Federal data privacy and security legislation has become a frustrating policy topic to follow. In principle, few people disagree with the need for federal action; members of Congress, Democrats and Republicans alike, agree that a comprehensive package is needed. But as in many policy areas, that support unravels once the substance is on the table. The need for federal action is more pressing now than ever: the number of states with data privacy and security frameworks keeps growing and those frameworks are starting to diverge, Americans remain without consistent protections, and data is largely left unprotected and accessible to bad actors.

The third version of legislation trying to chart this course, the discussion draft of the American Privacy Rights Act (APRA), is now available in advance of a full committee markup on June 27. It is led by House Energy and Commerce Committee Chair Rep. Cathy McMorris Rodgers (R-Wash.) and Senate Commerce Committee Chair Sen. Maria Cantwell (D-Wash.). Notably, Rep. Frank Pallone (D-N.J.) is reportedly supporting this draft. The difficulty of reaching a compromise was on display during the first and second drafts, when different groups targeted specific provisions, often for opposing reasons.

APRA 3.0 makes several notable changes from prior iterations and the American Data Privacy and Protection Act (ADPPA) from last Congress. This non-exhaustive analysis focuses solely on key changes without evaluating areas that may need further revision or highlighting existing strengths.

  1. Algorithms and Civil Rights. APRA originally contained sections that prohibited collecting and using data in a discriminatory manner and required impact assessments and design evaluations for covered algorithms. There were large shifts between the first two drafts, but this version brings the largest departure: those sections are no longer in the bill, and the opt-out for consequential decisions has been removed as well (former sections 113 and 114).
  1. Preemption. A new section revises preemption for state laws or rules that protect children and teens: such laws would be preempted only where they conflict with APRA, and states would remain free to provide greater protections. This section will likely remain a source of contention, as some argue a federal law should let states go further with protections and others argue preemption should be tightened further.
  1. Private Right of Action. The Private Right of Action (PRA) originally permitted a person to bring a civil action against an “entity”; APRA 3.0 clarifies this to allow actions against covered entities and service providers. At the same time, the period to cure a violation was extended from 30 days to 60 days, the notice period for actual damages was likewise increased from 30 days to 60 days, and a new section addresses “bad faith” actions, meaning actions brought without giving the entity notice when notice is required. Such bad-faith claims are dismissed without prejudice, however, so they can be refiled. A PRA is a provision many, including us, would prefer to leave out, but some version of it has widely been seen as a necessary compromise.
  1. Children’s Privacy. The APRA 2.0 discussion draft merged portions of the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) into the draft under Title II. It was criticized, however, for not incorporating enough of the standalone bill because it did not carry over that bill’s knowledge standard. The latest draft broadens the actual knowledge standard to match COPPA 2.0 by including “knowledge fairly implied [based on] objective circumstances.” It also adds language clarifying that covered entities are not required to collect new age data on children or teens beyond their existing practices or to implement an age-gating or age-verification mechanism. R Street has raised concerns about measures of that kind, including their data security and cybersecurity implications, and about broader children-specific measures where they might lead to a de facto age-verification requirement.
  1. Data Minimization. In the original and APRA 2.0 discussion drafts, there were concerns that the narrow scope of the permitted purposes could harm medical research. The latest draft expands the purposes for which medical researchers may process de-identified data, including improving safety, enabling effective delivery, and monitoring health care products and patient treatment. It also adds a permitted purpose allowing covered data to be processed for medical research conducted in compliance with Health and Human Services regulations that protect human subjects in research. Because the list is fixed at 17 purposes, calls for a mechanism to add permitted purposes in the future will continue.
  1. Sensitive Data. The definition has expanded to include information that reveals an individual’s status as a member of the Armed Forces, which some argued is important for national security. It also adds neural data, which several state privacy laws have recently begun to protect. Further, it replaces the broad language, “information revealing [a person’s] online activities over time and across [unaffiliated] websites…” with the term “an online activity profile,” defined as “…covered data that identifies [a person’s] online activities over time and across third party websites…and [used for extrapolating a person’s behaviors or characteristics].”
  1. Advertising. The definition of targeted advertising has been revised: an advertisement now qualifies when it is selected for an individual based on “known or predicted preferences” rather than on information inferred “over time and across websites.” Contextual and first-party advertising remain excluded from that definition, but their own definitions were revised separately, and the permitted purposes for all three categories have changed. For example, targeted advertising is still a permitted purpose, but it cannot use sensitive data, and an “online activity profile” now counts as sensitive data, whereas APRA 2.0 had an exception for “data collected over time and across websites.” How this would play out in practice needs careful assessment.

As with the last two drafts and the ADPPA of the prior Congress, there is still a long path ahead before the United States has a comprehensive privacy law, and there will almost certainly be further changes, especially since key House leaders have raised concerns. But failing to make the attempt and aim for consensus guarantees that the status quo continues. In fact, it is bound to get worse, with more and more state laws and international policies filling the gap.
