The American Privacy Rights Act (APRA): Analysis and Compliance Obligations

April 9, 2024

A draft of the American Privacy Rights Act of 2024, a US federal privacy bill, landed this week; it reportedly has support in both the House and Senate from Democrats and Republicans.

This important piece of proposed legislation could create a new era in US privacy law, notably because it is set to preempt the privacy laws of all 15 states that have enacted them: California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey and New Hampshire.

Which Companies are Required to Comply with APRA?

The American Privacy Rights Act would apply to any company, whether or not based in the US, that acts as a “controller” of data processing, with exceptions for government, banks and small businesses. The small business exception does not follow the usual US Small Business Administration (SBA) definition of an independent business having fewer than 500 employees. That definition includes more than 99% of US businesses, and nearly half of all US employees.

Large Enterprises Versus Small Businesses

Instead, the APRA defines a small business as one with $40 million or less in average annual revenue over the three prior years, if it processes covered data of 200,000 or fewer individuals (excluding processing of one-off transaction data such as credit card data, if it is deleted within 90 days). In addition, to qualify as a small business, the business must also not have transferred covered data for money or any other source of value. This last point may be a trap for the unwary, or at least an area where regulatory guidance is needed. Imagine the many advertising technology companies that offer free services to their business clients in exchange for the businesses providing a stream of data about the visitors to the websites and apps the business provides. Would the “free” service be considered paid for in data? Also, while collecting data of 200,000 individuals may seem like a high bar, consider that an IP address is covered data: accumulating 200,000 IP addresses over time in log files may occur sooner or later.

However, these standards are still more business friendly than the California CCPA/CPRA, which is pegged to gross annual revenue in excess of $25 million or transacting in personal information of 100,000 or more California residents or households.

It is not only small businesses that will have no obligations under the American Privacy Rights Act or APRA. The APRA also does not regulate “service providers” (akin to “processors” under the GDPR) that do not determine the purpose of data collection and processing, but rather are hired by a business entity that is covered by APRA. Service providers, as under CCPA, are obligated to follow the instructions of covered businesses regarding data.

The APRA applies to “covered data,” which largely tracks the most common definition of personally identifiable information found in global privacy laws, including GDPR. It means information that identifies or is relatable to an individual or device. Note this definition does not pick up the CCPA’s definition that also includes “household” data. And it excludes anonymous data, employee data (which came into scope under CCPA only recently), public information, in addition to inferences made based exclusively on public information.

Additional Requirements for Social Media Companies

Special rules apply to social media companies, defined as companies with a primary audience of individual end users consuming user-generated content (UGC) that have both $3 billion in global annual revenue and 300 million monthly active users (MAU). 

What are the APRA requirements?

Transparency and consumer control over data are foundational principles of the APRA. These principles parallel those first espoused by the Digital Advertising Alliance (DAA) in 2010 as the self-regulatory guidelines of “notice and choice” for interest-based ads, in response to a 2009 Federal Trade Commission (FTC) investigation into internet advertising platforms. Self-regulation, it seems, is no longer sufficient to ensure adequate consumer data privacy.

Transparency under APRA refers to the obligation of covered entities and service providers to provide sufficiently detailed privacy policies. This is consistent with current California law (e.g., requirement to detail the categories of data collected, and categories of service provider and third party transferees) and also largely consistent with national law under current FTC expectations for appropriate disclosure. Interestingly, any data brokers who will receive the data must be explicitly named. 

Businesses must also provide advance notice of privacy policy changes, and a means of allowing consumers to opt out of any new uses of data proposed under the new privacy policy as it pertains to data collected under the old policy. The latter change is likely to be a significant burden for product managers and software engineers, who may effectively be required to fork their products and provide old versions of them for consumers who opt out of new means of data processing. This underscores the need to get a privacy policy right the first time.

Consumer Rights Under the APRA

In terms of control or choice, businesses covered by the APRA must provide consumers with the following data privacy rights, all of which exist in other data protection laws including CCPA/CPRA and GDPR:

  • Access the covered data and obtain the names of all third parties and service providers it was transferred to, and for what purpose
  • Correct inaccurate or incomplete data
  • Delete the covered data of an individual
  • Obtain an export of covered data pertaining to an individual in both human-readable and machine-readable formats (query whether a carefully constructed JSON blob or CSV file fulfills both requirements)

A handful of exceptions apply, including if the request is not about the individual making the request (although there is a provision for an authorized agent to make the request on a consumer’s behalf), where it is impossible to comply with the request (e.g., the data was deleted per a retention policy), or if it would require revealing trade secrets.

APRA covered businesses generally have 30 days to comply with consumer requests, with larger data brokers being required to act in as little as 15 days. 

Preferred Method of Contact to Satisfy APRA Requirements Is a Webform

The APRA webform solution we offer can be embedded inside any website or hosted by us. Your consumer will be able to communicate their request via this webform. The privacy request will then show in your dashboard. Alerts will notify you when a new privacy request has been received. And other alerts will notify you when the deadline is approaching.