Is a US Nationwide Privacy Law Really Coming?

COMMENTARY

April 7 was quite a moment for Americans. That was when two US lawmakers shared draft legislation of a soon-to-be unveiled bill called the American Privacy Rights Act, or APRA. According to the International Association of Privacy Professionals (IAPP), if it becomes law, the American Privacy Rights Act "would introduce a significant shift in how organizations collect, process and share personal information, and set a high bar for data minimization practices.

To date, corporate privacy professionals whose operations are in scope of the US have needed to treat the region essentially as 50 countries since, generally, each state has its own set of laws and regulations on the subject. Complex if you deal with one or two states, unmanageable if you deal with 50.

Let's set the scene: The United States has, historically, addressed the privacy of its citizens at the state level, reserving broader rule for specific industries such as medical (HIPAA), financial, and trade (FTC). You quickly can see how this legislative patchwork left significant gaps in the processing of personal data outside very specific use cases. Europe suffered a similar lack of cohesion for many years, until the implementation of the General Data Protection Regulation (GDPR) in 2018, and the world watched closely to see if unified laws spanning dozens of geographies could actually work.

Six years later, it is safe to say that the processing and protection of personal information across Europe is unrecognizable from what it once was, and in the interim period, we've even seen the birth of revolutionary data laws in California and other states. A standard for data subjects' rights and what they expected was emerging in a place where we were generating and using — as well as valuing and relying upon — an exponentially increasing amount of data.

The US Needs Federal Privacy Laws

There are a number of reasons why the US wants, and needs, privacy laws at a federal level: consistency, manageability, interstate operability, trade with other regions such as Europe and Australia, and to enable technologies such as open banking to move forward. To date, states including California, Kentucky, Maryland, and others have been left with no choice but to enact local laws in order to compete in a marketplace where data privacy is a key player and differentiator among those vying for business. 

APRA, which at the time of this writing is still in draft form, follows in the footsteps of GDPR and the ePrivacy Directive, with provisions for data processing principles, subject's rights, consent to marketing, and data security.

This is still very early days, and in addition to the unclear timing (typically, an election year would preclude these types of proposals), there are more than a few obstacles still to overcome, including the same challenges that were evident in 2022, such as state law preemption and Private Right of Action.

Relevant stakeholders (think big tech, privacy groups, state governors, etc.) will each have their own perspectives, priorities, and questions, all of which will take time to come to an agreement on, if at all possible. It's worth noting that, unlike legislation in other countries, APRA attempts to consider both the interests of the data subject as well as those of the business and its operational abilities. This is untested waters, though, so it will be very interesting to see if, and how, that would work in real life.

In summary, APRA is a giant leap forward for the rights and freedoms of American subjects. I know we have been here before (two years ago), but this feels different — with people reenergized, reinvigorated, and excited by it. US lawmakers will be feeling pressure from different angles, not least from large enterprises that are losing opportunities to other regions where legislation enforces the notion of putting personal information front and center. Watch this space: I think good things are coming.