House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled the American Privacy Rights Act. This comprehensive draft legislation sets clear, national data privacy rights and protections for Americans, eliminates the existing patchwork of state comprehensive data privacy laws, and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals.
The bill would establish foundational uniform national data privacy rights for Americans by:
- Putting people in control of their own personal data.
- Eliminating the patchwork of state laws by setting one national privacy standard, stronger than any state's.
- Minimizing the data that companies can collect, keep, and use about people, of any age, to what companies actually need to provide them products and services.
- Giving Americans control over where their personal information goes, including the ability to prevent the transfer or selling of their data. The bill also allows individuals to opt out of data processing if a company changes its privacy policy.
- Providing stricter protections for sensitive data by requiring affirmative express consent before sensitive data can be transferred to a third party.
- Requiring companies to let people access, correct, delete, and export their data.
- Allowing individuals to opt out of targeted advertising.
Additionally, it would give Americans the ability to enforce their data privacy rights by:
- Giving individuals the right to sue bad actors who violate their privacy rights, and recover money for damages when they’ve been harmed.
- Preventing companies from enforcing mandatory arbitration in cases of substantial privacy harm.
It would also protect Americans’ civil rights by:
- Stopping companies from using people’s personal information to discriminate against them.
- Allowing individuals to opt out of a company’s use of algorithms to make decisions about housing, employment, healthcare, credit opportunities, education, insurance, or access to places of public accommodation.
- Requiring annual reviews of algorithms to ensure they do not put individuals, including youth, at risk of harm, including discrimination.
The bill would hold companies accountable and establish data security obligations by:
- Mandating strong data security standards that would prevent data from being hacked or stolen. This limits the chances for identity theft and harm.
- Making executives take responsibility for ensuring that companies take all actions necessary to protect customer data as required by the law.
- Ensuring individuals know when their data has been transferred to foreign adversaries.
- Authorizing the Federal Trade Commission, states, and consumers to enforce against violations.
Small businesses that are not selling their customers’ personal information would be exempt from the requirements of the bill.