The American Privacy Rights Act (APRA) was unveiled on April 7, 2024 and has a long way to go before becoming law. But if it does become law, it would apply to many more businesses than any current state privacy law, such as the California Privacy Rights Act - a law long heralded as the grandfather for state privacy laws in the U.S. A section-by-section summary of the APRA is available here.
First, unlike most state-level general privacy laws that include a blanket exception for non-profit entities, the APRA would include non-profit organizations to potentially be in scope.
Second, only two state laws currently have financial thresholds to be met before a business is considered in scope. In California, a for-profit entity must earn at least US$25m in annual revenue before they are in scope or meet one of the other thresholds discussed below. In Texas, a for-profit entity must not be deemed a small business by the federal Small Business Administration or meet one of the thresholds discussed below. The APRA, if passed, would make any entity, for profit or non-profit, subject to the APRA if it exceeds US$40m in annual revenue or meets one of the other thresholds.
Third, while most of the current state privacy laws require a for-profit organization to process the personal information of at least 100,000 people that are residents in that state, the APRA proposes a modest increase to 200,000, but those 200,000 would be residents of the U.S. - a significantly easier threshold to meet when adding up residents of the entire country.
And finally, while most state laws apply to organizations that make a significant part of their revenue from the sale of personal information (sometimes with a lower minimum volume threshold), the APRA would bring any entity in scope if they earn any revenue from the transfer of personal information to third-parties. It is yet to be seen if this would include revenue in the form of "other valuable considerations" as is the case in many of the state general privacy laws, and if such revenue would include such considerations derived from disclosures through advertising or analytics cookies. If it does, any company that operates a website that uses analytics cookies may be in-scope, regardless of the number of website visitors, the amount of revenue earned, or the percentage of compensation (monetary or otherwise) received from such disclosures.
The Foley Cybersecurity & Data Privacy team will continue to review the proposed APRA and provide further guidance as (if) the proposed legislation progresses towards enactment. But close followers of privacy laws in the United States will have a sense of deja vu and recognize that we have been here before. The last time (a mere two years ago) Rep. Nancy Pelosi and other members of the California congressional delegation objected to a proposed legislation because it preempted the California CPRA. The APRA also preempts state general privacy laws, and it remains to be seen if it will face the same or similar objections.
Key definitions include:
Covered entity—any entity that determines the purpose and means of collecting, processing, retaining, or transferring covered data and is subject to the FTC Act, including common carriers and certain nonprofits. Small businesses, governments, entities working on behalf of governments, the National Center for Missing and Exploited Children (NCMEC), and, except for data security obligations, fraud-fighting non-profits are excluded.
Small business—businesses that have $40,000,000 or less in annual revenue; collect, process, retain, or transfer the covered data of 200,000 or fewer individuals (not including credit card swipe and other transient data); and do not earn revenue from the transfer of covered data to third parties. Small businesses are exempt from the requirements of the Act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.