Congress unveils American Privacy Rights Act to set national data standards

On April 5, 2024, the US Congress drafted a comprehensive data privacy bill titled the American Privacy Rights Act. 

What happened

On April 5, 2024, members of the US Congress provided the draft of the bipartisan, bicameral American Privacy Rights Act (APRA). This legislation is set to establish a national data privacy and security standard, allowing individuals the right to control their personal information. 

The bill is designed to consolidate the diverse privacy protections found in state laws into a single federal standard and aims to provide mechanisms for enforcement by both the Federal Trade Commission (FTC) and state attorneys general, as well as through private lawsuits. 

See also: Features to look for in a HIPAA compliant email service provider

Going deeper

1. APRA grants consumers several rights regarding their personal data, including:
   • Consumers can request access to their personal data held by a covered entity.
   • Consumers can request corrections to inaccurate or incomplete personal data.
   • Consumers can request the deletion of their personal data.
   • Consumers can request their data be provided in a format that allows them to transfer it to another service.
2. Consumers are granted the right to opt out of:
   • Targeted advertising
   • Data transfers
   • Algorithmic decisions
3. Entities are restricted to collecting and processing data only as necessary for the specific purposes for which consent was given and must adhere to practices that minimize the amount of data they collect, process, retain, or transfer.
4. Entities must maintain clear and accessible privacy policies that outline their data collection, processing, and sharing practices.
5. Entities are required to implement robust security measures appropriate to the risk level and volume of data they handle.
6. There are improved protections provided for "sensitive covered data," which includes health, biometrics, financial data, and more. This type of data cannot be processed without explicit, affirmative consent from the consumer, except for specific permitted purposes.

See also: What is HIPAA?

Who does it apply to?

Covered entities: Any entity that, alone or jointly with others, determines the purposes and means of processing covered data and is subject to the FTC Act. This includes common carriers and certain nonprofit organizations.

Exclusions:

• Small businesses that fall below certain revenue thresholds or handle data of a limited number of individuals are exempt from some of the Act's requirements.
• Federal, state, and local government entities and their service providers are generally excluded.
• Nonprofits whose primary mission is to fight fraud or to educate about fraud, except for data security obligations, are excluded.
• National Center for Missing and Exploited Children (NCMEC)

Service Providers: Service providers to covered entities are also subject to the Act, particularly regarding data handling and processing stipulations that align with the obligations of the covered entities they serve.

What was said

"This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people's behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act," Chair Rodgers said in a press release. "I'm grateful to my colleague, Senator Cantwell, for working with me in a bipartisan manner on this important legislation and look forward to moving the bill through regular order on Energy and Commerce this month."

In the same press release, Chair Cantwell offered: "This bipartisan agreement is the protections Americans deserve in the Information Age."

HIPAA and APRA

The APRA and the Health Data Use and Privacy Commission Act introduced by Senators Baldwin and Cassidy both aim to modernize health privacy laws. In this regard, the ARPA addresses the limitations and gaps present in the existing HIPAA. The APRA sets out to establish comprehensive national data privacy and security standards, extending protections beyond those covered by HIPAA.

This is particularly necessary for health information management changes with the entry of technology companies into the healthcare space. Healthcare organizations are set to handle an expanding scope of health-related data that HIPAA does not currently cover. 

The introduction of APRA is seen as a move to enhance how personal health information is protected. The Act would enforce stricter control and clearer guidelines on how all personal data, especially sensitive health information, is handled across different platforms and entities, including those not traditionally covered by HIPAA. 

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

Is the APRA enacted?

No, it has been drafted and is still due to follow due process to be enacted.

What is a covered entity, and doesn't it apply only to HIPAA?

In the case of the APRA, covered entity refers to any entity that determines the purpose and means of collecting, processing, retaining, or transferring covered data and is subject to the FTC's authority under the FTC Act, plus common carriers subject to Title II of the FTC Act. 

Can HIPAA and APRA apply to the same entities?

Yes, HIPAA and APRA can apply to the same entities, as both laws deal with data privacy and security, and the APRA has a broader scope than HIPAA.