Some 18 months on from the failed American Data Privacy and Protection Act (ADPPA), there is another proposed federal privacy law. House and Senate committee leads released a new proposal for the bipartisan American Privacy Records Act (APRA) on April 7. There is a lot of discussion around this bill, which is subject to change and not certain to become law. Below are a few initial observations on the bill:

  1. The APRA would contain broad preemption rights, which are stronger than those under the ADPPA and would seemingly preempt the more than dozen comprehensive state privacy laws that have been passed in recent years. The California Privacy Protection Agency (CPPA) has stated that “Americans shouldn’t have to settle for a federal privacy law that limits states’ ability to advance strong protections in response to rapid changes in technology and emerging threats in policy…”
  2. The APRA would exclude human resources (HR) data. Therefore, not only would the APRA not cover HR data, but it would also not preempt state laws (i.e., the CCPA) that do cover HR data. In other words, CCPA would become an HR data privacy law only.
  3. The wording of the proposed law is currently unclear, but small businesses appear to be excluded. Small businesses are defined as any business with revenue less than $40 million, with data on fewer than 200,000 data subjects, and that does not “transfer” covered data “in exchange for revenue or anything of value.” It is unclear whether the third factor includes ad tech. If it does not, a lot of companies would qualify as small businesses and would thus be out of the APRA’s scope.
  4. The APRA would provide for a private right of action. As currently drafted, this right could be read broadly to apply to violations of most privacy provisions. This is a departure from most state privacy laws, which do not permit a private litigant to sue except in cases of data security breach in California under the CCPA and violations of the Washington My Health My Data Act. In addition, the APRA would prohibit the use of pre-dispute arbitration clauses for violations that resulted in substantial privacy harm. While the APRA does not provide for statutory damages, the likely effect of both these provisions would be a substantial increase in litigation.