Table of Contents:

• What is the American Privacy Rights Act (APRA)?
• What Kind of Data Does the American Privacy Rights Act Protect?
• Who Does The American Privacy Rights Act Apply to?
• Key Provisions of the American Privacy Rights Act

Note: The American Privacy Rights Act (APRA) has not been enacted into law at the time of writing.

In a groundbreaking bipartisan effort, the American Privacy Rights Act (ARPA) was introduced on April 7, 2024, marking a significant milestone in the United States’ approach to data privacy and protection. Spearheaded by Congresswoman Cathy McMorris Rodgers and Senator Maria Cantwell, this legislation seeks to empower US citizens with control over their personal data, while imposing stringent data protection standards on entities that handle this data. Similar to other privacy frameworks like GDPR in Europe, ARPA, if enacted would give US citizens similar rights and protection against entities that are non-compliant with the federal law. This would be the first federal law that provides a comprehensive national framework for data privacy.

What is the American Privacy Rights Act (APRA)?

The American Privacy Rights Act (ARPA) is a comprehensive federal data protection framework enacted to enhance privacy rights and secure personal data against misuse. The Act outlines requirements for data collection, processing, and security, granting U.S. citizens control over their personal information, defining what covered data and covered entities are, rules for enforcement, and more.

What Kind of Data Does the American Privacy Rights Act Protect?

What is Covered Data?

Covered data refers to any information that can identify a person or is connected to a device that can be linked to one or more individuals, either on its own or when combined with other information.

What Doesn’t Count as Covered Data?

There are a few exceptions to what is considered covered data:

• De-identified Data: Information that has been stripped of personal identifiers, making it impossible to trace back to an individual.
• Employee Information: Details about employees that are used for internal company processes.
  Publicly Available Information: Information that anyone can access publicly, like details available in media or online databases.
• Inferences from Public Information: Judgments or assumptions made from public data that don’t disclose sensitive personal details or are mixed with covered data.
• Information Held by Libraries, Archives, or Museums: Data that is part of a collection open to the public or available to researchers not associated with these institutions, as long as:
  • The institution serves the public.
  • It has professional staff or volunteers.
  • All materials are legally obtained and comply with any licensing rules.

Who Does The American Privacy Rights Act Apply to?

The American Privacy Rights Act (ARPA) defines which organizations are and are not covered by the law. These covered organizations include:

• Any organization that decides on its own or with others how to collect, process, keep, or share data covered by the law.
  Organizations that are regulated by the Federal Trade Commission.
• Common carriers, which are companies like phone and internet providers, are regulated under the Communications Act of 1934.
• Nonprofit organizations that are not set up to make a profit for themselves or their members.
• Any organization that has control over, is controlled by or is under the same corporate control as another organization covered by this law, or that shares the same brand with another covered organization.

Excluded organizations are as follows:

• Federal, state, tribal, territorial, or local government bodies such as authorities, boards, bureaus, commissions, districts, agencies, or any political subdivisions of these governments.
• Any service provider that handles data on behalf of a government entity
• Small businesses; The criteria for a small business as outlined in the Act:
  • Revenue: If a business has made $40 million or less per year over the last three years, or for however long it’s been open if it’s less than three years, it’s considered a small business under this law.
  • Handling Personal Data: A small business can only handle the personal data of up to 200,000 people each year for basic business activities like processing orders or customer service. They must delete or anonymize this data within 90 days unless they need to keep it longer for things like fraud investigations or honoring returns and warranties.
  • Data Transfer: The business cannot sell or trade personal data for money or any other benefit.
• The National Center for Missing and Exploited Children.
• Nonprofit organizations that focus mainly on preventing, investigating, or deterring fraud, or those that train anti-fraud professionals or educate the public about various types of fraud, such as insurance, securities, and financial fraud. This exemption applies as long as these nonprofits are handling data in a way that supports their main mission to combat fraud.

Key Provisions of the American Privacy Rights Act

The Act covers four key areas, each with a subset of categories outlined below:

Affirmative Express Consent and Definitions

Consent: The Act introduces the concept of “affirmative express consent,” requiring clear and explicit consent from individuals before their data can be collected or processed. This consent must be informed, freely given, and specific to distinct processing activities, ensuring that individuals are fully aware of how their data will be used.

Sensitive Covered Data: Special attention is given to sensitive data, including biometric, health, and geolocation information. The Act imposes stricter requirements on how such data is handled, requiring additional protections to prevent misuse.

Individual Rights

Access, Correction, Deletion, and Portability: Individuals can access their data, request corrections, opt for deletion, and even move their data to another service provider. These rights empower consumers by giving them control over their personal information.

Opt-Out Rights: The Act provides mechanisms for individuals to opt-out of data processing for purposes not essential to the services provided, such as targeted advertising.

Transparency and Accountability

Privacy Policies: Entities must maintain transparent operations by disclosing their data practices in detailed, easy-to-understand, and accessible privacy policies.

Updates and Disclosures: Privacy policies must be regularly updated to keep individuals informed about any significant changes in data use.

Enforcement and Compliance

Federal Trade Commission (FTC): The FTC plays a crucial role in enforcing the Act, equipped with the authority to impose penalties on entities that fail to comply with the data protection standards.

State and Individual Rights: States can take action through their attorney generals, and individuals also have the right to bring private legal actions against non-compliant entities.

Implications for Businesses

Businesses must adapt to the new regulations by revising their data handling and processing practices. This involves updating privacy policies, implementing stronger data security measures, and ensuring transparent communication with customers. Companies must also be prepared for potential audits and compliance checks by regulatory bodies. Utilizing current security frameworks like SOC 2 or ISO 27001 can prepare your business to meet the standards of the American Privacy Rights Act if it becomes a law.

How Carbide Turns Compliance into a Competitive Advantage

For businesses navigating the complexities of compliance, the American Privacy Rights Act presents both challenges and opportunities. Carbide’s suite of solutions, including the Trust Center and AI Security Assistant, offers businesses the best tools needed to align with the industry standards like SOC 2, ISO 27001, and more. By leveraging Carbide’s expertise, organizations can not only achieve compliance but also turn data protection into a competitive advantage. Talk with our team today.