While user data has become the lifeblood of the internet economy, it is not without risks. Data breaches, such as the AT&T leak last month, demonstrate that user information is a tempting target for hackers. To that effect, Congress recently introduced the American Privacy Rights Act of 2024 (APRA), which, if adopted, would create a nationwide regulatory framework for protecting consumers’ data, replacing the current patchwork of state regulations. As currently written, the bill will likely improve consumer control over their data and reduce the impact of data breaches in the process, even if there is room for improvement in the legislation.

The APRA takes a focused approach to data protection. It defines covered data as data that is either linked to or could be linked to the individual it came from while excluding publicly available data where any identifying information has been removed. In effect, the bill focuses on protecting the data most critical to people’s privacy and security.

While personal information can never be completely secure, the bill does help minimize the risk of exposure by limiting how much identifiable data is collected and preventing what is collected from being transferred to unknown third parties without the express consent of users. This limits what identifiable data is available to hackers through a breach or to third parties that may not take adequate security measures.

Data breaches occur due to technical issues or human error and result in data being at the mercy of the hacker. Whatever the cause, the impact of these breaches can be very costly for the people whose data was compromised, the company involved, and consumers at large. Sensitive information, such as credit card numbers, insurance details, and other personal information, can be stolen and used for any number of purposes. These attacks also drive up the cost of cybersecurity for affected companies, which could be forced to pass these costs on to consumers in the form of higher prices.

Nothing can completely eliminate the risk of data breaches or completely ensure data security, but the kind of data minimization the APRA proposes could limit the impact of breaches by reducing the amount of identifiable information that is vulnerable. Hackers cannot obtain data that is not collected or stored; only keeping what is necessary and anonymous reduces what is available to hackers. Data minimization is already an established principle to protect consumer privacy.

APRA is not perfect, however. Some stipulations leave data more vulnerable than is necessary. The biggest of these is the exemption of small businesses from the definition of covered entities.

Privacy and security concerns need to be weighed against the financial burdens regulations place on small businesses. The American Consumer Institute has previously argued that while small businesses should be given room to develop security processes that work for them, they should not be given wholesale exemption from the law.

Data breaches are costly not only to their victims but also to the wider economy. Therefore, taking steps to mitigate them by giving consumers more control over their identifiable data and limiting what companies can collect without consent is a step in the right direction. It gives individuals the chance to prevent sensitive information from being collected at all. In this regard, the bill is a good start, but it should be further refined to protect all consumers.

Trey Price is a policy analyst with the American Consumer Institute, a nonprofit education and research organization. For more information about the Institute, visit us at www.TheAmericanConsumer.Org or follow us on X @ConsumerPal.