The American Privacy Rights Act and what it means for startups

[This is a living blog post: it will be updated as the APRA moves forward through the legislative process. Last updated: June 26, 2024]

{APRA was formally introduced on June 25, ahead of a full committee markup scheduled for June 27. The introduced version includes notable changes from earlier versions, reflected in braces below.}

[A new version of the draft legislation was released on May 22, ahead of a markup scheduled for May 23. It includes some significant changes to the bill; the notable changes are noted in brackets below.]

Congress is taking another crack at data privacy legislation, a widely shared but elusive policy priority for lawmakers and industry alike. On Sunday, April 7th, key committee chairs released a draft federal privacy law, called the American Privacy Rights Act, the first movement on bipartisan comprehensive privacy legislation since the American Data Privacy and Protection Act failed to move out of the House last Congress. The law would create new data privacy rights for consumers, preempt state laws, allow individuals to sue over alleged violations, and exempt small businesses. Startups have encountered increasing burdens from a growing patchwork of unique state privacy laws, and the uniform national standard this legislation would create would be a welcome step.

How did we get here?

In the absence of federal action, more than fifteen states have enacted their own privacy laws, creating a patchwork of rules that vary by state. That patchwork is continuing to grow, sowing confusion for startups and their customers alike. Differing rules about the same issues are a significant headwind for startups. Sam Caucci, founder and CEO of New Jersey-based 1Huddle, emphasized that “as a high-growth and early-stage startup trying to grow fast, you’re at a major competitive disadvantage,” saying, “I would have to raise an entire second Series A to navigate many of these frameworks.” Last year, an Engine report found startups already spend hundreds of thousands of dollars on privacy compliance, and each additional state tacks on $15,000-$60,000 in costs. Ultimately, the Internet does not stop at state borders, and a patchwork of rules threatens to bury resource-strapped startups under duplicative compliance costs, limit their scalability, and hurt their chances of success.

During the previous Congress in 2022, key committee leaders aimed to solve this problem with a proposed federal privacy law called the American Data Privacy and Protection Act. That bill had support from Rep. Frank Pallone (D-N.J.), Rep. Cathy McMorris Rodgers (R-Wash.), and Sen. Roger Wicker (R-Miss.) and advanced with a near-unanimous 53–2 vote out of committee but fell victim to familiar sticking points on privacy. Then-Speaker Nancy Pelosi (D-Calif.) refused to bring the legislation up for a floor vote because it would preempt her home state’s law, the California Consumer Privacy Act. Senate Commerce Committee Chair Maria Cantwell (D-Wash.) opposed the legislation because it put up too many roadblocks to individuals suing over alleged violations. The Federal Trade Commission meanwhile initiated the process of writing its own privacy rules — to the chagrin of many lawmakers.

After a flurry of hearings early in the current Congress in 2023, many expected the ADPPA to be reintroduced. That failed to materialize, and focus at the federal level shifted to measures to expand privacy protections for children. Then, on April 7th, 2024, Senator Cantwell and Rep. McMorris Rodgers, the House Energy and Commerce Committee Chair, released a discussion draft of legislation called the American Privacy Rights Act (APRA). That legislation is poised to be a focal point of the privacy debate in the months to come, and startups should understand what it might mean for them.

{On June 25th, APRA was formally introduced, with Energy and Commerce Committee and Subcommittee Chairs and Ranking Members Reps. Rodgers (R-Wash), Pallone (D-N.J.), Bilirakis (R-Fla.), and Schakowsky (D-Ill.) as original cosponsors.}

What’s in the legislation?

{June 25 version changes are reflected in braces.}

[May 22 version changes remain reflected in brackets.]

Applicability — Small Business Exemption

{The June 25 version includes changes to the small business definition, but these changes aren’t fully responsive to concerns of startups, Engine, other startup and small business advocates, and some lawmakers on the Committee. The June 25th version revises the revenue element of the definition, scrapping the one tied to NAICS codes and reverting to $40 million (as in the original version) but now indexed to the Producer Price Index.}

[The May 22 draft included changes to the small business definition, but startups are still squarely in scope of the law.

The specific revenue threshold in the definition is replaced with one relying on NAICS code. The last component is updated to clarify that the use of web analytics (not for targeted advertising) is not included in transferring “covered data to a third party in exchange for revenue or anything of value.” The “covered data of more than 200,000 individuals” element of the definition is unchanged, meaning startups as small as a few employees are subject to the same rules as the largest tech companies in the world.]

The first step in understanding legislation is understanding who it applies to, and most privacy legislation at the state level includes exemptions for small businesses. The APRA exempts small businesses that have $40,000,000 or less in annual revenue; collect, process, retain, or transfer the covered data of 200,000 or fewer individuals; and (emphasis added) do not earn revenue from the transfer of covered data to third parties. That is a high revenue number, one that startups at Series B or earlier almost certainly do not reach. By contrast, many startups, even some pre-revenue startups, may have covered data from more than 200,000 individuals. (Depending on business model, startups can reach 200,000 user accounts before generating much revenue, and some startups use waitlists to understand what features they should develop or to demonstrate consumer interest to investors.) Since the definition says “and,” not “or,” once a company pierces any of those three parts of the definition, it is in scope of the legislation. This definition will exempt many conventional small businesses (transaction information like credit card data doesn’t count toward the 200,000), but many startups will quickly find themselves in scope.

Some state laws, like California’s and Utah’s, have revenue thresholds of $25 million or higher. Most state laws have thresholds of personal information of 100,000 individuals or more, except a few smaller states that lowered it because of their small populations (Montana, New Hampshire, and Delaware). The threshold in APRA is only twice what most of the states have enacted, but in percentage terms it is much lower. The average U.S. state has a population of about 5.7 million, and 100,000 is about 1.75 percent of that. The population of the U.S. is about 333.3 million, and 200,000 is about 0.06 percent of that. To remain on parity with state exemptions, policymakers would need to revise this threshold upward to well over 5 million.

Most startups will be in scope of the APRA, or otherwise plan to grow to a point where they will be, and, should it become law, will build their companies with the APRA in mind. If policymakers wish to mitigate the negative impacts of scoping in startups so soon, they should change “and” to “or” in the definition of small business, remove the 200,000 element of the definition, or alternatively revise the individuals’ data threshold significantly upward.

Preemption

{The June 25 version includes new language for children’s privacy laws, only preempting those state laws when they conflict with APRA. States are able to enact “greater” protections, meaning APRA is a floor, not a ceiling. For startups, that means APRA will not end the privacy patchwork, but merely add to it and enable it to grow in new directions.}

Preemption of unique state data privacy laws is critical to establish one set of rules nationwide, creating greater clarity and removing duplicate compliance activities and costs. In discussing preemption, the APRA includes a section indicating its “purpose” to “establish a uniform national data privacy and data security standard in the United States to prevent administrative costs and burdens placed on interstate commerce.” Separately, the draft includes a provision to “terminate” the Federal Trade Commission’s rulemaking on “Commercial Surveillance and Data Security.” The APRA would preempt state laws that address issues covered by the federal law, but it would not preempt unique state laws governing things like health information, student information, financial records, data breaches, consumer protection, or civil rights. That would preempt comprehensive state laws and some narrower privacy laws like Illinois’ Biometric Information Privacy Act. But it would seem to leave in place some narrower state laws that impact some healthtech, edtech, and fintech startups, and it would leave in place the patchwork of data breach laws.

Data rights, opt-outs, transparency, and data minimization

[New section: Privacy by design. The May 22 draft includes a new section spelling out privacy by design considerations and requiring the Federal Trade Commission to issue guidance on what constitutes reasonable privacy policies and practices.]

{The June 25 version scraps the section on civil rights and algorithm governance. The removal of this section has been met with strong pushback from civil rights and privacy advocates.}

[Changes to algorithm governance in the bill. The earlier version of APRA included requirements for “large data holders” to enable individuals to opt out of certain “consequential decisions” performed by an algorithm. The May 22nd version of APRA adds to this section specific audit requirements for algorithms, including the engagement of certified independent auditors.]

The APRA includes several data rights commonly found in privacy laws, letting people access, correct, delete, and export their data. The bill also lets individuals opt out of targeted advertising and out of certain data transfers. It lays out transparency requirements for what companies must include in their privacy policies and enables individuals to opt out in the event of material changes to data processing or transfers. The APRA also maintains a focus on data minimization that was present in the earlier ADPPA draft. Generally, companies cannot collect, process, retain, or transfer data beyond what they need to facilitate the product or service requested by the consumer — though there are 15 exceptions, including one for data that has been de-identified. {The June 25 version adds explicit exemptions for research and medical research, meaning there are now 17 exceptions. There is no explicit mechanism in the bill to add new exceptions through rulemaking or otherwise.}

These provisions will impact startups. Many of the basic data rights to access, delete, etc. may be familiar to startups, but most have not encountered requests at the scale that might be expected nationwide as opposed to in just several states. That said, having one standardizable process for handling the requests will be helpful. Some startups — especially those in the early stages and those that offer free services to consumers — often rely on data-driven advertising revenue or reach consumers through such advertisements. The APRA would impact those companies. Finally, data minimization may impact future product development for startups, particularly those in data-driven spaces, like AI, or those looking to enhance their current offerings with AI in the future. For example, many startups order content manually or with a basic algorithm at launch and plan to build machine learning models to personalize the ordering of content later.

Enforcement

{The June 25 text extends the notice period from 30 to 60 days. It also adds a new provision relating to “Bad Faith” actions. Private suits brought without this notice will be dismissed without prejudice, meaning they can be refiled once the plaintiff has given the required notice. This new provision will do little to stop bad-faith litigation against startups, especially since startups can encounter significant costs from the mere threat of a lawsuit, even without a lawsuit ever actually being filed. Moreover, this provision is not self-executing. Using it to dispose of a bad-faith claim would involve having an attorney file a motion to dismiss. Motions to dismiss can cost startups in the neighborhood of $15,000 — very expensive for resource-limited startups. Given that the claims can be refiled anyway, startups will likely face a much higher legal bill.}

The APRA will be enforced by the Federal Trade Commission, by states, and by individuals through private lawsuits. The draft legislation would set up a new bureau within the FTC tasked with enforcing the law. In the states, state Attorneys General, state chief consumer protection officers, or other state officers authorized to enforce data privacy laws can enforce the APRA, but only one of those officers can bring an enforcement action against the same defendant. States also must notify the FTC prior to bringing an action. States cannot bring enforcement actions while the FTC is pursuing an enforcement action, but they can conduct investigations during that time. Finally, and likely of greatest concern to startups, the APRA empowers individuals to sue for alleged violations of the law seeking actual damages (i.e., a monetary amount equal to the alleged harm) and/or injunctive relief (e.g., to stop or reverse an allegedly violative data transfer). Except for cases of substantial privacy harm, individuals must provide at least 30 days’ notice before bringing an action, and for actions involving injunctive relief companies have that 30-day period where they can “cure” the violation. Individuals can only bring actions under certain parts of the bill.

The earlier ADPPA also included enforcement by private lawsuits (also called a private right of action), but that bill had some safeguards (and a longer cure period) that drafters thought could curb abusive or bad-faith litigation. Under that bill, an individual (or class of individuals) that wanted to sue needed to first confer with their state attorney general and the FTC, who had 60 days to determine whether their agencies would independently take action. Only if neither enforcer decided to pursue the case could the individual continue with their lawsuit. That was still somewhat problematic because it would lead to a selection problem where the least meritorious private lawsuits could proceed, but the APRA does not even have these safeguards. The APRA could set up a “privacy troll” problem impacting startups. Private lawsuits — or even the threat of lawsuits — negatively impact startups, which don’t have the resources to withstand litigation that can cost hundreds of thousands of dollars.

COPPA 2.0

{June 25 version: The COPPA 2.0 title of APRA has been updated to fold in more parts of the separate COPPA 2.0 legislation. On-committee sponsors of COPPA 2.0 vocalized their discontent at the subcommittee markup with how parts of the bill had been folded into the broader package when it was added in May. Among the concerns they highlighted was that the COPPA knowledge standard — actual knowledge — was unchanged. The new version now has a more expansive knowledge standard: “knowledge fairly implied on the basis of objective circumstances,” which amounts to a “you should have known” standard. (This updated standard also now applies to provisions throughout the bill relating to children and minors.)

Actual knowledge is a clear, bright-line standard that makes compliance straightforward for startups. The new standard will create uncertainty and make it harder for startups to ensure they are on the right side of the law. The new text explicitly states that age verification, age-gating, or additional data collection won’t be required, but that leaves it unclear what the new text would change in practice. Instead, it will be up to the Federal Trade Commission to release guidance on best practices.}

[May 22 version: New title added: Children’s Online Privacy Protection Act 2.0

APRA itself already includes many provisions relating to minors, and the added title folds in parts of separate legislation, the Children and Teens’ Online Privacy Protection Act, also called COPPA 2.0.]

What’s next?

{APRA is scheduled to be marked up by the full House Energy and Commerce Committee on June 27th.}

[APRA passed by voice vote on May 23rd at a markup in the House Energy and Commerce Innovation, Data, and Commerce Subcommittee.]

On April 17th, the APRA will get its first legislative hearing in the House Energy and Commerce Innovation, Data, and Commerce Subcommittee, alongside several other bills addressing privacy and content online. It will be an opportunity for members of the committee to learn more about and scrutinize the bill.

Two key members of Congress have already weighed in on the APRA, including the top Energy and Commerce Democrat, Rep. Frank Pallone (N.J.), who commended the draft but said it needed to be strengthened with regard to children’s privacy. Meanwhile, Sen. Ted Cruz (Texas), the top Republican on the Senate Commerce Committee, criticized aspects of the bill, insinuating that the private right of action will “empower trial lawyers,” warning that he could not support a bill that would impose “crushing new regulatory costs on upstart competitors,” and urging that the bill move through regular order.

Creating a uniform national data privacy standard that ends the patchwork has long been a priority for startups. As this draft gets introduced and continues to move through the legislative process, lawmakers should continue to improve it so that U.S. startups can thrive and continue to lead the world in innovation.