APRA: Will the U.S. get its own version of GDPR?


A draft of the American Privacy Rights Act (APRA) was unveiled in Congress on April 7, 2024, aiming to offer broad privacy protections to everyone in the U.S. This bipartisan, bicameral effort is the second major attempt at creating a comprehensive federal privacy law in the U.S., following the American Data Privacy and Protection Act (ADPPA) of 2022, which stalled. In scope it resembles the European Union's General Data Protection Regulation (GDPR), the best-known example of a comprehensive data privacy law. Here's what you need to know about it.

What are the goals of APRA?

More than a dozen states in the U.S. have their own comprehensive data privacy laws, with varying requirements, while other states have none. On a federal level, there are a handful of laws that protect people's privacy in specific situations (such as health or financial data), but there is no comprehensive privacy law that applies protections to everyone. Not only does this landscape leave large swaths of the population unprotected, but its complexity makes it harder for businesses to stay compliant.

APRA would preempt most state privacy laws, though it carves out exceptions in which states could keep or add certain requirements. It represents a significant step towards a comprehensive federal privacy law in the U.S., aimed at giving all consumers more control over their personal data while simplifying compliance for businesses.

What are the key protections of APRA?

Consumer rights. The act grants consumers several rights concerning their personal data:

  • Right to access: Consumers can access their data and know which third parties it has been shared with.
  • Right to correct: Consumers can correct inaccurate or incomplete data.
  • Right to delete: Consumers can request the deletion of their data.
  • Right to data portability: Consumers can export their data to another service provider.
  • Right to opt out: Consumers can opt out of data transfers, targeted advertising, and the use of algorithms to make consequential decisions about them.

Data minimization. APRA mandates that companies only collect, process, and retain data necessary for providing services or for specific purposes outlined in the act. This includes strict rules on handling sensitive data like health information, biometric data, and precise geolocation information.

Transparency requirements. Companies must maintain clear and accessible privacy policies detailing their data practices. Large data holders have additional transparency obligations, including publishing previous versions of their privacy policies and metrics regarding consumer rights requests.

Data security. The act requires companies to implement reasonable data security practices to protect consumer data. This includes regular vulnerability assessments, incident response plans, and designating privacy and data security officers.

Enforcement mechanisms. APRA provides robust enforcement mechanisms, including a private right of action allowing individuals to sue for violations. It also empowers state attorneys general and the Federal Trade Commission (FTC) to enforce its provisions.

Civil rights protections. The act prohibits discriminatory use of personal data and requires companies to perform annual reviews of algorithms to ensure they do not harm or discriminate against individuals.

Does anyone oppose APRA?

There are criticisms of certain parts of APRA.

  • Lack of comprehensive preemption. Some critics, including the U.S. Chamber of Commerce, argue that APRA fails to establish a single, national privacy standard. Instead, it allows states to impose additional requirements, leading to continued regulatory complexity and higher compliance costs for businesses.
  • Private right of action. The inclusion of a private right of action in APRA is another contentious point. Critics believe this provision could lead to an increase in frivolous lawsuits, particularly harming small businesses. 
  • Exemptions and loopholes. Some privacy advocates are concerned about certain exemptions in the APRA, such as those for government contractors and de-identified data. 
  • Innovation and data use limitations. Not surprisingly, some criticism comes from the business and tech sectors, which argue that data minimization and opt-out requirements might stifle innovation. 
  • Loss of California's CCPA. The California Privacy Protection Agency opposes APRA. The state's own California Consumer Privacy Act (CCPA) is widely regarded as the strongest privacy law in the country and would largely be replaced by APRA, which the agency sees as a weaker law.

What has to happen now?

APRA is only in the very early stages of the legislative process on its way to becoming law. It will likely undergo modifications before being brought to the House and Senate for voting. This process could take years.

Vanessa is an editor of the blog.