Light Dark
May 1, 2024 By Jennifer Gregory 3 min read
News

After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations.

With the American Privacy Rights Act of 2024, the U.S. government established the first national privacy policy establishing national consumer data privacy rights and also set standards for data security. Specific entities are excluded from the legislation, including small businesses, governments, entities working on behalf of governments and the National Center for Missing and Exploited Children (NCMEC). Fraud nonprofits are only required to follow the data security standards. As part of the Act, the Federal Trade Commission (FTC) will establish a new bureau to enforce violations, which will be treated as an unfair or deceptive practice under the FTC Act.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) in the press release. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”

APRA replaces disparate state laws

One of the key parts of the Act is that it replaces the current disparate state privacy laws, referred to as preemption. Because companies had to follow the laws in the state in which the customer resided, it was challenging to ensure compliance with different laws in many states.

However, states can still pass their own privacy laws in some instances, such as civil rights and consumer protections. When crafting the APRA, lawmakers preserved standards from key states, such as California, Illinois and Washington.

The 140-page draft APRA details specific standards and processes regarding data privacy. Here are five key parts of the new bill.

1. Individuals harmed by data breaches can sue corporations

Lawmakers used the language from the California Consumer Privacy Rights Act (CCPA) that gave individuals harmed by a data breach the power to sue corporations. From the lawsuit, consumers can recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs. California residents can also receive statutory damages based on the CCPA.

2. Companies are limited in the type of data they can collect and use

Organizations will be required to have a privacy policy that details data collection processes and how consumers can opt-out. The Act also restricts the collection and transfer of specific types of data, such as biometric or genetic information, without the individual’s affirmative express consent unless expressly allowed by a stated permitted purpose.

3. Americans gain greater control of their data

The APRA gives Americans the ability to stop companies and data brokers from transferring or selling their data. Consumers can also opt out of targeted advertising. Additionally, the Act requires consent from the consumer for companies to transfer sensitive data to a third party.

4. A national registry of data brokers will be created

As part of the legislation, the FTC will maintain a data broker registry. All data brokers will also need to keep a public website that identifies themselves as a data broker. Consumers, including individuals with disabilities, must be able to control data and opt-out from collection on the website using a “do not collect” mechanism.

5. Companies must designate a privacy or data security officer

While most companies can appoint either a privacy or data officer, large data holders must designate both along with following additional requirements such as filing with the FTC annually. Companies are not required to create a standalone position but can add these responsibilities to an existing role.

Next steps with the APRA

Because the Act is still in discussion draft, the next steps are not yet set. There is not an official date set for voting or approving the bill into law. Because of the implication for both companies and consumers, Americans should carefully follow the discussions, and companies should begin preparing to follow the regulations if passed, which would go into effect 180 days after approval.

 |  |  |  |  |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
May 13, 2024

Debate rages over DMCA Section 1201 exemption for generative AI

3 min read - The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright. The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”. Now, a fierce debate is brewing over whether to allow…

May 10, 2024

CISA Malware Next-Gen Analysis now available to public sector

2 min read - One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience. In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the…

May 8, 2024

Change Healthcare attack expected to exceed $1 billion in costs

3 min read - The impact of the recent Change Healthcare cyberattack is unprecedented — and so are the costs. Rick Pollack, President and CEO of the American Hospital Association, stated, “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.” In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, speculated on the overall data breach costs. When all is said and done, the total tally may reach $1…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature