and effort. Find out whether Osano can prepare your organization for U.S. data privacy regulations—schedule a demo today.
Discover actionable compliance tips straight from our team of legal and privacy experts through our blogs, webinars, eBooks, guides, and more.
With 12 comprehensive data privacy laws enacted and many more in progress, staying...
Read nowWith a patchwork of U.S. state privacy laws, there’s a lot of uncertainty about what...
Read nowVirtually every country has enacted some sort of data privacy law to regulate how...
Read nowWith Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.