US Congress Proposes American Privacy Rights Act
On the back of two straight years of a run on state-level privacy laws, Congress is trying again to pass a federal comprehensive data privacy law to pull itself back to an even stage globally. The American Privacy Rights Act, sponsored by Washington representatives (D)Maria Cantwell and (R)Cathy McMorris Rodgers, picks up where 2022's American Data Privacy & Protection Act failed.
The initial APRA draft would match several GDPR requirements like the appointment of a privacy officer within organizations and a 30-day timeline to handle data subject requests (as opposed to the standard 45-day timeline states have implicitly agreed on). The bill would also formalize opt-in rights for sensitive data processing and transfers and include a limited private right of action for individuals to sue organizations over noncompliant behavior.
However, the APRA, despite also implementing stricter data minimization standards, would only require larger organizations to conduct data protection impact assessments, in addition to generally looser applicability thresholds in an attempt to exempt small businesses.
The bill is not guaranteed to pass, as it has a long road ahead and still insists on preemption over all state privacy laws, which compelled California lawmakers to kill ADPPA two years ago.
For a more detailed analysis of the bill's pros, cons, and likelihood to pass, click here.