What the American Privacy Rights Act means for data governance

While many countries across the world have put in place comprehensive data privacy laws, until now protecting consumer data in the United States has been handled through state level legislation. There hasn’t been a federal equivalent to the European Union’s General Data Protection Regulation (GDPR).

However, this looks likely to change, thanks to the American Privacy Rights Act (APRA), new draft legislation that has been recently introduced into Congress. Supported by both parties, and by both houses, it has the potential to dramatically change how consumer data is protected, used and governed across American businesses.

Introduced by US House of Representatives member Cathy McMorris Rodgers and Senator Maria Cantwell in April 2024, APRA has two key aims:

• Put consumers back in control of their personal data
• Set a national privacy standard that supersedes the current patchwork of state laws covering this area

It is currently undergoing committee review, ahead of being voted on by both chambers of congress and then, if passed, signed into law by the US President. This could potentially happen before the US election in November 2024.

The ARPA shares the GDPR’s aim of protecting personal information, both in terms of how it is used by businesses, and how it is kept secure. 

At this draft stage, key points include:

• It covers all organizations handling consumer data who have over $40 million in annual revenues, and who process data related to more than 200,000 individuals.
• It also covers service providers who handle data on behalf of such organizations as well as data brokers.
• There are additional requirements on large social media networks and companies with over $250 million revenues and/or process the data of 5 million+ individuals.
• As standard it covers information that “identifies or is linked or reasonably linkable” to an individual or device, either alone or in combination with other information. 
• A second category of personal information (“Sensitive covered data”) will receive greater protection. This includes health, biometric, financial, and geolocation information, as well online activities across third-party websites.
• APRA will be enforced by the Federal Trade Commission (FTC), state attorneys general, chief consumer protection officers of states, or other authorized officers of a state. Individuals can also take action themselves in the event of breaches.

APRA includes five clear principles:

Data minimization

Companies would be forbidden from collecting, processing, retaining, or transferring data beyond what is necessary, proportionate, or required to provide or maintain a product or service requested by the consumer. 

Transparency

Organizations need to provide updated privacy policies that include any third parties that have access to data, and any brokers that consumer data is shared with. If there are major changes to privacy policies, consumers have to be notified in advance and given the opportunity to opt-out. Larger organizations will need to retrospectively publish their data privacy policies for the last ten years.

Data security

Organizations must put in place appropriate data security policies and procedures, assessing any vulnerabilities and having clear incident response processes. They should appoint at least one privacy or data security officer, who reports annually on compliance. Larger organizations have to split the role between two separate people.

Consumer rights

As with the GDPR. consumers would have the right to access, correct, delete, and port their data. Large companies would have to comply with requests within 15 calendar days, smaller businesses within 30.

Algorithms

Recognizing the spread of AI, APRA covers the use of consumer data by AI algorithms, notably around avoiding discrimination/bias and ensuring it is used fairly in decision-making. Larger companies would need to conduct annual impact assessments around the AI algorithms they use.

By replacing state laws, APRA standardizes protection around consumer data, meaning that companies are subject to a single set of rules. This will deliver efficiency benefits in terms of compliance, and demonstrates the importance of strong data governance rules that cover:

• How data is collected, stored and used
• How data is protected in terms of security, anonymization, and access for specific internal and external users
• How data assets are enriched and changed within organizations
• How data is shared with partners and used within AI models
• Record-keeping around data assets, from creation to reuse

It is important to see APRA as a positive for the business – it increases trust, drives greater data sharing, protects corporate reputation and increases efficiency around compliance.

Many of the provisions and principles within APRA are similar to the GDPR, which has been implemented across Europe since 2018. Opendatasoft’s data management approach has been built from the ground-up on GDPR compliance, meaning we have deep experience of helping clients protect personal data when using our data portal solution. 

Relevant key features of our solution include:

• Easy access to a single source of trustworthy, up-to-date information through a centralized data portal that brings together data from across an organization and makes it securely available to all employees, in a trackable, compliant way.
• Processors to make it easy to anonymize personal information
• Data lineage features to track how data is used across the organization and its ecosystem
• Access control features that prevent unauthorized users from viewing specific datasets without permission
• Strong support for data governance processes to ensure data is protected before it is shared
• Fully secure software, hosted by leading cloud providers

While it is a new piece of legislation that has yet to become law, ARPA enjoys support from across the political spectrum, and builds on previous attempts to pass data protection and privacy regulations. Therefore, it could well become law before the end of 2024. This means that organizations haven’t got much time to be ready for it. They should act now to ensure that they have an effective data governance and data management strategy in place to ensure compliance, build trust with consumers, and unlock the power of data within their business.