What the American Privacy Rights Act means for data governance
The American Privacy Rights Act (APRA) promises to increase the protection, privacy and security of consumer data across the United States through federal legislation. We look at what it covers, the next steps in its implementation and the benefits it brings to organizations as well as consumers.
While many countries across the world have put in place comprehensive data privacy laws, until now protecting consumer data in the United States has been handled through state level legislation. There hasn’t been a federal equivalent to the European Union’s General Data Protection Regulation (GDPR).
However, this looks likely to change, thanks to the American Privacy Rights Act (APRA), new draft legislation that has recently been introduced into Congress. Supported by both parties and by both houses, it has the potential to dramatically change how consumer data is protected, used and governed across American businesses.
What is the American Privacy Rights Act?
Introduced by US House of Representatives member Cathy McMorris Rodgers and Senator Maria Cantwell in April 2024, APRA has two key aims:
- Put consumers back in control of their personal data
- Set a national privacy standard that supersedes the current patchwork of state laws covering this area
It is currently undergoing committee review, ahead of being voted on by both chambers of Congress and then, if passed, signed into law by the US President. This could potentially happen before the US election in November 2024.
What will the American Privacy Rights Act cover?
APRA shares the GDPR’s aim of protecting personal information, both in terms of how it is used by businesses and how it is kept secure.
At this draft stage, key points include:
- It covers all organizations handling consumer data that have over $40 million in annual revenues and that process data relating to more than 200,000 individuals.
- It also covers service providers who handle data on behalf of such organizations as well as data brokers.
- There are additional requirements on large social media networks and on companies with over $250 million in revenues and/or that process the data of more than 5 million individuals.
- As standard it covers information that “identifies or is linked or reasonably linkable” to an individual or device, either alone or in combination with other information.
- A second category of personal information (“sensitive covered data”) will receive greater protection. This includes health, biometric, financial and geolocation information, as well as online activities across third-party websites.
- APRA will be enforced by the Federal Trade Commission (FTC), state attorneys general, chief consumer protection officers of states, or other authorized officers of a state. Individuals can also take action themselves in the event of breaches.
What are the principles behind the American Privacy Rights Act?
APRA includes five clear principles:
Data minimization
Companies would be forbidden from collecting, processing, retaining, or transferring data beyond what is necessary, proportionate, or required to provide or maintain a product or service requested by the consumer.
Transparency
Organizations need to provide updated privacy policies that include any third parties that have access to data, and any brokers that consumer data is shared with. If there are major changes to privacy policies, consumers have to be notified in advance and given the opportunity to opt-out. Larger organizations will need to retrospectively publish their data privacy policies for the last ten years.
Data security
Organizations must put in place appropriate data security policies and procedures, assessing any vulnerabilities and having clear incident response processes. They should appoint at least one privacy or data security officer, who reports annually on compliance. Larger organizations have to split the role between two separate people.
Consumer rights
As with the GDPR, consumers would have the right to access, correct, delete and port their data. Large companies would have to comply with requests within 15 calendar days, smaller businesses within 30.
Algorithms
Recognizing the spread of AI, APRA covers the use of consumer data by AI algorithms, notably around avoiding discrimination/bias and ensuring it is used fairly in decision-making. Larger companies would need to conduct annual impact assessments around the AI algorithms they use.
The importance of data governance to APRA
By replacing state laws, APRA standardizes protection around consumer data, meaning that companies are subject to a single set of rules. This will deliver efficiency benefits in terms of compliance, and demonstrates the importance of strong data governance rules that cover:
- How data is collected, stored and used
- How data is protected in terms of security, anonymization, and access for specific internal and external users
- How data assets are enriched and changed within organizations
- How data is shared with partners and used within AI models
- Record-keeping around data assets, from creation to reuse
It is important to see APRA as a positive for the business – it increases trust, drives greater data sharing, protects corporate reputation and increases efficiency around compliance.
Opendatasoft’s data portals and APRA
Many of the provisions and principles within APRA are similar to the GDPR, which has been implemented across Europe since 2018. Opendatasoft’s data management approach has been built from the ground-up on GDPR compliance, meaning we have deep experience of helping clients protect personal data when using our data portal solution.
Relevant key features of our solution include:
- Easy access to a single source of trustworthy, up-to-date information through a centralized data portal that brings together data from across an organization and makes it securely available to all employees, in a trackable, compliant way.
- Processors to make it easy to anonymize personal information
- Data lineage features to track how data is used across the organization and its ecosystem
- Access control features that prevent unauthorized users from viewing specific datasets without permission
- Strong support for data governance processes to ensure data is protected before it is shared
- Fully secure software, hosted by leading cloud providers
While it is a new piece of legislation that has yet to become law, APRA enjoys support from across the political spectrum and builds on previous attempts to pass data protection and privacy regulations. Therefore, it could well become law before the end of 2024. This means that organizations do not have much time to get ready for it. They should act now to ensure that they have an effective data governance and data management strategy in place to ensure compliance, build trust with consumers and unlock the power of data within their business.