It took the magic of an eclipse across America for US legislatures to finally progress on developing federal data privacy regulation. The American Privacy Rights Act (APRA) is surprising but not shocking, given that it has been in the works for several years. The APRA began to have a more straightforward path toward reality as recent executive orders on data transfers and AI delivery and development would be difficult to implement without a national law.

What is the American Privacy Rights Act (APRA)?

The American Privacy Rights Act of 2024 is currently a “discussion draft” providing a national data privacy and security framework outlining consumer rights and data management requirements. Under the APRA, companies would have to limit the types of consumer data they collect, retain, and use, allowing only data needed to operate their services.

Why is the APRA Important?

The new legislation fills pieces of the data privacy protection puzzle and adapts to new cybersecurity complexities and technological advancements, such as Artificial Intelligence (AI). It addresses the constant data privacy challenges and proposes a more unified approach to giving consumers specific rights to their personal data. The ARPA gives Americans more control over their privacy online, such as the right to opt out of target ads and take legal action for violating their privacy rights.

Download The Forrester Wave™: Privacy Management Software, Q4 2023

What You Need to Know About APRA

The draft of the APRA is an evolved version of the American Data Privacy and Protection Act (ADPPA). Both legislation provided privacy rights to consumers, required data minimization, advanced security measures, and set rule-making by the Federal Trade Commission (FTC). However, although both are similar, several significant changes need attention:


The APRA excludes small businesses, only if:

  • Annual revenue is less than USD40 million.
  • Data processing is more than 200,000 individuals, with exceptions.
  • No revenue is earned from the transfer of data to third parties.

Executive Accountability

The ARPA requires a designated data privacy or security officer, but doesn’t need to be a standalone position or new hire.

Data Transparency

  • Privacy policies must include specific information, including categories of data collected, processed or retained; the purpose for processing data, the length of data retained, data security practices, list of third parties and names of any data broker transfers.
  • The privacy policy must also detail how consumers can exercise their rights.
  • Material changes to the privacy policy require advanced notice and ways of opting out.

Data Minimization

There is a major emphasis on data minimization which restricts the data collected and used to purposes deemed necessary and limited, with special handling and consent for biometric and genetic information.

Data Security & Protection

APRA requires organizations to establish data security standards that are appropriate for the company’s size, the nature and scope of data management, the volume and sensitivity of data, and the technologies used to safeguard data. Organizations must also assess vulnerabilities and mitigate risks to consumer data.

Download the DSPM Guide.

Private Right of Action

The APRA has introduced a private right of action. The private right of action will allow consumers to file lawsuits and seek compensation against companies that fulfill data privacy rights such as data deletion requests or use personal data without consent.

Privacy Impact Assessments

The APRA requires privacy impact assessments for covered algorithms that pose a “consequential risk,” especially when they pertain to:

  • Children and minors
  • Housing, education, employment, health care, insurance, or credit
  • Public accommodations based on protected characteristics;
  • Race, color, religion, and sex
  • Political party registration and affiliation.
Explore Our PIA Automation App

Service Providers and Third Parties

  • The APRA requires organizations to do their due diligence when selecting a service provider and sharing data with third parties.
  • Service providers must adhere to the instructions of a covered entity and fulfill the obligations under the APRA.

APRA Consumer Rights

Under the APRA, consumers have the right to:

  • Access their data collected, processed, or retained after submitting a verified request
  • Know the name of any third party or service provider to which the data was transferred and the purpose of the transfer
  • Correct inaccurate or incomplete data regarding an individual
  • Delete the data of an individual
  • Export data pertaining to an individual
  • Not be retaliated against for exercising consumer rights
  • Opt-out of data transfers and target advertising
  • Opt-out of algorithms for consequential decisions that relate to employment, healthcare, education, housing, credit, or insurance

Organizations must comply with individual data privacy rights within the correct timeframes. Organizations may deny a request if it requires access to data on someone else; interferes with a legal process; or violates other laws.

How Does the ARPA Affect New and Emerging State Legislation?

Even though the ARPA will be enforced nationally, individual state laws may no longer be enforceable but will still be relevant on specific issues such as consumer protections, civil rights, health, and financial data.

The legislation is similar to existing state laws such as CCPA/CPRA, which include similar provisions around protecting genetic and biometric data.

See BigID in Action

How BigID Helps Organizations Get In-front of the APRA

Regardless of the outcome of the new APRA, BigID is prepared to help organizations comply with evolving privacy regulations and adapt to the constantly shifting data privacy landscape by implementing a comprehensive privacy program.

Leverage BigID’s AI-automated and identity-aware data privacy management for risk & compliance to move beyond policy and process to:

  • Discover Your Data: Discover and catalog your sensitive data, including structured, semi-structured, and unstructured – in on-prem environments and across the cloud.
  • Map Your Data: Automatically map PII and PI to identities, entities, and residencies to visualize data across systems.
  • Enforce Privacy Policies: Ensure alignment and enforcement of data policies in accordance with privacy mandates to fulfill regulatory compliance requirements.
  • Automate Data Rights Management: Automate individual, personal data rights fulfillment requests from access and updates to appeals and deletion.
  • Track AI Violations & Ethics: Assess and monitor AI technology and usage across the organization to protect personal data and remediate risk.
  • Monitor Cross-Border Data Transfers: Apply residency to data sources and individual, personal data with policies to trigger alerts on cross-border data transfer violations.
  • Assess Privacy Risks: Initiate, manage, document, and complete various assessments, including PIA, DPIA, vendor, AI, TIA, LIA, and more for compliance and risk reduction.
  • Accelerate Breach Analysis & Response: Accurately determine the extent of a data breach and notify the right individuals and entities according to regulatory requirements.
  • Streamline Data Lifecycle Management: Apply a policy-based approach to automate data lifecycle management across collection, retention, and deletion.

Get a 1:1 demo to see how BigID enables businesses to automate and operationalize their privacy programs to comply with the APRA.