The American Privacy Rights Act
Legal Sidebar
The American Privacy Rights Act
Updated May 31, 2024
On April 7, 2024, Senate Commerce Committee Chair Maria Cantwell and House Energy & Commerce
Committee Chair Cathy McMorris Rodgers jointly released a draft of the American Privacy Rights Act
(APRA). The APRA would create a comprehensive federal consumer privacy framework. It builds on
prior congressional efforts to enact a comprehensive privacy bill, most notably incorporating elements of
the American Data Privacy and Protection Act (ADPPA) (H.R. 8152), which was advanced out of the
House Energy & Commerce Committee during the 117th Congress (H.Rept. 117-669).
The APRA has already evolved since its initial release. The House Energy & Commerce Committee
unveiled an updated version (Updated House Draft) in advance of a markup on May 23, 2024, by the
Innovation, Data, and Commerce Subcommittee. The Updated House Draft includes a new Title II
amending the Children’s Online Privacy Protection Act of 1998 (COPPA). It also makes other changes,
such as creating a centralized mechanism for individuals to request that data brokers delete their personal
information and prohibiting covered entities from targeting advertisements to children under the age of
17.
This Sidebar begins with a summary of the APRA, relying primarily on the joint draft released on April 7,
2024, but noting where the Updated House Draft differs from the original joint draft. The Sidebar also
contains a discussion of how Title II of the Updated House Draft would amend COPPA and how that
language compares with similar bills previously introduced in the 118th Congress. The Sidebar next
compares the APRA to the ADPPA and other comprehensive privacy bills that have been introduced in
Congress. The APRA borrows a substantial amount from the ADPPA but includes material differences,
such as its treatment of small businesses, approach toward minors, and interaction with state laws, as well
as its requirement for algorithmic opt-out rights and immediate availability of a private right of action.
The Sidebar concludes by discussing stakeholders’ reactions to the APRA and potential litigation that may
arise should Congress enact the bill.
Summary of the Bill
Key Definitions
The APRA’s chief focus is governing how covered entities use covered data. Thus, these two definitions
are central to the bill’s scope. The APRA defines “covered entities” to include most individuals,
Congressional Research Service
https://crsreports.congress.gov
LSB11161
CRS Legal Sidebar
Prepared for Members and
Committees of Congress
Congressional Research Service
2
commercial entities, and nonprofits that “alone, or jointly with others, determine[] the purposes and
means of collecting, processing, and retaining, or transferring covered data.” Small businesses, among
others, are exempt from this definition. The APRA defines “covered data” to include any information that
“identifies or is linked or reasonably linkable” to an individual.
Another key definition is sensitive covered data, for which the APRA provides additional protections.
“Sensitive covered data” includes, among other things, government-issued identifiers, genetic
information, health information, financial information, precise geolocation information, and information
about a child under the age of 17. The APRA would give the Federal Trade Commission (FTC) authority
to expand the categories of sensitive covered data through regulation.
The APRA also defines large data holder and data broker, which are two subsets of covered entities that
must comply with additional requirements. Large data holders are those covered entities with annual
gross revenue of more than $250 million in the preceding calendar year that collect enough data to meet
one of the bill’s thresholds. Data brokers are entities “whose principal source of revenue is derived from
processing or transferring covered data that the covered entity did not collect directly” from the individual
linked to the data.
Rights and Obligations
The APRA would establish rights for individuals from whom covered data is collected and impose
obligations on covered entities. Individuals would have the right to access, correct, delete, and export
their covered data held by a particular covered entity. When an individual submits a verified request to a
covered entity to exercise one of these rights, the covered entity must generally respond within 30
calendar days. Large data holders must generally respond to requests by individuals to exercise their
rights within 15 calendar days of receiving the request. The Updated House Draft, however, would
lengthen these timeframes to 45 and 30 days, respectively.
In terms of obligations, the APRA would impose a data minimization requirement on covered entities that
would prohibit them from collecting, processing, retaining, or transferring covered data unless it is
(1) reasonably necessary and proportionate to provide a specific product or service requested by a
consumer or to provide a communication anticipated in the context of the customer relationship; or (2) for
one of the fifteen permitted purposes (sixteen in the Updated House Draft) expressly listed in the bill
(e.g., to conduct market research, investigate and defend against legal claims, or transfer to law
enforcement pursuant to lawful process). The APRA would also require covered entities to comply with
opt-out and consent requirements. For most covered data, covered entities would need to give individuals
an opportunity to opt out of the transfer of their covered data or the use of their data for targeted
advertising. For sensitive covered data, covered entities would be required to obtain an individual’s
affirmative, express consent before transferring that data. Covered entities would also be required to get
express consent before collecting, processing, or retaining biometric or genetic information.
Covered entities would have to comply with a number of other obligations, including transparency rules,
data security standards, and algorithm opt-out requirements. They would also be prohibited from using
covered data in a way that discriminates on the basis of a protected class, using “dark patterns” to
interfere with individuals’ use of their rights, or retaliating against individuals exercising their rights by
denying them service or giving them a different level of service (subject to certain exceptions such as for
“bona fide loyalty programs”).
Large data holders and data brokers would have to comply with additional requirements. For example,
large data holders would have to conduct algorithm impact assessments and privacy impact assessments,
and their CEOs would have to make annual certifications to the FTC regarding their companies’
compliance with the APRA. Data brokers would be required to register with the FTC, which would
establish a central data broker registry with a “Do Not Collect” mechanism allowing individuals to opt out
Congressional Research Service
3
of data brokers’ collection of their covered data. The Updated House Draft would go further, requiring the
FTC to create a “Delete My Data” mechanism, allowing individuals to request that all registered data
brokers delete their covered data. Data brokers also would be required to establish public-facing websites
containing a link to the FTC’s data broker registry.
Federal Trade Commission Authority
The APRA would give the FTC authority to enforce violations of the bill. Violations of the APRA, or any
regulations issued under it, would constitute violations of rules defining unfair or deceptive acts or
practices under the Federal Trade Commission Act, giving the FTC grounds to seek civil penalties,
injunctions, and other equitable relief for violations. The APRA would create a fund for holding civil
monetary penalties paid by violators of the Act, from which the FTC could disburse payments to covered
persons affected by the penalized conduct.
The APRA would also give the FTC authority to add to and clarify certain provisions of the APRA. While
the APRA would not give the FTC broad authority to expound on its provisions through regulations, it
would vest the FTC with rulemaking authority in certain instances (e.g., regulations defining categories of
sensitive covered data and establishing data security requirements). The APRA also would direct the FTC
to issue guidance on how covered entities could comply with certain requirements (e.g., the data
minimization provision and data broker disclosure requirements). The APRA would further require the
FTC to create a process by which covered entities could submit compliance guidelines for approval, and
would require the FTC to establish a pilot program encouraging private-sector use of privacy-enhancing
technology.
To carry out these responsibilities, the APRA would direct the FTC to create a new bureau, comparable in
size to the existing consumer protection and competition bureaus. The new bureau would need to be
staffed and fully operational within one year of the APRA’s enactment.
State and Private Enforcement
The APRA would authorize state attorneys general and state privacy authorities to bring civil actions on
behalf of their states’ residents. In these actions, state enforcers could ask a federal court to issue an
injunction, impose civil penalties, award damages or appropriate equitable relief, and award litigation
costs and attorneys’ fees.
The APRA also would create a private right of action that would allow individuals to sue for certain
violations, for example, disclosure or use of their sensitive, biometric, or genetic information without their
consent; violation of their individual rights; and data security violations resulting in a breach of their
covered data. In such suits, courts could award aggrieved individuals actual damages, injunctive relief,
litigation costs, and attorneys’ fees. Before an individual could bring a lawsuit, however, the APRA would
require that individual to provide potential defendants with notice and, in actions for injunctive relief, an
opportunity to cure the alleged violation, unless the alleged harm qualifies as a “substantial privacy
harm.” The APRA also provides that, in certain cases, a plaintiff filing a suit would be entitled to the
remedies currently provided under Illinois or California state laws. The Updated House Draft would
extend the private right of action to persons—a term often interpreted to include business entities—as
opposed to individuals, a term more likely to be understood as limited to natural persons.
In certain circumstances, the APRA allows individuals to pursue claims in federal court, notwithstanding
any pre-dispute arbitration agreements. If the claim involves a minor, or if the claim alleges a substantial
privacy harm, then the APRA makes any arbitration agreement unenforceable with respect to those claims
if the individual harmed elects to proceed in federal court. The APRA clarifies that any disputes over the
application of this provision should be resolved by the federal court and not any arbitrator.
Congressional Research Service
4
Preemption of State Law
The APRA includes an express preemption clause providing that no state may “adopt, maintain, enforce,
or continue in effect any law, regulation, rule, or requirement covered by the provisions” of the APRA or
any regulations promulgated under it. The APRA has numerous exceptions to this preemption clause,
however. For instance, the APRA would not preempt, among other things, “consumer protection laws of
general applicability,” laws addressing the “privacy rights or other protections of employees or employee
information,” and laws that “protect the privacy of health information, healthcare information, medical
information, medical records, HIV status, or HIV testing.”
Relation to Existing Federal Privacy Law
The APRA would generally preserve existing federal data privacy and data security laws, such as the
Gramm-Leach-Bliley Act, the Health Information Portability and Accountability Act’s administrative
simplification provisions and regulations implementing those provisions, the Fair Credit Reporting Act,
and the Family Educational Rights and Privacy Act. (For an overview of these federal laws, see CRS
Report R45631, Data Protection Law: An Overview, by Steve P. Mulligan and Chris D. Linebaugh.) The
Updated House Draft also explicitly preserves additional laws, such as the Health Care Quality
Improvement Act of 1986 and the Patient Safety and Quality Improvement Act. Covered entities that are
subject to these existing laws would be “deemed to be in compliance” with—or, in the case of the
Updated House Draft, would “not be subject” to—the APRA insofar as they handle data subject to those
existing laws. The APRA provides that covered entities that are required to comply with these existing
laws will be “deemed to be in compliance” with the “related provisions” of the APRA. The APRA would,
however, displace most privacy requirements under the Communications Act of 1934 and the FCC’s
implementing regulations. Finally, the APRA specifically preserves COPPA and “antitrust laws.”
Updated House Draft and COPPA 2.0
Along with the changes mentioned above, the Updated House Draft includes a “Title II” called
“Children’s Online Privacy Protection Act 2.0” (Title II), which would amend COPPA. COPPA, as it
currently stands, provides privacy protections to children under the age of 13. COPPA’s requirements
apply to online operators that direct their website or online service to children or that have “actual
knowledge” they are collecting children’s information. Under COPPA and the FTC’s implementing
regulations, covered operators must, among other things, obtain verifiable parental consent before
collecting, using, or disclosing children’s personal information; provide parents with notice of the
operator’s privacy policies; maintain reasonable data security procedures; and comply with data retention
and deletion requirements. COPPA preempts state laws that regulate the activities of online operators in a
manner that is “inconsistent with the treatment of those activities or actions” under COPPA. Courts
applying COPPA’s preemption provision to state law causes of action have reached different outcomes in
different cases. The U.S. Court of Appeals for the Ninth Circuit has held that COPPA does not preempt
individuals from bringing state lawsuits based on conduct that also violates COPPA. In contrast, some
district courts in other circuits have held that such suits are inconsistent with COPPA’s enforcement
structure, which does not include a private right of action.
Some lawmakers have sought to update COPPA. In the 118th Congress, the Children and Teens’ Online
Privacy Protection Act (commonly referred to as “COPPA 2.0”) has been introduced and sponsored by
bipartisan groups of lawmakers in both the House (H.R. 7890) and Senate (S. 1418), and in July 2023 the
Senate Commerce Committee voted to advance S. 1418 to the full Senate. H.R. 7890 and S. 1418 would
extend COPPA’s protections to teens (defined as individuals “over the age of 12 and under the age of 17”)
and revise COPPA’s “actual knowledge” standard to include situations where an online operator “has
Congressional Research Service
5
knowledge fairly implied on the basis of objective circumstances” that they are collecting information
from a child or teen. These bills would also ban “individual-specific advertising” to children or teens,
prohibit online operators from storing or transferring a child or teen’s data outside of the United States
without providing direct notice, and impose data minimization requirements on online operators. These
bills would direct the FTC to, among other things, update its regulations to address how COPPA applies in
the educational context, evaluate the feasibility of a common verifiable consent mechanism for multiple
operators providing a joint service, and submit oversight and enforcement reports to Congress.
Title II of the Updated House Draft contains many of the same provisions as H.R. 7890. For instance, it
contains most of the same definitional updates, the same provision addressing COPPA’s application in the
educational context, the same provision directing the FTC to evaluate a common verifiable consent
mechanism, and the same requirement directing the FTC to submit reports to Congress.
There are notable differences. Title II would not extend COPPA’s protections to teens, would not include
H.R. 7890’s prohibition on “individual-specific advertising,” and it would not broaden COPPA’s
knowledge standard. The Updated House Draft does, however, include certain protections for “covered
minors” (individuals under the age of 17) in Title I. These protections include a ban on transferring
sensitive covered data (which includes information about a covered minor) without affirmative express
consent and a prohibition on “targeted advertising” to covered minors. Title I does not, however, specify
any knowledge standard or other mental state requirement that applies to these prohibitions. There are
other distinctions between Title II and H.R. 7890 that appear to reflect Title II’s integration with the
APRA. For instance, Title II omits H.R. 7890’s prohibition on collecting personal information from
children or teens when not necessary to complete a transaction or perform a service, but Title II would
expressly prohibit online operators subject to COPPA from collecting personal information from a child in
a manner that violates the APRA. Similarly, Title II does not include H.R. 7890’s data minimization
requirements, but the APRA has its own data minimization provision in Title I. Lastly, Title II does not
have a provision expressly allowing state laws that provide additional protections to children or teens,
thus leaving COPPA’s existing preemption provision in place.
Comparison to the ADPPA and Other Privacy Bills
While the APRA has many similarities with the ADPPA, containing broadly similar individual rights and
covered-entity obligations, there are differences. For example, the APRA would exempt small businesses
entirely from its scope, while the ADPPA would have excluded small businesses only from certain
requirements. The APRA also does not have some of the protections that the ADPPA would have
established for minors under the age of 17, such as its prohibition of targeted advertising (although such a
prohibition was added in the Updated House Draft) and the creation of a Youth Privacy and Marketing
Division at the FTC. The APRA, however, contains some obligations not found in the ADPPA, such as the
requirement that covered entities give individuals an opportunity to opt out of the use of certain
algorithms. (The Updated House Draft creates an exception for this opt-out requirement where doing so
would be prohibitively costly or technologically impracticable.) While both bills contain a private right of
action, the APRA’s private right of action would be effective immediately, whereas the ADPPA would
have delayed it for two years after the law’s enactment. The two bills’ preemption provisions have the
same basic structure, yet there are several potentially significant differences. For instance, the ADPPA
would have expressly preserved several specified state privacy laws, such as Illinois’s Biometric Privacy
Act and Genetic Information Privacy Act and California’s private right of action for victims of data
breach. In contrast, under the APRA, these laws would not expressly be preserved, although individuals
would be able to obtain the remedies provided by these laws in certain circumstances.
Numerous other comprehensive data privacy bills that further differ from the APRA have been introduced
in the 117th and 118th Congresses. For example, rather than specifying detailed user rights and consumer
Congressional Research Service
6
obligations, the Data Care Act of 2023 (S. 744, 118th Cong.) would impose broad duties of care, loyalty,
and confidentiality on online service providers. Other bills contain a set of individual rights and covered
entity obligations similar to the APRA yet differ on individual enforcement and preemption of state laws.
For example, the Online Privacy Act of 2023 (H.R. 2701, 118th Cong.) would provide, and the Consumer
Online Privacy Rights Act (COPRA) (S. 3195, 117th Cong.) would have provided, a private right of
action without requiring an opportunity to cure or imposing other limitations and would not preempt state
laws unless there was a direct conflict with the federal law.
Commentary and Potential Legal Challenges
The draft APRA has garnered bipartisan support, and various interest groups, commentators, and
technology companies, such as, respectively, the Center for Democracy and Technology, the Washington
Post’s editorial board, and Microsoft, have expressed enthusiasm for the draft bill. Some of these
commentators have lauded the bill for compromising on contested issues (namely, whether to provide a
private right of action and whether to preempt state laws). At a House Energy & Commerce Committee
hearing on April 17, 2024, all of the witnesses agreed that the APRA was the “best chance” for “getting
something done” on comprehensive data privacy. At the same time, some of the APRA’s supporters have
also suggested ways it could be improved. For example, some lawmakers and commentators have said
that the APRA’s protections for minors should be strengthened, such as by including the ADPPA’s ban on
targeted advertising to those under the age of 17. Some commentators have also argued that its data
broker provisions should be tightened, such as by including a “one-stop-shop for data deletion requests”
and clarifying that data brokers are not exempt from the APRA even if they qualify as consumer reporting
agencies under the Fair Credit Reporting Act. Several of these concerns have been addressed by the
Updated House Discussion Draft, which, as mentioned, includes a ban on targeted advertising to minors
under 17 and would require the FTC to create centralized data deletion request mechanisms for data
brokers. At the same time, during the May 23 markup of the Updated House Draft, several Members
expressed concerns with the way in which Title II of the Draft revises COPPA, such as by not updating
COPPA to protect teens and by failing to expand COPPA’s knowledge standard. Some Members also
maintained that the Update House Draft’s prohibition on targeted advertising to minors is less robust than
H.R. 7890 and S. 1418’s restriction on “individual-specific advertising.”
Other stakeholders have been critical of the APRA’s preemption provisions, which were not changed in
the Updated House Draft. The California Privacy Protection Agency (CPPA), for example, has faulted the
APRA for preempting state privacy laws and has argued that Congress should set a “floor” for privacy
rights rather than a “ceiling.” The CPPA cited its draft regulations on automated decisionmaking
technology (ADMT), which would allow individuals to opt out of companies using their personal
information to train ADMT, as an example of an important protection that could be preempted by the
APRA. On the other hand, the U.S. Chamber of Commerce has criticized the APRA for taking too narrow
of an approach to preemption. The Chamber also took issue with the APRA’s private right of action and
some of its substantiative requirements, such as its algorithm provisions and its right to opt out of targeted
advertising.
Should the APRA be finalized, there may be litigation over its constitutionality and scope. As discussed
further in a 2019 CRS report, the U.S. Supreme Court has said that “the creation and dissemination of
information are speech within the meaning of the First Amendment.” Litigants have challenged laws that
restrict the sale or use of data collected from customers and laws that restrict certain targeted
advertisements under the First Amendment. It is possible that similar challenges may be raised against
some of the APRA’s provisions that restrict the dissemination of customer data or the targeting of
advertisements. There may also be litigation over the scope of the APRA’s preemption provisions. For
instance, questions may arise as to whether the APRA preempts state privacy laws that regulate entities
not covered by the APRA, such as small businesses. The expansive reach of the APRA’s savings clauses,
Congressional Research Service
7
too, may give rise to litigation, as potential challengers of the law might seek to clarify whether various
state laws qualify as one of the categories of statutes exempt from preemption.
Author Information
Chris D. Linebaugh
Clay Wild
Legislative Attorney
Legislative Attorney
Peter J. Benson
Jonathan M. Gaffney
Legislative Attorney
Section Research Manager
Matthew D. Trout
Legislative Attorney
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.
LSB11161 · VERSION 2 · UPDATED