The American Privacy Rights Act (APRA), the successor to the American Data Privacy and Protection Act (ADPPA), has been challenged by 15 State Attorneys General, who are asking Congress not to move forward with the proposed federal data privacy legislation in its present form.
An APRA draft was introduced in April 2024 that addressed a few of the issues with the ADPPA that kept that bill from advancing. Although the APRA may satisfy some of the ADPPA's critics, one of the major sticking points was the preemption of state legislation, and that concern was not adequately resolved in the APRA. If the APRA is approved, it would benefit the residents of states with weak privacy laws, who would gain new rights and protections for their private information. However, residents of states with strong data privacy legislation would find their rights weakened.
California is one of the states with the strongest privacy protections. It enacted privacy legislation in 2018, and 17 other states have since adopted laws and launched regulations that give consumers more rights over their private information. The 17 states include Connecticut, Colorado, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Virginia, Maryland, Tennessee, Utah, Texas, Kentucky, New Jersey, and New Hampshire.
California Attorney General Rob Bonta wrote a letter to Congress opposing the APRA. Attorneys General in 14 other states co-signed the letter, including Connecticut, the District of Columbia, Delaware, Hawaii, Illinois, Maryland, Maine, Massachusetts, Minnesota, New York, Nevada, Pennsylvania, Oregon, and Vermont, whose residents will probably be less protected if the legislation is approved. Although the APRA addresses a few of the problems with the ADPPA that led to its shelving, Attorney General Bonta and the co-signers are dissatisfied with some provisions of the present APRA draft.
Bonta and the letter's co-signers are not against federal data privacy legislation, and they accept many of the provisions of the APRA, for example the automatic data minimization, strict consent requirements, and protections for children under 17 years old. Nevertheless, they oppose a federal data privacy law that sets a ceiling on data privacy and consumer privacy rights instead of a floor.
The primary issue with the proposed privacy legislation is that the draft presently being considered forbids states from adopting, retaining, enforcing, or continuing essentially any law, rule, regulation, or requirement that is covered by the terms of the APRA. States would be bound by the terms of the APRA and could not strengthen protections.
The state Attorneys General propose a federal privacy law that respects, rather than preempts, more stringent and protective state regulations, particularly given the speed of technological advancement. As shown on several occasions, states can quickly pass legislation in response to changing data collection practices and advances in technology.
Residents of states with extensive data privacy regulations are enjoying the privacy protections and rights that state legislation provides, and businesses have adopted and implemented systems to respect consumer rights, for example online user-activated global opt-out mechanisms such as the Global Privacy Control. If the APRA is passed, there would be a minimum of two more years before consumers could exercise their privacy rights through the Global Privacy Control.
A few states have approved regulations that require businesses to implement data security measures and have created special protections for data types that can be used for identity theft. States have played a crucial role in responding to real-world situations and establishing new minimum data privacy requirements that have not hindered business or restricted technology. Congress must strive to protect, not endanger, these protections.
In the letter, the State Attorneys General pointed to other federal regulations that succeeded in strengthening data privacy and security while respecting states that want to strengthen protections even further. The Health Insurance Portability and Accountability Act (HIPAA) sets minimum criteria for data privacy and security for healthcare companies. States that would like to strengthen protections even more can do so. States can likewise enforce HIPAA compliance.
The state Attorneys General also questioned the terms of the APRA regarding enforcement. Although state Attorneys General have a role in APRA enforcement, their ability to investigate violations would be affected by the present terms of the bill.
Typically, a violation of a federal law or standard could likewise be a violation of state consumer protection law. However, [APRA] Section 20 would work as a standard to check out violations of the federal legislation since it forbids them from forming the basis for state consumer protection claims. This language unnecessarily disrupts strong enforcement capacities.