The American Privacy Rights Act could undercut state privacy efforts

Last week, federal lawmakers unveiled a first draft of the American Privacy Rights Act, this year’s attempt to legislate national data privacy protections. Along with establishing a framework of data privacy rights for Americans, it also promises to eliminate the patchwork of state data privacy laws that have been passed in absence of a federal mandate.

While some data privacy experts have repeatedly called for a federal law to regulate the practices of online data brokers — which collect and sell massive amounts of consumer data with little mitigation — some say that eliminating the patchwork of state privacy laws might do more harm than good.

The American Privacy Rights Act of 2024, or APRA, is the successor to the American Data Privacy and Protection Act, or ADPPA, that was introduced in 2021. The new bill was introduced by Senate Commerce Committee Chair Maria Cantwell, D-Wash., and House Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash.

The latest proposal follows ADPPA’s failure to make its way out of committee. Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals, said that legislation’s failure created a bit of pessimism within the data privacy community regarding hopes of getting a federal law on the books. But, with the bipartisan and bicameral APRA, Zweifel-Keegan said, the mood in Washington might be changing.

“Overall the temperature is warming up to the idea that there could be a path, given the amount of political will behind this, particularly with the chairs of both committees being fully on board with this current draft, and having negotiated this between themselves,” he said. “So that could mean that there is a path to passage. There will just be a lot of moving pieces to make that happen.”

For data collection, APRA sets as its standard a practice called data minimization, only collecting as much data is as necessary to accomplish a certain task. Keir Lamont, director of the Future of Privacy Forum’s U.S. legislation team, called the addition of a data minimization standard APRA’s “primary innovation and strongest attribute.”

“This approach seeks to deemphasize, opt-in or opt-out rights — individual consent — and instead place limits on what data can be collected and how it can be used by covered entities,” Lamont said, comparing the proposed legislation to the failed ADPPA.

Other key additions to APRA include a right to opt out of automated decision-making for “consequential decisions,” a stronger private right of action — the right of individuals to pursue legal action against organizations that break the law — and an expansion of the definition of “sensitive data” to include cross-site tracking data and social media tracking data, both of which the advertising industry heavily relies upon for targeted advertising.

But despite the broad protections it would afford consumers, the American Privacy Rights Act does not cover the data collection of federal, state, tribal, territorial or local government entities.

Eliminating state-level protections

Regardless of the positive reception in Washington, some privacy experts expect that APRA’s broad authority and its inclusion of a private right of action will preempt or render ineffective many state privacy laws.

“This [law] would have the effect of getting rid of most of those state-level protections for consumers. But it also tries to carve out and retain some of the sectoral protections, including protections related to employee data and some of the heightened protections around biometrics,” Zweifel-Keegan said, noting laws such as the Illinois Biometric Information Privacy Act and Washington’s My Health My Data Act.

Lamont said having myriad state-level protections is confusing and that a federal law like APRA could avoid complications the patchwork of laws created for individuals seeking to understand and exercise their rights and organizations attempting to build out national compliance programs. As of this week, 15 states have at least one data privacy law on the books, according to IAPP, and they are all unique in some way.

Without a single, federal standard for consumer privacy, some research shows that state privacy laws are largely ineffective. One report published in February evaluating state data privacy laws found that most don’t efficiently protect consumer data privacy because they lack “data minimization” obligations. The report also notes that state privacy laws usually lack a private right of action, which experts argue is the most effective way to deter companies from violating the regulations.

But APRA’s introduction hasn’t stopped state efforts. Maryland lawmakers this week passed a data privacy bill with strong prohibitions on the sale of sensitive data and data-minimization requirements similar to those found in APRA.

Although APRA may render some state laws invalid, it would still leave states and their designated enforcement agencies with the power to enforce any state or federal data privacy law.

Pros of the patchwork

Geoffrey Manne, president and founder of the International Center for Law and Economics, said there’s an advantage to having a diversity of law. In a paper published last month by the American Enterprise Institute, he proposes preserving that diversity through a federal “choice of law” statute.

The “choice of law” statute, if added to APRA, would allow states to keep their privacy laws and prevent the federal law from preempting state authority. Businesses would be allowed their choice of which state’s privacy law they must follow.

“The idea was very much modeled on the state incorporation law, where the corporation picks the state in which it’s going to be incorporated, and it’s internal governance is governed by the laws of that state, no matter where it’s doing business, around the country,” Geoffrey Manne, an author of the paper and founder of the International Center for Law and Economics, told StateScoop.

An added benefit of the statute, Manne said, would be its encouragement of competition among states over their privacy statutes and among businesses over their privacy practices. This would also allow the more tailored privacy laws — such as the Illinois BIPA or the Washington My Health My Data Act — to make operating within certain states more appealing to the covered businesses.

Manne said he’s not in favor of undoing state efforts to regulate data privacy, but he’s skeptical of a federal privacy law that isn’t flexible enough to meet the varying needs of states.

“Neither all consumers nor all businesses have the same kind of privacy risks and preferences,” Manne said. “As a practical matter, it’s very hard to to prescribe rules that are optimal for 330 million people. And that’s true with all law. Instead, you could end up with a lot of different sort of much more tailored privacy regimes, and the opportunity for companies to kind of match their needs with privacy regimes being offered.”