The Quest for a Comprehensive Federal Privacy Law: ADPPA vs APRA

by Bill Tolson

The legal need for robust data privacy regulations has become increasingly evident in today's changing data privacy landscape. The complication of emerging (and differing) state data privacy laws further underscores the need for comprehensive federal privacy laws. This is an inflection point for information management and data security that we cannot afford to overlook.

As consumers become more conscious of how their personal information is collected, shared, stolen, sold, and utilized, federal policymakers face a daunting challenge. They must craft a comprehensive federal privacy law that strikes a delicate balance between protecting consumers and safeguarding business interests.

Two proposed bills, the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA), have emerged as potential solutions. Each bill brings a unique approach, sparking interest in its implications and possible impact on data privacy regulations.

The origins of the ADPPA

The ADPPA traces its roots back to 2019 when a bipartisan group of lawmakers introduced the Consumer Data Privacy and Security Act (CDPSA). This initial bill aimed to establish a national data privacy and security standard, preempting the growing patchwork of state laws that had begun to emerge. However, the CDPSA faced criticism from consumer advocacy groups and privacy experts, who argued that it did not go far enough in protecting individuals' rights.

In 2022, the ADPPA was introduced as a revised version of the CDPSA, marking a significant evolution in the legislation. It incorporated feedback from various stakeholders and addressed concerns raised about its predecessor, demonstrating a commitment to improving data privacy and security at the federal level.

Key provisions of the ADPPA

The ADPPA seeks to achieve several goals, including:

  • Data minimization and purpose limitation: The bill requires companies to collect and use data only for specified purposes and to minimize the collection of personal information to what is reasonably necessary.
  • Consumer rights: The ADPPA grants consumers many rights, such as the right to access, correct, delete, and port their personal data, as well as the right to opt out of targeted advertising and the sale of their personal information.
  • Data security requirements: Companies must implement reasonable measures to protect personal information from unauthorized access, use, or disclosure.
  • Enforcement and oversight: The Federal Trade Commission (FTC) would be granted expanded authority to enforce the ADPPA's provisions, including seeking civil penalties for violations.
  • Preemption of state laws: One of the most contentious aspects of the ADPPA is its preemption clause, which would override most state privacy laws, creating a uniform national standard.

The emergence of the APRA

In 2024, while the ADPPA was gaining attention, another group of lawmakers introduced the American Privacy Rights Act (APRA). APRA is a proposed data privacy law introduced on April 7, 2024, by U.S. Senator Maria Cantwell (D-WA) and U.S. Representative Cathy McMorris Rodgers (R-WA).

If enacted, APRA would establish a comprehensive federal consumer privacy framework, giving American citizens new federal rights regarding the collection, storage and use of data about them.

APRA background and purpose:

APRA aims to establish a nationwide standard for comprehensive data privacy and security regulation. It acknowledges individual data controls for consumers and the associated responsibilities of various corporations.

It provides the right to opt out of targeted advertising and specific algorithms. APRA also imposes additional requirements on significant stakeholders in the data landscape, including data brokers and “large data holders.”

How are APRA and ADPPA different?

APRA builds upon previous congressional efforts and includes elements from ADPPA (H.R. 8152), which the House Energy and Commerce Committee advanced during the 117th Congress. While APRA shares some similarities with ADPPA, it differs in several key areas:

  • Broader definition of personal information: APRA defines personal information more broadly, including not only traditional identifiers like names and addresses but also biometric data, geolocation information and online activity data.
  • Stronger consent requirements: Unlike ADPPA, which allows for implied consent in certain circumstances, APRA requires explicit, affirmative consent for the collection and use of personal information.
  • Private right of action: One of the most significant differences between the two bills is that APRA grants individuals a private right of action, allowing them to sue companies directly for law violations.
  • No preemption of state laws: While ADPPA aims to establish a national standard by preempting state laws, APRA takes a different approach, allowing state laws to remain in effect alongside federal law.
  • Broader coverage: APRA applies to a wider range of entities, including non-profit organizations and common carriers, while ADPPA includes some exemptions for certain types of organizations.

ADPPA and APRA address data privacy concerns differently

While both the ADPPA and APRA aim to address data privacy concerns, they differ in several key areas:

Preemption of state laws

ADPPA's preemption clause has been a point of contention: some argue that it undermines states' efforts to protect their residents' privacy, while others argue that a single national standard is necessary for businesses operating across state lines. APRA, by contrast, allows state laws to coexist with federal law, potentially creating a more complex regulatory landscape.

Consent requirements

APRA's stricter consent requirements have been praised by privacy advocates but criticized by some businesses as overly burdensome and potentially hindering innovation.

Definition of personal information

APRA's broader definition of personal information has been lauded by those who argue that it better reflects the evolving nature of data collection and use. However, it has also raised concerns among businesses about potential compliance challenges.

Enforcement and oversight

While both bills grant the FTC enforcement authority, APRA's inclusion of a private right of action introduces an additional layer of oversight and potential consequences for non-compliance.

A private right of action is a legal tool often found in federal and state laws that grants an individual or private party the authority to file a civil lawsuit against another party or a business for alleged harm. The inclusion of this limited private right of action was a compromise between consumer advocates who wanted stronger enforcement mechanisms and business groups concerned about excessive litigation. Key differences of the private right of action between the ADPPA and the APRA include:

  • Scope: APRA provides a broader private right of action, allowing lawsuits for any violation, while ADPPA limits it to specific types of sensitive data.
  • Notice and cure: ADPPA includes a 45-day notice and cure period before lawsuits can be filed, which APRA does not require.
  • Damages: APRA allows for statutory damages, while ADPPA only permits recovery of actual damages.
  • Covered entities: ADPPA's private right of action exempts smaller businesses and non-profits, while APRA applies to all covered entities.

APRA allows for broader lawsuits and damages against a wider range of entities, taking a more impactful approach to the private right of action. On the other hand, ADPPA's private right of action is more limited in scope and potential impact, reflecting a compromise aimed at reducing excessive litigation risks for businesses.

Where the two bills currently stand

As of June 2024, neither ADPPA nor APRA has been passed into law.

ADPPA was approved by the House Committee on Energy and Commerce in 2022 but has failed to advance to the House or Senate for a full vote, primarily due to the California delegation’s issue with its preemption provision.

A draft of APRA was introduced in April 2024 by the Senate Commerce Committee Chair and House Energy and Commerce Committee Chair. It's seen as a potential successor to the ADPPA and is currently under consideration.

Both bills aim to establish a federal framework for data privacy protections in the US. They share some similarities but also have key differences, such as the scope of coverage and the level of protection afforded to minors. APRA builds upon past congressional efforts and incorporates elements from ADPPA.

Resolving competing interests

As ADPPA and APRA continue to navigate the legislative process, stakeholders from various sectors have been actively engaged in shaping the outcome. Consumer advocacy groups, privacy experts, and civil liberties organizations have been vocal in their support for stronger privacy protections. In contrast, businesses and industry groups have advocated for a balance that allows for innovation and growth.

Due to the state data privacy law landscape, companies face a costly future. Many states have already passed their own privacy laws that differ from those of other states. A critical provision of all state data privacy laws (so far) is the concept of an extra-jurisdictional or long-arm application of the law.

Both terms mean "application outside the jurisdiction" and convey that the data privacy law reaches beyond the state's borders: an organization located in any other state that collects the personally identifiable information of that state's residents falls within the law's reach.

Due to this extensive new regulatory liability, businesses now face an increasingly complex data privacy regulatory environment.

Finding common ground between these competing interests has proven challenging so far. The urgency of addressing data privacy concerns has only increased as high-profile data breaches and privacy scandals continue to make headlines. ADPPA and APRA represent significant efforts to tackle this complex issue, but their differences highlight the ongoing debate about the appropriate balance between consumer protection and business interests.

Ultimately, the success of any federal privacy law will depend on its ability to address the concerns of all stakeholders while providing a clear and consistent framework for data privacy and security. As the legislative process continues, whether ADPPA, APRA, or a separate compromise bill will emerge as the foundation for a comprehensive federal privacy law in the United States remains to be seen. Until then, businesses must stay informed about the evolving data privacy law landscape.

As the political debate surrounding data privacy, ADPPA and APRA continues, it has become evident that finding a legislative solution satisfying all stakeholders will require compromise and adaptation to emerging trends in data privacy.

Compromise is needed in data privacy legislation

One possible compromise could involve the preemption clause in ADPPA. Although a consistent national standard is attractive for businesses that operate across state lines, there might be an opportunity for a mixed approach that allows certain aspects of state laws to exist alongside the federal framework. This could mean allowing stronger state laws to continue in specific areas, such as biometric data privacy or data breach notification requirements.

Another possible compromise could involve the private right of action in APRA. Consumer advocates support this provision as it empowers individuals. Still, businesses may prefer a limited private right of action that applies only to specific types of violations or data rather than a broad private enforcement mechanism.

As the legislative process progresses, policymakers must also stay aware of emerging trends and technologies that may impact data privacy considerations. For example, the growing use of artificial intelligence and machine learning in data analysis and decision-making processes raises questions about the ethical use of personal data and the need for algorithmic transparency.

Beyond the specific regulations of the ADPPA and APRA, a wider discussion is developing about the importance of data privacy in the digital economy. As more areas of our lives become connected to digital technologies, there is an increasing acknowledgment that data is an asset that should be handled with responsibility and ethics.

Some experts have suggested moving towards a "data rights" paradigm, in which individuals would have more control and say over their personal information, akin to property rights. This might include ways for individuals to profit from their data or to share in the economic advantages resulting from its use.

Effects on information management and archiving

The proliferation of new (differing) state data privacy laws across the United States will significantly impact how organizations manage and govern their information. Some of the key ways these state laws will affect corporate information management practices include:

  • Data mapping and inventory: Companies must carefully map and inventory the personal data they collect, process and store to understand their obligations under various state laws. This includes identifying what data qualifies as personal information, where it is located, how it moves and who can access it.
  • Data governance frameworks: Robust data governance frameworks will become essential to ensure compliance with varying state requirements concerning data collection, use, retention, security and consumer rights such as access, deletion and opt-outs. Companies must establish policies, processes, and controls aligned with each state law or wait for a preempting federal law to be passed.
  • Consumer rights management: With many states granting expanded consumer rights, corporations will need mechanisms to efficiently handle data subject access requests related to data access, portability, deletion, opt-outs from sales/sharing and other privacy rights across different jurisdictions.
  • Data security enhancements: Most state laws require companies to implement reasonable data security practices corresponding to the risks. This may involve enhancing security controls, conducting risk assessments, designating data protection officers and implementing processes like data protection impact assessments.
  • Third-party risk management: Companies must closely evaluate and monitor data sharing/processing with third parties to ensure compliance with state laws.
  • Recordkeeping and documentation: State laws often require detailed recordkeeping and documentation related to data processing activities, consumer requests, risk assessments and data protection impact assessments to demonstrate compliance.
  • Employee training: Because privacy requirements vary across states, comprehensive employee training on data handling, consumer rights, incident response and compliance processes is essential.
  • Regulatory reporting and breach notifications: Different state laws have varying data breach notification requirements. Corporations need streamlined processes to assess incidents and notify regulators and consumers within mandated timeframes across jurisdictions.
  • Internal investments: Corporations will likely invest in privacy management technology, automation tools and skilled personnel to implement compliance across various state privacy regulations efficiently.

Considering the varied state data privacy laws, corporations must adopt a centralized and rigorous approach to data governance. This approach should encompass consistent practices, documentation, and controls while still accommodating the specific requirements of each state in which they operate.

ADPPA and APRA are significant efforts to establish a comprehensive federal privacy law in the United States. However, their differences highlight the ongoing challenges of balancing consumer protection and business interests in the digital age.

As the legislative process continues, stakeholders from various sectors will need to engage in constructive dialogue and seek areas of compromise. Although finding a perfect solution that satisfies all parties may be elusive, the urgency of addressing data privacy concerns and providing a clear regulatory framework cannot be overstated.

Ultimately, the success of any federal data privacy law will depend not only on its specific provisions but also on its ability to adapt to emerging technologies and evolving societal attitudes toward data privacy. By recognizing the cultural changes, policymakers can create a foundation for responsible data stewardship that fosters data subject trust and innovation while protecting individual rights and upholding democratic values.
