From Policy to Practice: How the American Privacy Rights Act Will Inadvertently Harm Small Businesses
In today’s digital age, protecting people’s sensitive data has never been more critical. As more and more states propose, pass, and implement varied data privacy laws, Congress must pass a unified national privacy law. However, the recently introduced American Privacy Rights Act (APRA) does not create a single national privacy law and raises significant concerns for small and medium-sized businesses (SMBs) in particular.
The Illusion of a Small Business Exemption
At first glance, APRA appears to protect SMBs with its small business exemption. However, upon closer scrutiny, it’s clear that it will still capture tens of thousands of small businesses with more than 200,000 website visitors, app downloads, or customers. The threshold of 200,000 data points is far too low and will force these businesses to comply with the same requirements as large technology companies.
Additionally, the definition of what constitutes a small business is unclear. The bill states that a business that transfers data for anything “of value” is not a small business, with a series of exemptions that are difficult to follow or understand. This requires further review to ensure that small businesses with fewer than 200,000 data points are not captured because of an unintended consequence of overbroad language.
Increased Legal Risk
Another contentious aspect of APRA is its private right of action, which opens the door to frivolous lawsuits against small businesses, initiated by plaintiffs’ lawyers for any alleged technical violation of this complex law, even if no harm occurs. Just as happened with patent infringement and still happens with ADA lawsuits, small businesses will be sued for allegedly over-collecting or over-processing consumer data even where there is no consumer harm. Then, they will be offered the “opportunity” to settle for payments that are costly but well below the costs of going to court, even if they have done nothing wrong.
Restrictive Data Minimization Rules
APRA’s stringent “data minimization” section limits small businesses from knowing and communicating with their customers because it limits collection and processing to only data “necessary . . . to provide . . . a specific product or service requested by the individual.” This limitation serves to prevent SMBs from:
- Communicating with existing customers about upcoming sales, new products, or other marketing updates.
- Updating their website based on user activity and interests.
- Using customers’ general geographic location data to decide where to open new locations.
- Collecting traffic data needed to measure and improve website performance.
- Collecting consumer data necessary to measure and improve advertising effectiveness.
- Displaying pictures of store activity that include customers on their website or in their app.
Even for small businesses that are exempt from the bill, the impacts of overregulating data collection and use will be severe. Smaller businesses rarely collect customer data directly; they rely on third-party partners like Google, Facebook, Amazon, Etsy, eBay, Shopify, and countless others to collect and process data and share insights with the small business. These insights help small businesses understand their customer base, inform their advertising and marketing, and understand how effective their ads and marketing are. When the tools offered by these companies are regulated, the small businesses that rely on these tools are impacted as well.
Overregulating these processes disproportionately hurts small businesses, eroding the cost-effective ways in which they can compete with large businesses.
Complicated Opt-Outs and Vague Provisions
The targeted advertising opt-out is so broad that it supersedes opt-ins. Small businesses need certainty that browser-level opt-outs do not trump their store-level opt-ins, and consumers should have more choices about what content they see online, not fewer. Additionally, APRA’s vague provisions, such as its algorithm rules and consequential decision provisions, expose small businesses to myriad enforcement actions and private lawsuits brought to create and test the boundaries of these untethered new standards. This concern can be easily solved by tying the APRA anti-discrimination standards to federal law instead of leaving them as a new, undefined, open-ended anti-discrimination standard.
Allows for the State Patchwork to Grow
The bill does not supersede all state privacy laws and regulations, allowing the patchwork of state rules to grow. Compliance with this patchwork creates significant complexity and costs for small businesses, placing them at a substantial disadvantage to larger businesses.
In Search of Balance
Small businesses do not want to dismiss APRA and are not opposed to creating a strong national privacy law, but the law needs to be balanced and to recognize the unique challenges and resource constraints smaller entities face. Legislation should protect consumer data while also enabling small businesses to leverage digital tools and data analytics for growth and innovation.
A balanced privacy act would offer explicit, achievable exemptions for small businesses and establish straightforward data collection and use guidelines. It should minimize litigation risks, allowing small businesses to focus on serving their customers rather than defending against lawsuits. Moreover, it would recognize the importance of digital marketing and customer engagement in today’s economy, providing pathways for responsible data use rather than stringent limitations.
While the American Privacy Rights Act aims to address crucial data privacy issues, its current iteration poses significant challenges for small businesses.