The American Privacy Rights Act – A Radical Approach to Data Privacy

Government-enacted privacy laws are nothing new, from California to Connecticut to the European Union. However, while the majority of countries around the world have adopted national privacy laws, the United States has still failed to do so. 

Earlier this year, House Energy and Commerce Committee Chair Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce Committee Chair Sen. Maria Cantwell (D-WA) announced a bipartisan privacy policy framework, the American Privacy Rights Act (APRA). In today’s digitally powered economy, small business customers often cross state lines. The patchwork of more than 20 state privacy laws is unsustainable for small businesses, and a single, national privacy law is critically necessary.  However, APRA would overregulate the collection and use of data online in ways that go beyond states like California or Connecticut and the European Union’s vaulted General Data Protection Regulation (GDPR). 

California’s Consumer Privacy Rights Act (CPRA) and the EU’s GDPR are both comprehensive data privacy laws. Both focus on informing consumers about what information is being collected and what it is being used for and provide limitations and consumer rights related to this data collection and use. For instance, CCPA requires consumers to opt-in for sensitive data collection. GDPR restricts special categories of data.  CPRA’s and GDPR’s data minimization provisions require covered entities to limit data collection and processing to the stated purposes for which they were collected. APRA creates a blanket limit on these activities that goes much further and ties the data collection to the specific products and services that are requested. 

APRA’s data minimization provision states “shall not collect, process, retain, or transfer covered data (1) beyond what is necessary, proportionate, and limited to provide or maintain (A) a specific product or service requested by the individual to whom the data pertains, including any associated routine administrative, operational, or account  servicing activity such as billing, shipping, delivery, storage, or accounting.” 

A customer who purchases a tie from an online clothing store does not request that their data be collected so the store can better understand their customer base. For example, the store’s customers tend to be male, from suburban areas, between the ages of 35 and 60, and most of its website traffic comes from keyword searches for “red ties.” No opt-in would rise to the level of the customer making the request that APRA would require. 

And while APRA attempts to “carve out” small businesses, the carve-out is effectively meaningless. APRA exempts businesses with less than 200,000 annual individual’s data points. This is an incredibly low threshold, but more importantly, APRA’s data minimization provision will make it harder for companies that support small businesses, from Shopify and Salesforce to Etsy and eBay to Google and Facebook, to collect and process data for small businesses. Each of these companies helps even the smallest businesses gain insights into their audience and customer preferences and advertise effectively to reach new customers. Small businesses do not have the time or resources to develop these analytical tools on their own; by regulating the companies they rely upon, the law will consequently limit the capabilities of small businesses and their ability to compete with larger businesses.

Instead of pursuing radical data limitations, Congress should consider following Connecticut’s privacy law and similar laws in 18 US states covering approximately half of the US population, which expressly limit data collection to what was disclosed and what customers opted in to.