The American Privacy Rights Act and what it means for startups

Engine · Apr 11, 2024

By Nathan Lindfors, Policy Director, Engine Advocacy

[This is a living blog post: it will be updated as the APRA moves forward through the legislative process. Last updated: April 11, 2024]

Congress is taking another crack at data privacy legislation, a widely acknowledged but elusive policy priority for lawmakers and industry alike. On Sunday, April 7th, key committee chairs released a draft federal privacy law, called the American Privacy Rights Act, the first movement on bipartisan comprehensive privacy legislation since the American Data Privacy and Protection Act failed to move out of the House last Congress. The bill would create new data privacy rights for consumers, preempt state laws, allow individuals to sue over alleged violations, and exempt small businesses. Startups have encountered increasing burdens from a growing patchwork of unique state privacy laws, and the uniform national standard this legislation would create would be a welcome step.

How did we get here?

In the absence of federal action, more than fifteen states have enacted their own privacy laws, creating a patchwork of rules that vary by state. That patchwork is continuing to grow, sowing confusion for startups and their customers alike. Differing rules about the same issues are a significant headwind for startups. Sam Caucci, founder and CEO of New Jersey-based 1Huddle, emphasized that “as a high-growth and early-stage startup trying to grow fast, you’re at a major competitive disadvantage,” adding, “I would have to raise an entire second Series A to navigate many of these frameworks.” Last year, an Engine report found that startups already spend hundreds of thousands of dollars on privacy compliance, and that each additional state tacks on $15,000-$60,000 in costs. Ultimately, the Internet does not stop at state borders, and a patchwork of rules threatens to bury resource-strapped startups under duplicative compliance costs, limit their scalability, and undermine their chances of success.

During the previous Congress in 2022, key committee leaders aimed to solve this problem with a proposed federal privacy law called the American Data Privacy and Protection Act. That bill had support from Rep. Frank Pallone (D-N.J.), Rep. Cathy McMorris Rodgers (R-Wash.), and Sen. Roger Wicker (R-Miss.) and advanced with a near-unanimous 53–2 vote out of committee but fell victim to familiar sticking points on privacy. Then-Speaker Nancy Pelosi (D-Calif.) refused to bring the legislation up for a floor vote because it would preempt her home state’s law, the California Consumer Privacy Act. Senate Commerce Committee Chair Maria Cantwell (D-Wash.) opposed the legislation because it put up too many roadblocks to individuals suing over alleged violations. The Federal Trade Commission meanwhile initiated the process of writing its own privacy rules — to the chagrin of many lawmakers.

After a flurry of hearings early in the current Congress in 2023, many expected the ADPPA to be reintroduced. That failed to materialize and focus at the federal level shifted to measures to expand privacy protections for children. Then, on April 7th, 2024, Senator Cantwell and Rep. McMorris Rodgers, the House Energy and Commerce Committee Chair, released a discussion draft of legislation called the American Privacy Rights Act (APRA). That legislation is poised to be a focal point of the privacy debate in the months to come and startups should understand what it might mean for them.

What’s in the draft legislation?

Applicability — Small Business Exemption

The first step in understanding legislation is understanding whom it applies to, and most state-level privacy legislation includes exemptions for small businesses. The APRA exempts small businesses that have $40,000,000 or less in annual revenue; collect, process, retain, or transfer the covered data of 200,000 or fewer individuals; and (emphasis added) do not earn revenue from the transfer of covered data to third parties. That is a high revenue number, almost certainly ruling out startups that are Series B or smaller. By contrast, many startups, even some pre-revenue startups, may hold covered data from more than 200,000 individuals. (Depending on the business model, a startup can reach 200,000 user accounts before generating much revenue, and some startups use waitlists to learn which features they should develop or to demonstrate consumer interest to investors.) Since the definition says “and,” not “or,” once a company exceeds any one of those three limits, it is in scope of the legislation. This definition will exempt many conventional small businesses (transaction information like credit card data does not count toward the 200,000), but many startups will quickly find themselves in scope.

Some state laws, like California’s and Utah’s, set revenue thresholds at $25 million or higher. Most state laws set their threshold at the personal information of 100,000 or more individuals, except in a few smaller states (Montana, New Hampshire, and Delaware) that lowered it because of their small populations. The threshold in the APRA is only twice what most states have enacted, but in percentage terms it is much lower: the average U.S. state has a population of about 5.7 million, of which 100,000 is about 1.75 percent, while the population of the U.S. is about 333.3 million, of which 200,000 is about 0.06 percent. To remain at parity with state exemptions, policymakers would need to revise this threshold upward to well over 5 million.

Most startups will be in scope of the APRA, or plan to grow to a point where they will be, and, should it become law, will build their companies with the APRA in mind. If policymakers wish to mitigate the negative impact of scoping in startups so soon, they should change “and” to “or” in the definition of small business, remove the 200,000-individual element of the definition, or revise that threshold significantly upward.

Preemption

Preemption of unique state data privacy laws is critical to establish one set of rules nationwide, creating greater clarity and removing duplicate compliance activities and costs. In discussing preemption, the APRA includes a section indicating its “purpose” to “establish a uniform national data privacy and data security standard in the United States to prevent administrative costs and burdens placed on interstate commerce.” Separately, the draft includes a provision to “terminate” the Federal Trade Commission’s rulemaking on “Commercial Surveillance and Data Security.” The APRA would preempt state laws that address issues covered by the federal law, but it would not preempt unique state laws governing things like health information, student information, financial records, data breaches, consumer protection, or civil rights. That would preempt comprehensive state laws and some narrower privacy laws like Illinois’ Biometric Information Privacy Act. But it would seem to leave in place some narrower state laws that impact some healthtech, edtech, and fintech startups, and it would leave in place the patchwork of data breach laws.

Data rights, opt-outs, transparency, and data minimization

The APRA includes several data rights commonly found in privacy laws, letting people access, correct, delete, and export their data. The bill also lets individuals opt out of targeted advertising, out of certain data transfers, and out of the use of an algorithm to make a “consequential decision” with regard to housing, employment, education, healthcare, insurance, or credit. It lays out transparency requirements for what companies must include in their privacy policies and enables individuals to opt out in the event of material changes to data processing or transfers. The APRA also maintains the focus on data minimization that was present in the earlier ADPPA draft. Generally, companies cannot collect, process, retain, or transfer data beyond what they need to provide the product or service requested by the consumer — though there are 15 exceptions, including when the data is de-identified.

These provisions will affect startups. Many of the basic data rights to access, delete, and so on may be familiar to startups, but most have not handled requests at the scale that might be expected nationwide, as opposed to in just several states. That said, having one standardized process for handling those requests will be helpful. Some startups — especially those in the early stages and those that offer free services to consumers — rely on data-driven advertising revenue or reach consumers through such advertisements, and the APRA would affect those companies. Some startups’ main product is an algorithm that leads to better or different outcomes in those categories, like credit or employment. It is unclear whether startups will be able to offer alternatives to those decisions, and not providing them is unlikely to be an option, since that could be considered retaliation, which the Act prohibits. Finally, data minimization may affect future product development for startups, particularly those in data-driven spaces like AI, or those looking to enhance their current offerings with AI in the future. For example, many startups order content manually or with a basic algorithm at launch and plan to build machine learning algorithms to personalize the ordering of content later.

Enforcement

The APRA will be enforced by the Federal Trade Commission, by states, and by individuals through private lawsuits. The draft legislation would set up a new bureau within the FTC tasked with enforcing the law. In the states, state attorneys general, state chief consumer protection officers, or other state officers authorized to enforce data privacy laws can enforce the APRA, but only one of those officers can bring an enforcement action against the same defendant. States also must notify the FTC before bringing an action. States cannot bring enforcement actions while the FTC is pursuing an enforcement action, but they can conduct investigations during that time. Finally, and likely of greatest concern to startups, the APRA empowers individuals to sue for alleged violations of the law, seeking actual damages (i.e., a monetary amount equal to the alleged harm) and/or injunctive relief (e.g., to stop or reverse an allegedly violative data transfer). Except in cases of substantial privacy harm, individuals must provide at least 30 days’ notice before bringing an action, and for actions involving injunctive relief, companies have that 30-day period in which they can “cure” the violation. Individuals can only bring actions under certain parts of the bill.

The earlier ADPPA also included enforcement by private lawsuits (also called a private right of action), but that bill had some safeguards (and a longer cure period) that drafters thought could curb abusive or bad-faith litigation. Under that bill, an individual (or class of individuals) that wanted to sue needed to first confer with their state attorney general and the FTC, who had 60 days to determine whether their agencies would independently take action. Only if neither enforcer decided to pursue the case could the individual continue with the lawsuit. That was still somewhat problematic, because it would lead to a selection problem in which the least meritorious private lawsuits could proceed, but the APRA does not have even these safeguards. The APRA could set up a “privacy troll” problem for startups. Private lawsuits — or even the threat of lawsuits — negatively affect startups, which lack the resources to withstand litigation that can cost hundreds of thousands of dollars.

What’s next?

On April 17th, the APRA will get its first legislative hearing in the House Energy and Commerce Innovation, Data, and Commerce Subcommittee, alongside several other bills addressing privacy and content online. It will be an opportunity for members of the committee to learn more about and scrutinize the bill.

Two key members of Congress have already weighed in on the APRA, including the top Energy and Commerce Democrat, Rep. Frank Pallone (N.J.), who commended the draft but said it needed to be strengthened with regard to children’s privacy. Meanwhile, Sen. Ted Cruz (Texas), the top Republican on the Senate Commerce Committee, criticized aspects of the bill, insinuating that the private right of action will “empower trial lawyers,” warning that he could not support a bill that would impose “crushing new regulatory costs on upstart competitors,” and urging that the bill move through regular order.

Creating a uniform national data privacy standard that ends the patchwork has long been a priority for startups. As this draft gets introduced and continues to move through the legislative process, lawmakers should continue to improve it so that U.S. startups can thrive and continue to lead the world in innovation.

Disclaimer: This post provides general information related to the law. It does not, and is not intended to, provide legal advice and does not create an attorney-client relationship. If you need legal advice, please contact an attorney directly.

Engine is a non-profit technology policy, research, and advocacy organization that bridges the gap between policymakers and startups. Engine works with government and a community of thousands of high-technology, growth-oriented startups across the nation to support the development of technology entrepreneurship through economic research, policy analysis, and advocacy on local and national issues.
