The American Privacy Rights Act (APRA): What to Expect? 

The U.S. is taking another swing at a federal data privacy law with the American Privacy Rights Act, or APRA. While there’s no guarantee that the APRA will become the law of the land, it’s still worthwhile to study in order to see what requirements organizations may be subject to as well as what potential future data privacy laws may resemble. Here, we’ll cover the law’s basic requirements as well as its likelihood of passage.

What Is the American Privacy Rights Act (APRA)? 

On April 7th, Congress unveiled a bipartisan, bicameral comprehensive data privacy rights bill—the APRA.  

Specifically, the APRA was put forth by House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science, and Transportation Chair Maria Cantwell (D-WA). In essence, the law would: 

  • Serve as a federal comprehensive data privacy law, preempting most state laws (more on that later). 
  • Create privacy rights and protections for ALL Americans—not just those living in key states, participating in certain industries, or belonging to certain groups. 
  • Establish robust enforcement mechanisms to hold violators accountable, including enforcement via the Federal Trade Commission (FTC), state attorneys general, and—notably—a private right of action for individuals. 

Who Does the APRA Apply To? 

Covered entities under the APRA include any entity that collects, processes, retains, or transfers personal data (or has it done for them) and who is subject to the FTC Act. So, the APRA would be quite broad; however, it does have some major exemptions. 

APRA Exemptions 

Unlike most state data privacy laws, the APRA does not apply to small businesses, which it defines as those businesses:  

  • With $40M or less in annual revenue; 
  • That collect, process, retain, or transfer the covered data of 200,000 or fewer individuals; and 
  • That do not earn revenue from transferring covered data to third parties (i.e., data brokers). 

In addition to small businesses, governments, entities working on behalf of governments, the National Center for Missing and Exploited Children (NCMEC), and fraud-fighting non-profits are excluded.  

If you’re compliant with certain federal laws like the Gramm-Leach-Bliley Act and HIPAA, then congratulations; the APRA already considers you to be compliant. 

Furthermore, the APRA only covers data that can be reasonably linked to an individual or device. That excludes de-identified data, employee data, publicly available information, and so on. 

Primary APRA Requirements 

Organizations will recognize that the APRA tracks the basic requirements of most data privacy laws, but there are some notable departures. We’ll cover the major features below. 

Data Subject Rights 

For the most part, the APRA provides a set of data subject rights that maps to other U.S. privacy laws, including: 

  • The right to know what data has been collected. 
  • The right to access that data. 
  • The right to correct data. 
  • The right to delete data. 
  • The right to receive that data in a portable format. 
  • The right to opt out of targeted advertising and profiling. 

New “Large Data Holder” Category 

Arguably the most interesting aspect of the APRA is its distinct category for “Large Data Holders.” Large Data Holders are defined as those organizations that: 

  • Have $250 million or more in annual revenue;  
  • Collect, process, retain, or transfer the covered data of more than 5 million individuals (or 15 million portable devices or 35 million connected devices that are linkable to an individual); or  
  • Collect, process, retain, or transfer the sensitive data of more than 200,000 individuals (or 300,000 portable devices or 700,000 connected devices). 

Large Data Holders are subject to stricter requirements under the APRA, including: 

  • Publishing the last 10 years of their privacy policies and offering a short form of their policies. 
  • Providing a report to the FTC on their subject rights requests processing. 
  • Retaining a data privacy officer and a data security officer on staff. 
  • Filing an annual report to the FTC regarding their internal controls. 
  • Conducting privacy impact assessments at least once every two years. 
  • Conducting privacy impact assessments on their algorithms and providing both the public and the FTC with those assessments. 

Sensitive Data 

Like most data privacy regulations, the APRA includes a separate category for sensitive data. Unlike most regulations, its definition is fairly broad. It includes: 

  • Government identifiers;  
  • Health information;  
  • Biometric information;  
  • Genetic information;  
  • Financial account and payment data;  
  • Precise geolocation information;  
  • Log-in credentials;  
  • Private communications;  
  • Information revealing sexual behavior;  
  • Calendar or address book data, phone logs, photos, and recordings for private use; 
  • Any medium showing a naked or private area of an individual;  
  • Video programming viewing information;  
  • An individual’s race, ethnicity, national origin, religion, or sex, in a manner inconsistent with a reasonable expectation of disclosure;  
  • Online activities over time and across third-party websites, or over time on a high-impact social media site;  
  • Information about a covered minor; and  
  • Other data the FTC defines as sensitive covered data by rule. 

If you’re familiar with other state privacy laws, you’ll notice a few standout items. Notably, third-party tracking is explicitly called out, as well as “private communications,” which could conceivably cover any number of messages. As for the reference to “video programming viewing information,” that may be a reference to the VPPA, a decades-old law that protects video viewing habits and which has been used recently by the plaintiffs’ bar to sue any number of businesses that feature video content on their website. 

Sensitive data is, as is usually the case, limited to certain use cases under the APRA. Furthermore, consumers must affirmatively opt into its collection and use. Non-sensitive covered data can be collected and processed so long as consumers are given notice and the ability to withdraw consent. 

Required Data Privacy/Security Officer 

In contrast to many U.S. data privacy laws, the APRA takes a leaf from the GDPR’s book and requires businesses to establish a data privacy and/or security officer role. This role isn’t exactly comparable to the GDPR’s data privacy officer role, at least not in the draft’s current form—it doesn’t specify what these officers’ duties would be. 

All covered entities are required to have a data privacy officer OR a security officer, but entities that qualify as Large Data Holders must have both. 

Data Broker Registration 

In a fairly novel requirement for data privacy regulations, the APRA would regulate data brokers specifically. 

The APRA empowers the FTC to create a data broker registry, which requires annual registration for data brokers that “affect” the data of more than 5,000 individuals. On this site, consumers can withdraw their consent for data brokers’ data collection. 

Under the APRA, data brokers will need to maintain a website that identifies themselves as data brokers, provides a tool for subject rights and opt-out requests, and links to the FTC’s data broker registry. 

Multi-Pronged Enforcement With a Private Right of Action 

There are a few different mechanisms for the APRA to be enforced. It could be enforced: 

  • Via the FTC, which will treat violations as unfair or deceptive trade practices. 
  • Via state attorneys general, who may seek injunctive relief; civil penalties, damages, restitution, or other consumer compensation; attorneys’ fees and other litigation costs; and other relief, as appropriate. 
  • Via private citizens, who may sue organizations that violate their rights under the act. 

Of these three, the last route of enforcement is by far the least common. There’s a good chance that this private right of action will become a focus during committee discussions. 

Will the APRA Become Law? 

It’s difficult to say, but we can say with certainty that there is a long legislative journey for the APRA. 

Some may be familiar with the American Data Privacy and Protection Act, or ADPPA—it was similar to the APRA in several ways and had made it much farther along the legislative process. Ultimately, it failed to pass and remains inactive as of this writing. 

For the unfamiliar, the U.S. legislative process flows like so: 

  1. A representative of the House or Senate sponsors a bill. 
  2. The bill is then studied in an appropriate committee (e.g., the House Energy and Commerce Committee or the Senate Commerce, Science, and Transportation Committee). 
  3. The bill is then brought to the House or Senate floor for a vote. 
  4. If it passes, then the bill moves to the opposite body—that could be the Senate or the House, depending upon which body introduced the bill. 
  5. It’s studied and voted on again in the opposite body. 
  6. A committee of House and Senate members meets to work on any differences between the House and Senate versions of the bill. 
  7. The bill returns to the House and Senate for final approval. 
  8. The President signs the bill into law or vetoes it. 

The ADPPA had made it all the way to step three but was never brought up for a vote—and that was considered a big deal for a comprehensive data privacy law. 

In contrast, the APRA has only gotten to step one as of this writing. So, while it’s appropriate to be excited about its potential, it’s important to be realistic about its chances and what fate it’ll face in committee. 

Crucially, the APRA suffers from the same fatal flaw that stalled the ADPPA: preemption. The whole point of a federal comprehensive data privacy law is that it replaces (i.e., preempts) the mishmash of state privacy laws. But it also replaces laws that offer arguably stronger consumer protections, such as the CCPA/CPRA.  

Californian privacy stakeholders have already voiced concern that the bill strips protections away from Californians. California Privacy Protection Agency (CPPA) Executive Director Ashkan Soltani said in a statement:  

Americans shouldn’t have to settle for a federal privacy law that limits states’ ability to advance strong protections in response to rapid changes in technology and emerging threats in policy – particularly when Californians’ fundamental rights are at stake. Congress should set a floor, not a ceiling. 

California swings a lot of weight in Congress, so this could be a significant challenge for the bill. 

Whether the APRA becomes the law of the land as-is, undergoes significant changes, is replaced by a future bill, or never passes at all, organizations will need to find efficiencies in their compliance efforts. Data privacy platforms like Osano enable you to automate, streamline, and manage your privacy program without extraneous time and effort. Find out whether Osano can prepare your organization for U.S. data privacy regulations—schedule a demo today. 
