U.S. Rep. Cathy McMorris Rodgers, R-Wash., and Sen. Maria Cantwell, D-Wash., introduced this week a new bill to recognize new federal rights to personal data privacy. The bill, titled the American Privacy Rights Act (APRA), was surprising, even stunning: the United States Congress has long avoided serious consideration of any data privacy rights similar to the EU approach in the General Data Protection Regulation.
Although the bill does not expressly address the use of personal data in training AI models, its general requirements would presumably apply to that use of “covered data,” which the bill defines as follows: “The term ‘covered data’ means information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.” A special class of “sensitive covered data” receives additional protection even if it is publicly available.
The following discussion quotes from the sponsors' summary of the bill:
TRANSPARENCY:
Covered entities and service providers must have publicly available privacy policies detailing their data privacy and security practices.
The privacy policies must identify the entity; disclose the categories of data collected, processed, or retained; the purposes for the data processing; the categories of service providers and third parties to which data is transferred; the name of any data brokers to which data is transferred; the length of time data is retained; data security practices; and the effective date of the privacy policy.
Privacy policies must prominently describe how consumers can exercise their individual controls and opt-out rights. The policy must be accessible in multiple languages and to people with disabilities.
When a covered entity makes a material change to its policy, it must provide advance notice and a means to opt out of the processing or transfer of previously collected data.
Large data holders are subject to additional requirements to retain and publish their privacy policies from the past 10 years and also to provide a short-form notice of their policies.
CONSUMER CONTROLS OVER COVERED DATA:
After submitting a verifiable request, consumers have the right to access their covered data that is collected, processed, or retained by a covered entity and to know the name of any third party or service provider to which the data was transferred and the purpose of the transfer.
Upon a verified request, a covered entity must correct inaccurate or incomplete covered data with respect to an individual.
Upon a verified request, a covered entity must delete the covered data of an individual.
Upon a verified request, a covered entity must export covered data pertaining to an individual to the extent technically feasible.
Covered entities must comply with individual control rights within specified timeframes, and large data holders must report metrics related to the requests they process.
Covered entities must ensure that rights are accessible to individuals living with disabilities and available in any language in which the entity provides a product or service.
The FTC is directed to issue guidance for this section.
Covered entities shall deny an individual’s request if it would require access to data about another individual; interfere with lawful legal process; violate another law; or fall under other exceptions.
Covered entities may deny an individual’s request if the request would be demonstrably impossible; would require deleting data necessary to perform a contract; would require the release of trade secrets; or would prevent the maintenance of a confidential record of opt-out rights. The FTC may promulgate rules to expand the situations where an entity may deny a request.
OPT-OUT RIGHTS AND CENTRALIZED OPT-OUT MECHANISM:
A consumer has the right to opt out of the transfer of non-sensitive covered data.
A consumer has the right to opt out of the use of their personal information for targeted advertising.
INTERFERENCE WITH CONSUMER RIGHTS:
Covered entities are prohibited from using dark patterns to divert an individual’s attention from notice required by the Act, impair the exercise of any right under the Act, or to obtain consent under the Act.
A covered entity shall not condition the exercise of a right described in this Act through the use of any false, fictitious, fraudulent, or materially misleading statement or representation.
PROHIBITION ON DENIAL OF SERVICE AND WAIVER OF RIGHTS:
Covered entities may not retaliate against individuals for exercising their rights under the Act, including by denying or charging different rates for goods or services.
Covered entities may offer bona fide loyalty programs or market research opportunities to consumers.
Covered entities must obtain the consumer’s affirmative express consent for participation in a bona fide loyalty program and for the transfer of any covered data collected pursuant to a bona fide loyalty program.
DATA SECURITY AND PROTECTION OF COVERED DATA:
Covered entities and service providers must establish data security practices that are appropriate to the entity’s size, the nature and scope of the data practices, the volume and sensitivity of the data, and the state of the art of safeguards.
Covered entities and service providers must assess vulnerabilities and mitigate reasonably foreseeable risks to consumer data. The FTC shall enact rules to interpret this section in consultation with the Department of Commerce.
EXECUTIVE RESPONSIBILITY:
All covered entities must designate one or more covered employees to serve as privacy or data security officers.
Large data holders are required to designate both a privacy and a data security officer.
Large data holders are also directed to file with the FTC annual certifications of internal controls designed to comply with the Act and internal reporting structures for compliance with the Act.
Large data holders must conduct privacy impact assessments on a biennial basis.
SERVICE PROVIDERS AND THIRD PARTIES:
Service providers must adhere to the instructions of a covered entity and assist the entity in fulfilling its obligations under the Act.
Service providers must cease data practices where they have actual knowledge that a covered entity is in violation of this Act.
The FTC is directed to issue regulations to establish the requirements and technical specifications for a centralized mechanism for individuals to exercise the opt-out rights