Overview

The American Privacy Rights Act (APRA) of 2024 is proposed legislation introduced in the United States of America by Cathy McMorris Rodgers, Chair of the House Committee on Energy and Commerce (R-WA), and Maria Cantwell, Chair of the Senate Committee on Commerce, Science, and Transportation (D-WA). This draft legislation aims to safeguard data privacy for US persons by replacing fragmented state-level privacy laws with a comprehensive national data privacy law.

The act empowers U.S. persons by granting them comprehensive control over their personal data. It mandates that covered entities allow U.S. persons to manage, correct, delete, and restrict the sale or transfer of their personal data. Notably, the APRA categorises entities with over $3 billion in global revenue and 300 million monthly active users as “high-impact social media companies”, highlighting the need for oversight of these platforms (Khattar, 2024). It also mandates data minimization and collection limitation, and enhances protections for sensitive information (Khattar, 2024). Additionally, the legislation allows for legal actions against privacy violations and enables individuals to opt out of targeted advertising (Khattar, 2024).

Global Relevance

Historically, the U.S. has addressed data protection and privacy by preventing specific harms in targeted sectors rather than adopting a comprehensive data protection and privacy law (Bellamy, 2023). In contrast, the European Union’s General Data Protection Regulation (GDPR) takes a “rights-based approach” (Bellamy, 2023), in which individuals own their personal data and, consequently, exercise control over it. This approach has inspired many U.S. states, including California, Connecticut, Virginia, Colorado, and Utah, to either enact or consider GDPR-influenced legislation, signalling a philosophical shift in the U.S. approach to data protection and privacy regulation (Bellamy, 2023). In this evolving context, the APRA, which has garnered bipartisan support, emerges as a significant piece of draft legislation (Khattar, 2024). The APRA reflects this shift at the federal level in the U.S. It also provides a useful point of comparison with other international privacy laws, such as India’s Digital Personal Data Protection Act, 2023 (DPDP).

Brief Comparison with the Indian data protection law

Both the APRA and India’s DPDP Act emphasise the importance of consumer consent, data minimisation, and the right of individuals to manage their personal data. These acts also demand transparency from data fiduciaries or controllers regarding their data processing activities.

However, there are notable differences.

  • Broader Scope: The APRA broadens the definition of sensitive data to include details about an individual’s online activities across various websites or services, especially those operated by high-impact social media companies (Senate and House of Representatives of the United States of America in Congress, 2024).
  • Enforcement Entities: The APRA establishes a specific bureau within the Federal Trade Commission to enforce its provisions, in contrast to India’s Data Protection Board, which is part of the Ministry of Electronics and Information Technology (Government of India, 2023) (Senate and House of Representatives of the United States of America in Congress, 2024).
  • Exemptions: The APRA explicitly exempts federal, state, tribal, territorial, or local government entities, service providers to these entities, and small businesses with annual revenues under $40 million from certain regulations (Senate and House of Representatives of the United States of America in Congress, 2024). The DPDP Act, by contrast, gives the Central Government the right to exempt any entity of the state in the interest of “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these” (Government of India, 2023).

References

  1. Bellamy, F. D. (2023, January 12). U.S. data privacy laws to enter new era in 2023. Reuters. https://www.reuters.com/legal/legalindustry/us-data-privacy-laws-enter-new-era-2023-2023-01-12/ 
  2. Government of India. (2023). The Digital Personal Data Protection Act, 2023.
  3. Khattar, P. (2024, April 9). The American Privacy Rights Act of 2024 Explained: What Does the Proposed Legislation Say, and What Will it Do? | TechPolicy.Press. Tech Policy Press. Retrieved April 22, 2024, from https://www.techpolicy.press/the-american-privacy-rights-act-of-2024-explained-what-does-the-proposed-legislation-say-and-what-will-it-do/ 
  4. Senate and House of Representatives of the United States of America in Congress. (2024). American Privacy Rights Act [Draft Legislation].

Banner image source: DALL-E