A bipartisan group of federal lawmakers just unveiled a sweeping proposal to pass the nation’s first data privacy law and hand a significant amount of power to consumers, one that would bring about a massive change in the way that businesses treat customer data. While it would create a consistent framework across the country and eliminate the confusing patchwork of state laws that businesses now have to navigate, it would also expose more businesses to potential litigation and increase compliance obligations for tens of thousands of organizations. What are the 10 things you need to know about the proposal released this past weekend?
- Bipartisan proposal stands a chance of survival.
The proposal to pass the American Privacy Rights Act (APRA) is a bipartisan measure floated by Senate Commerce Committee Chair Maria Cantwell (D-Wash.) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.). Unlike past proposals, this one seems to have initial momentum due to leadership from both parties weighing in. It still will face an uphill battle due to the fractured nature of Congress and election year distractions – but it does at least stand a chance of passing in 2024. - The proposal could mean the end of the CCPA as we know it and other state data privacy laws.
In its current form, the APRA would seemingly destroy most state data privacy laws, including much of California’s landmark CCPA. While it would allow state laws that regulate certain kinds of data (such as financial, health, or employee data), these carve-outs would be few and far between. As you could imagine, the proposal has been met with a frosty reception by many California lawmakers who don’t want to see their sweeping law largely cast into the dustbin. This dynamic could be enough to kill the APRA proposal – more on this later. - Silver lining for employers: no additional workplace obligations.
Despite the many challenges businesses will face if the APRA is enacted, the one piece of good news you can celebrate is that you will not see your workplace obligations increase. As opposed to the broadest of state privacy laws (such as the CCPA), the law will not apply to data employers collect about their workers. There is an open question, however, as to whether California’s CCPA employment obligations would survive the APRA – stay tuned for more on this dynamic as the proposal progresses through Congress. - Consumers would have much more power over their data.
Turning to the proposal itself, the APRA would require businesses to give consumers the right to access, delete, correct, and transport their data between digital services. Consumers would also have the ability to block businesses from transferring or selling their data. Businesses would need to obtain affirmative express consent before they transfer sensitive data to a third party. - Businesses would need to provide opt-out rights to consumers.
Another key component of the APRA would be a provision giving users the right to opt out of certain data practices, including targeted advertising — ads sent to people based on their personal data. - Proposed law would create limitations on data gathering practices.
Next, businesses would be able to gather, retain, and use only as much information as they need in order to offer specific products and services to consumers under the proposed law. That would be a big shift from the current system that requires consumers to scroll through privacy agreements and respond to website pop-ups asking for data use and tracking permission. Further, companies that buy and sell personal data would have to register with the Federal Trade Commission (FTC). - Proposed law will create anti-discrimination and other protections.
The APRA would prohibit businesses from using data they collect to discriminate against protected classes (such as race, gender, national origin, etc.). It would also allow consumers to opt out of a businesses’ use of algorithms to make decisions about housing, employment, healthcare, credit opportunities, education, insurance, or access to places of public accommodation. - Businesses will need to beef up their data protection practices.
Companies would also need to take affirmative steps to bolster their data privacy practices. First, they would need to appoint executive officers to their leadership teams deemed responsible for ensuring APRA compliance within the organization. They would also need to implement strong data security standards to prevent data from being hacked or stolen. - Small businesses would be excluded from coverage.
Companies with under $40 million in annual gross revenue would be exempt from the proposed law. But companies with more than $250 million would face heightened obligations – such as the need to conduct regular privacy reviews. - Expect to see a flood of new litigation.
Perhaps most troubling for businesses, people would have the power to file lawsuits against businesses that violate the law – and collect civil damages if they prevail. This would be a big change, as many state laws only allow for state officials to take action against alleged violations. Significantly, the law would also prevent arbitration agreements from being used to push many APRA disputes into arbitration settings. Among those excluded from arbitration: those with at least $10,000 in alleged damages, physical or mental injuries that require medical treatment, highly offensive intrusions into privacy, or alleged discrimination based on race, religion, or other protected classes. You can expect to see a cottage industry of plaintiffs’ attorneys spring up to file lawsuits for privacy rights violations if the law is passed in its current form. The proposed law would be regulated by a yet-to-be-developed bureau within the FTC, removing some power from the Federal Communications Commission.
What’s Next?
- There’s no need to panic – quite yet. After all, it is currently just a “discussion draft” that will allow the two committee chairs to gather feedback from their colleagues and third parties before it is formally introduced as a bill. And the proposal will face myriad obstacles.
- For example, as noted above, California lawmakers may fight against it to retain their state’s own powerful law. You can also expect business advocacy organizations to fight against the proposal for going too far. And as earlier described, Congress may be too fractured and distracted by election year developments to pass such meaningful legislation.
- It also faces time pressure. Representative McMorris Rodgers plans on leaving Congress in January 2025, giving the APRA a small window of time to get pushed through with current leadership.
- That being said, we expect to see a formal bill introduced in the coming weeks. While some provisions may be reworked before introduction – for example, several lawmakers have already called for stronger protections for children – the final version will most likely appear very similar to the current proposal.
- One final warning: the time to comply with the proposed law would come rather soon if it is passed. As opposed to prior iterations of federal data privacy proposals, the APRA would take effect just six months after passage.
What Should You Do?
While this is the most significant development in the privacy rights arena in quite some time, there are no immediate steps for you to take other than to monitor the situation for more details as they evolve. You may also want to participate in advocacy efforts with your local business advocacy groups or industry-specific associations given the need for feedback about the practical impact of this proposal.
Conclusion
We will continue to monitor these developments and provide the most up-to-date information directly to your inbox, so make sure you are subscribed to Fisher Phillips’ Insight System. If you have questions, contact your Fisher Phillips attorney, the authors of this Insight, or any attorney in our Privacy and Cyber Group or Government Relations Team.
About the authors:
Risa Boerner is a partner in the Philadelphia office. She is the Chair of the firm’s Privacy and Cyber Practice Group. Risa is a Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Manager (CIPM) and has counseled clients on issues relating to state and federal data protection laws, responding to security breaches, surveillance of employees’ electronic communications, workplace investigations and searches, social media and electronic communication policies, and the protection of trade secrets and confidential information.
Risa also regularly litigates and counsels clients on issues pertaining to the hiring and termination of employees, compliance with employment discrimination laws, negotiating and drafting employment agreements, covenants not to compete, confidentiality agreements, employee raiding, unfair competition, and related matters.
Benjamin M. Ebbink is a partner in the Sacramento and Washington D.C. offices and Co-Chair of the Government Relations Practice Group.
With over two decades of experience in the intersection between labor and employment law and public policy, he focuses on legislation and regulations enacted at the federal, state and local levels. Benjamin assists employers with navigating evolving legislative and regulatory landscapes in a variety of areas. He is also a member of the firm’s Artificial Intelligence Team, where he monitors he rapidly-developing regulation of artificial intelligence at the federal and state level.
Rick Grimaldi is the author of FLEX: A Leader’s Guide to Staying Nimble and Mastering Transformative Change in the Workplace. Based on his thirty years of working with employers large and small, Rick’s influential work provides a blueprint for all employers to understand and navigate the incredible changes occurring in the workplace that impact everything from hiring to terminations, and all the issues that occur in between. By combining his labor relations skills, negotiating acumen, and employment counseling experience on behalf of his clients, Rick actively builds strong partnerships as both a legal counselor and trusted business advisor. Rick partners with his clients to help achieve their workplace goals by combining sound practical strategic advice with an understanding that business decisions are never made in a vacuum.
Usama Kahf is a partner in Fisher Phillips’ Irvine office, a Certified Information Privacy Professional (CIPP/US), and co-chair of the Privacy and Cyber Practice Group. His primary areas of practice are (1) workplace privacy and data security, (2) employee defections, unfair competition, trade secret theft, and corporate espionage, and (3) artificial intelligence.
As co-leader of the firm’s Consumer Privacy Team, Usama advises clients on compliance with state consumer privacy laws, including the California Consumer Privacy Act (CCPA), and the California Invasion of Privacy Act. He regularly conducts trainings and publishes articles relating to consumer and employee privacy and data security.
Leave a Reply