It took the magic of an eclipse across America for US legislatures to finally progress on developing federal data privacy regulation. The American Privacy Rights Act (APRA) is surprising but not shocking, given that it has been in the works for several years. The APRA began to have a more straightforward path toward reality as recent executive orders on data transfers and AI delivery and development would be difficult to implement without a national law.
What is the American Privacy Rights Act (APRA)?
The American Privacy Rights Act of 2024 is currently a “discussion draft” providing a national data privacy and security framework outlining consumer rights and data management requirements. Under the APRA, companies would have to limit the types of consumer data they collect, retain, and use, allowing only data needed to operate their services.
Why is the APRA Important?
The new legislation fills pieces of the data privacy protection puzzle and adapts to new cybersecurity complexities and technological advancements, such as Intelligence artificielle (IA). It addresses the constant data privacy challenges and proposes a more unified approach to giving consumers specific rights to their personal data. The ARPA gives Americans more control over their privacy online, such as the right to opt out of target ads and take legal action for violating their privacy rights.
What You Need to Know About APRA
The draft of the APRA is an evolved version of the American Data Privacy and Protection Act (ADPPA). Both legislation provided privacy rights to consumers, required data minimization, advanced security measures, and set rule-making by the Commission fédérale du commerce (FTC). However, although both are similar, several significant changes need attention:
Exclusions
The APRA excludes small businesses, only if:
- Annual revenue is less than USD40 million.
- Data processing is more than 200,000 individuals, with exceptions.
- No revenue is earned from the transfer of data to third parties.
Executive Accountability
The ARPA requires a designated data privacy or security officer, but doesn’t need to be a standalone position or new hire.
Transparence des données
- Privacy policies must include specific information, including categories of data collected, processed or retained; the purpose for processing data, the length of data retained, data security practices, list of third parties and names of any data broker transfers.
- The privacy policy must also detail how consumers can exercise their rights.
- Material changes to the privacy policy require advanced notice and ways of opting out.
Minimisation des données
There is a major emphasis on minimisation des données which restricts the data collected and used to purposes deemed necessary and limited, with special handling and consent for biometric and genetic information.
Data Security & Protection
APRA requires organizations to establish data security standards that are appropriate for the company’s size, the nature and scope of data management, the volume and sensitivity of data, and the technologies used to safeguard data. Organizations must also assess vulnerabilities and mitigate risks to consumer data.
Private Right of Action
The APRA has introduced a private right of action. The private right of action will allow consumers to file lawsuits and seek compensation against companies that fulfill data privacy rights such as data deletion requests or use personal data without consent.
Évaluations de l'impact sur la vie privée
The APRA requires privacy impact assessments for covered algorithms that pose a “consequential risk,” especially when they pertain to:
- Children and minors
- Housing, education, employment, health care, insurance, or credit
- Public accommodations based on protected characteristics;
- Race, color, religion, and sex
- Political party registration and affiliation.
Service Providers and Third Parties
- The APRA requires organizations to do their due diligence when selecting a service provider and sharing data with third parties.
- Service providers must adhere to the instructions of a covered entity and fulfill the obligations under the APRA.
APRA Consumer Rights
Under the APRA, consumers have the right to:
- Access their data collected, processed, or retained after submitting a verified request
- Know the name of any third party or service provider to which the data was transferred and the purpose of the transfer
- Correct inaccurate or incomplete data regarding an individual
- Delete the data of an individual
- Export data pertaining to an individual
- Not be retaliated against for exercising consumer rights
- Opt-out of data transfers and target advertising
- Opt-out of algorithms for consequential decisions that relate to employment, healthcare, education, housing, credit, or insurance
Organizations must comply with individual data privacy rights within the correct timeframes. Organizations may deny a request if it requires access to data on someone else; interferes with a legal process; or violates other laws.
How Does the ARPA Affect New and Emerging State Legislation?
Even though the ARPA will be enforced nationally, individual state laws may no longer be enforceable but will still be relevant on specific issues such as consumer protections, civil rights, health, and financial data.
The legislation is similar to existing state laws such as CCPA/CPRA, which include similar provisions around protecting genetic and biometric data.
How BigID Helps Organizations Get In-front of the APRA
Regardless of the outcome of the new APRA, BigID is prepared to help organizations comply with evolving privacy regulations and adapt to the constantly shifting data privacy landscape by implementing a comprehensive privacy program.
Leverage BigID’s AI-automated and identity-aware data privacy management for risk & compliance to move beyond policy and process to:
- Découvrez vos données : Découvrez et cataloguez vos données sensibles, y compris structurées, semi-structurées et non structurées, dans des environnements sur site et dans le cloud.
- Cartographiez vos données : Automatiquement mapper les PII et les PI aux identités, entités et résidences pour visualiser les données sur les systèmes.
- Appliquer les politiques de protection de la vie privée : Assurer l'alignement et l'application des politiques de données conformément aux mandats de protection de la vie privée afin de satisfaire aux exigences de conformité réglementaire.
- Automatiser la gestion des droits sur les données : Automatiser les demandes de respect des droits des individus et des données personnelles, depuis l'accès et les mises à jour jusqu'aux appels et à la suppression.
- Suivi des violations et de l'éthique de l'IA : Assess and monitor AI technology and usage across the organization to protect personal data and remediate risk.
- Surveiller les transferts de données transfrontaliers : Appliquez la résidence aux sources de données et aux données personnelles individuelles avec des politiques pour déclencher des alertes sur les violations de transfert de données transfrontalières.
- Évaluer les risques liés à la confidentialité : Initiez, gérez, documentez et réalisez diverses évaluations, notamment PIA, DPIA, fournisseur, IA, TIA, LIA, etc. pour la conformité et la réduction des risques.
- Accelerate Breach Analysis & Response: Accurately determine the extent of a data breach and notify the right individuals and entities according to regulatory requirements.
- Rationalisez la gestion du cycle de vie des données : Appliquez une approche basée sur des politiques pour automatiser la gestion du cycle de vie des données à travers la collecte, la conservation et la suppression.
Obtenir une démonstration 1:1 to see how BigID enables businesses to automate and operationalize their privacy programs to comply with the APRA.
Auteur
