Privacy Bill Faceoff: Comparing the APRA and ADPPA

April 10, 2024

The federal privacy debate unexpectedly came out of hibernation on April 5, 2024 when Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA) released a discussion draft of their bipartisan, bicameral privacy bill, the American Privacy Rights Act (APRA). The bill is the first major attempt to reach a compromise on comprehensive federal data privacy legislation since the American Data Privacy and Protection Act (ADPPA), introduced by Reps. Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA) and Sen. Roger Wicker (R-MS) in 2022.

After making more progress than any privacy bill before it, the ADPPA lost steam due to opposition from Californian lawmakers, who compared the bill unfavorably to the much stricter California Consumer Privacy Act (CCPA), and Sen. Cantwell, who advocated for a stronger private right of action. With Sen. Cantwell as a cosponsor and language borrowed from the CCPA, the APRA may stand a better chance of advancing, though it will likely face Republican opposition as a result of those very same changes.

The APRA and ADPPA share many similarities, especially compared to previous attempts at federal privacy legislation. Both would give consumers the right to access, port, rectify, and delete their personal data. Both require affirmative or opt-in consent for the collection and transfer of sensitive data—including biometric and genetic information, in the APRA, and teenagers’ data, in the ADPPA—and allow consumers to opt out of the collection and transfer of non-sensitive data. This reflects a compromise between the privacy rights of consumers and the benefits of data collection for innovation.

The APRA and ADPPA both give the Federal Trade Commission (FTC) the authority to establish a centralized opt-out mechanism that would allow individuals to opt out of all covered data transfers. This type of universal opt-out would likely encourage consumers to broadly restrict data sharing without considering the societal implications of their decision or the more granular controls offered to them by different organizations.

Both the APRA and ADPPA include data minimization requirements, which require organizations to collect no more data than is necessary to meet specific needs. These requirements are popular in privacy legislation, even though they limit innovation by reducing access to data, limiting data sharing, and constraining the use of data. Other obligations data holders would have to abide by under the APRA or ADPPA include hiring and retaining data privacy and security officers and conducting privacy audits. “Large data holders” face additional requirements, such as conducting privacy impact assessments.

The APRA defines large data holders as those with an annual gross revenue of at least $250 million that process the data of over 5 million individuals, 15 million mobile connected devices, or 35 million connected devices or the sensitive data of over 200,000 individuals, 300,000 mobile connected devices, or 700,000 connected devices. The ADPPA’s definition is only slightly narrower, encompassing data holders with an annual gross revenue of at least $250 million that process the data of over 5 million individuals or the sensitive data of over 200,000 individuals.

Neither the APRA nor the ADPPA takes a “duty of care” approach to privacy, exemplified by Sen. Brian Schatz’s (D-HI) Data Care Act introduced in 2021, which would have required data holders to take “reasonable” steps to secure data from unauthorized access. That bill also included a duty of confidentiality limiting the ways in which data holders can disclose or sell individual identifying data, and a duty of loyalty, which restricted or prohibited certain data practices. The ADPPA has a narrow duty of loyalty, but the APRA does not use this language.

Other similarities between the APRA and ADPPA include civil rights protections for consumers and transparency and data security requirements for data holders. Notably, one of these transparency requirements is a requirement to disclose whether any covered data is transferred to or stored in certain countries, including foreign adversaries, a provision that is especially relevant given the current discourse surrounding TikTok and China.

Neither bill includes new data breach notification requirements for data holders, relying instead on a hodgepodge of existing requirements at the state and federal level. Finally, both bills prohibit online services from retaliating against users for exercising their privacy rights by denying them service, charging different prices or rates, or providing a different level of quality. This prohibition could create a freeloader problem wherein users still reap the benefits of data sharing even if they have opted out of their data being shared.

The two most controversial issue areas related to federal privacy legislation, and the issue areas most likely to stymie attempts to pass such legislation, are preemption of state laws and a private right of action. Currently, 15 states have their own comprehensive data privacy laws. These laws impose significant compliance costs, not only on businesses in those states but also on businesses in other states with consumers in those states. ITIF found in 2022 that the cost of these multiple, duplicative rules could exceed $1 trillion over a 10-year period if all 50 states passed their own privacy laws.

In order to keep compliance costs and confusion low and ensure all Americans have equal protection, federal privacy legislation should preempt state laws and set a single national standard. The ADPPA would have preempted state privacy laws except for a long list of excluded laws and topics, including part of the CPRA, Illinois’ Biometric Information Privacy Act (BIPA), and broad topics such as facial recognition, non-consensual pornography, data breach notification, and more. This fundamentally undermines the purpose of state preemption, and the special carve-outs for California and Illinois give these states an unfair advantage over the many others that have passed privacy legislation.

Unfortunately, the APRA has similar problems. It would also preempt state privacy laws…except for a different long list of excluded topics, including consumer protection, civil rights, privacy rights for employees and students, data breach notification, non-consensual pornography, financial or health information, and more. The APRA also includes provisions from the CPRA and BIPA as a compromise, though once again, many other states that have passed privacy legislation did not receive the same treatment.

The ADPPA’s private right of action was very limited. In addition to giving enforcement powers to the FTC and state attorneys general, the ADPPA would have allowed individuals to bring civil actions seeking compensatory relief or injunctive relief against data holders starting four years after the law went into effect. To limit duplicative enforcement, individuals would have to first notify their state attorney general and the FTC of their intent to bring suit, and if one of those agencies initiated an action, individuals could not file their own lawsuit. The bill would also establish a limited opportunity to cure, whereby if a data holder successfully addresses an alleged problem within 45 days, they could seek dismissal of a demand for injunctive relief.

Though this attempt at compromise is better than a broad, unrestricted private right of action, which would cost the U.S. economy billions per year, it still leaves the door open for expensive, frivolous lawsuits. Worse, since individuals could only proceed with lawsuits that neither the FTC nor their state attorney general decides to pursue, these individual lawsuits would likely be meritless.

By comparison, the APRA’s private right of action is broader, though still restricted in some important ways. Like the ADPPA, the APRA gives enforcement power to the FTC and state attorneys general, as well as state consumer protection officers. Individuals may bring suit against data holders for violating certain provisions of the APRA, and if their suit is successful, the court may award injunctive and declaratory relief, as well as the sum of any actual damages and reasonable attorney’s fees and litigation costs. The APRA gives data holders a 30-day opportunity to cure, except when individuals are filing an action for injunctive relief as a result of substantial privacy harm. The APRA also invalidates any pre-dispute arbitration agreements for claims involving substantial privacy harm or minors. Finally, the APRA’s private right of action includes a carve-out for BIPA violations, which have led to multiple multimillion-dollar lawsuits as the Illinois courts have ruled in favor of plaintiffs in most class action suits.

Recent history has demonstrated that any federal privacy bill faces an uphill battle toward becoming law. However, the vast similarities between the APRA and ADPPA are cause for cautious optimism. Although a few particularly controversial issues remain unresolved, lawmakers have reached effective compromises on many key privacy-related issues. Congress should use the APRA discussion draft as an opportunity to refocus its efforts and make privacy a top priority for the remainder of 2024.

Table 1: Comparing APRA to ADPPA

| Provisions                            | American Privacy Rights Act (2024)          | American Data Privacy and Protection Act (2022) |
|---------------------------------------|---------------------------------------------|-------------------------------------------------|
| CONSUMER RIGHTS                       |                                             |                                                 |
| Data access                           | Yes                                         | Yes                                             |
| Data portability                      | Yes                                         | Yes                                             |
| Data rectification                    | Yes                                         | Yes                                             |
| Data deletion                         | Yes                                         | Yes                                             |
| CONSENT REQUIREMENTS                  |                                             |                                                 |
| Opt-In                                | Sensitive data, biometric and genetic data  | Sensitive data, teenagers’ data                 |
| Opt-Out                               | Non-sensitive data                          | Non-sensitive data                              |
| Centralized opt-out mechanism         | Yes                                         | Yes                                             |
| DATA HOLDER OBLIGATIONS               |                                             |                                                 |
| Duty of care                          | No                                          | No                                              |
| Duty of loyalty                       | No                                          | Narrow                                          |
| Duty of confidentiality               | No                                          | No                                              |
| Data minimization                     | Yes                                         | Yes                                             |
| Privacy & security officers           | Yes                                         | Yes                                             |
| Privacy audits                        | Yes                                         | Yes                                             |
| Impact assessments                    | Yes                                         | Yes                                             |
| ENFORCEMENT                           |                                             |                                                 |
| FTC                                   | Yes                                         | Yes                                             |
| State AGs                             | Yes                                         | Yes                                             |
| State consumer protection officials   | Yes                                         | No                                              |
| Private right of action               | Limited                                     | Limited                                         |
| OTHER PROVISIONS                      |                                             |                                                 |
| Civil rights protections              | Yes                                         | Yes                                             |
| Data breach notification              | No                                          | No                                              |
| Transparency requirements             | Yes                                         | Yes                                             |
| Data security requirements            | Yes                                         | Yes                                             |
| Size-based requirements               | Yes                                         | Yes                                             |
| State preemption                      | Some                                        | Some                                            |