Will the US catch up to GDPR?

Written by Aušra Mažutavičienė
May 14, 2024

The background

On April 7th this year, representatives from the US House and Senate introduced a draft federal privacy law - the American Privacy Rights Act. It aims to give people greater control over their personal information, define processing principles and set out consumer rights, among other things.

The need for a federal privacy law has been growing since the introduction of the California Consumer Privacy Act (CCPA), which started a wave of state-level privacy legislation in the US. Since 2018, the total number of states with a comprehensive privacy law has reached 15 (and counting). This has made navigating the US privacy landscape a very complex challenge, and hence several attempts to pass a federal privacy law have been made over the years.

The most recent was the ADPPA (American Data Privacy and Protection Act) in 2022. One reason the ADPPA failed to pass was the argument that the draft federal law didn't guarantee the same level of protection as some of the existing US state privacy laws. So how is the new APRA different?

APRA vs US privacy laws

In many respects, the new draft is very similar to the ADPPA. The APRA (if passed) will supersede state-level privacy legislation, and its main purpose is to ensure a consistent privacy and security standard across the US.

Though it would preempt state laws, it would also empower the enforcers of state privacy laws (e.g. state Attorneys General) to enforce the APRA instead.

The APRA also identifies many types of state laws that overlap with consumer privacy concerns, including consumer protection, employee privacy, data breaches, civil rights, etc. These state laws would remain unaffected by the APRA.

What does it mean for businesses?

Overall, the APRA emphasizes data minimization, limiting data collection and usage to what is deemed necessary and proportionate. Special attention is given to the handling of sensitive information, including biometric and genetic data, requiring express consent for its collection and transfer.

The APRA also outlines comprehensive transparency obligations for covered entities (roughly equivalent to GDPR's "data controllers") and introduces a centralized opt-out mechanism to streamline the exercise of privacy rights. It also introduces a private right of action, allowing individuals to sue under many of its operative provisions.

So on the one hand, the APRA introduces stringent data minimization and consent requirements for businesses, backed by broader enforcement options. On the other hand, by establishing a unified national framework for data privacy, the APRA could simplify the regulatory environment and reduce the complexity of navigating different state privacy laws.

What's next?

It's a long road ahead for the APRA to become law. It must first be introduced to Congress, undergo review by relevant committees, be debated and voted on in both the House and the Senate, and potentially reconciled if there are different versions. Finally, it needs approval by the President.

The proposal is already facing opposition, with, for example, the California Privacy Protection Agency expressing concerns that "Congress should set a floor, not a ceiling". Moreover, with the November elections rapidly approaching, Congress is also running out of time to pass significant legislation.

So will the US have a federal privacy law? Many consider it unlikely that the APRA will pass. We'll of course keep a close eye on it and let you know.