Comments · 27 Views

Discover the American Privacy Rights Act of 2024 with Tsaaro Consulting. Expert guidance for data security and compliance. Learn more now.


On 7 April 2024, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell, D-Wash. unveiled a discussion draft of the American Privacy Rights Act (APRA). This bipartisan and bicameral draft law aims to set up a national standard for data privacy. The announcement signals a renewed effort to pass a federal data privacy law, which has been delayed for a long time.

The draft legislation is aimed at addressing the evolving challenges and concerns relating to data privacy in the digital era and persistent threat of misuse of personal data, thus providing greater control to consumers over their personal data. In this blog, we will unveil the key provisions of the draft legislation to understand its effectiveness in addressing the privacy issue of the consumers.


Section 1 of the bill contains the short title. It says that this Act may be cited as the ‘American Privacy Rights Act of 2024.’


Section 2 contains numerous definitions, including definitions of the entities to which this bill will apply and those which are exempted. Some important terms that are defined under the bill are:

  • Affirmative express consent: Section- 2(1) of the draft legislation states that the term ‘affirmative express consent’ means an individual’s clear and specific authorization for an act or practice, given in response to a request from a covered entity. The request must be provided to individual in a clear disclosure, include descriptions of the requested actions, and be written in easy-to-understand language. Also, entity must state about the specific categories of covered data that the covered entity shall collect, process, retain, or transfer to fulfill the request.

Furthermore, the individual must be informed of their rights related to consent, and the request must be accessible to individuals with disabilities and available in all relevant

languages. Importantly, consent cannot be inferred from inaction or continued use of a service or product.

  • Collect; Collection: Section 2(3) of the draft bill says that the terms ‘‘collect and ‘‘collection’’ mean buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any means.
  • Covered data: Section 2(9) of the draft bill states that ‘covered data’ refers to information that directly identifies or is connected to an individual or device. However, it does not include: (1) data that has been de-identified, (2) employee data, (3) publicly available information, (4) inferences drawn from multiple publicly available sources that don’t qualify as sensitive covered data and are not mixed with covered data, as well as information contained within library, archive, or museum collections, with certain restrictions.
  • Covered entities: Covered entities are those entities that define the purpose and means of collecting, processing, retaining, or transferring covered data. Furthermore, Covered entities are also required to adhere to the regulations outlined in the Federal Trade Commission Act. However, exemptions apply to small businesses, governmental bodies, entities acting on behalf of governments, and other specifically defined organizations. This is similar to ‘controller’ under the General Data Protection Regulation (GDPR).
  • Covered minor: This refers to an individual under the age of 17.
  • Dark pattern: The term ‘‘dark patterns’’ means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
  • Sensitive covered data: Section 2(34) of the draft legislation defines ‘sensitive covered data’ as such data that includes government identifiers, health information, biometric information, genetic information, financial account and payment data, precise geolocation information, log-in credentials, private communications and other types of private information.


Section 3 provides that covered entities and service providers operating on their behalf would be prohibited from collecting, processing, retaining, or transferring data beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual, or to provide a communication reasonably anticipated in the context of the relationship. Furthermore, it says that the covered entities would be able to use non-sensitive, covered data for targeted advertising only if individuals have not opted out.

Section 4 of the bill mandates that businesses would need to update their privacy policies to provide a variety of information, including categories of third parties and the names of any data brokers that receive covered data. Furthermore, businesses would need to notify users of any material changes before they occur and provide a means for consumers to opt out of the processing or transfer of such previously collected covered data pursuant to such material change.


Under Section 5 of the draft bill, individuals have extensive control over their covered data. Upon receiving a verified request from an individual, a covered entity must grant access, correction, deletion, and portability rights. This includes providing data in a readable format, disclosing recipients and purposes of transfer, allowing corrections and deletions, and facilitating data export. The first three requests are free, with specific time frames for completion. Verification of identity is required, with possible extensions and requests for additional information. However, exceptions exist to individual rights, including cases where verification isn’t possible or access to sensitive data of others is needed. Permissive exceptions may apply when compliance is impractical. The Commission can establish additional exceptions to protect rights and ease burdens on covered entities.

Furthermore, under Section 6, individuals have opt-out rights regarding their covered data. They can opt out of data transfers and targeted advertising. Additionally, it says that within two years, the Commission will establish regulations for a centralized opt-out mechanism, ensuring user-friendly interfaces and language accessibility.


Section 9 mandates that covered entities and service providers must establish reasonable data security practices to protect covered data. These practices should consider factors like entity size, data volume, and technological advancements. Specific requirements include vulnerability assessments, preventive/corrective actions, data disposal, retention schedules,

employee training, and incident response procedures. The Commission can issue technology-neutral regulations to enforce these standards.


Section 10 provides that covered entities must appoint at least one officer responsible for privacy or data security. Large data holders must designate separate officers for privacy and data security. Furthermore, these entities, along with the CEOs of large data holders, must annually certify to the FTC that they maintain internal controls and reporting structures in accordance with the APRA.

Know More about this blog >