Roughly a year ago, the American Consumer Institute (ACI) released the primer Consumer-Focused Data Privacy. In it, we emphasized a need to eliminate the patchwork of state laws and instead focus on informed consumer consent. In addition, we cautioned against overly broad provisions such as the right to be forgotten, limits on targeting, and data portability, and emphasized empowering consumers.

The recently proposed American Privacy Rights Act of 2024 accomplishes this in part, but is much broader than the proposal put forward by ACI. Overall, the legislation has some good, some bad, and some areas for improvement.

Good

  • Definitions: The definitions rightfully acknowledge differences between data types and allow for different requirements for sensitive and non-sensitive data. Additionally, the term “covered data” excludes de-identified (anonymized) information and inferences made from public sources. This narrow(er) focus allows the regulations to better target data that isn’t already somewhat protected through anonymization or publicly available.  
  • Data Minimization: In line with ACI’s data privacy principles, data minimization gives consumers the ability to opt out of the collection, maintenance, or transfer of data to third parties. This section provides needed flexibility with exclusions that range from market research to data security and compliance with other laws.
  • Transparency: Informed consumer consent is another essential principle for consumer-centered data privacy. This section requires simple explanations of data practices, notifications when these practices change, and the opportunity to opt-out.  An additional bonus is that the public statement of data practices allows for the FTC to pursue action against companies that don’t adhere to their standards.  
  • Relation to Other Laws: Creating preemption is crucial to avoid the patchwork of different laws that currently exist. This patchwork creates estimated annual business compliance costs of anywhere between $98 and $112 billion.
  • Termination of FTC Rulemaking on Commercial Surveillance and Data Security: Creating a data privacy law is the role of Congress. Supplanting agency efforts with this legislation protects the proper role of both entities.

Bad

  • Definitions: Small businesses are excluded from the definition of covered entity. This is common in data privacy legislation intended to alleviate compliance burdens on firms that aren’t as financially secure. However, from the consumer perspective, privacy violations or data leaks are just as harmful when a small business causes them.
  • Individual Control over Data: Under this section, businesses would be required to release data to consumers and, upon request, correct, delete, and notify third parties of the request. The provision does include a beneficial carve-out for derived data (inferences made by the company) if doing so would jeopardize a trade secret.
  • Commission Approved Compliance Guidelines: The FTC is a logical choice for enforcement. However, the agency is increasingly losing its reputation as a non-political enforcer that particularly focuses on tech companies. Granting enforcement, rulemaking, and guidance to the agency, without a push for agency reform, will result in over-prosecution that targets legitimate business practices and mission creep that grows a costly bureaucracy.

Proposed Changes

  • Definitions: Rather than excluding small businesses from data privacy requirements, Section 9 should be altered to allow for small businesses to develop processes that are right for them and remove the carve-out.
  • Definitions: Currently derived data is excluded if taken from multiple public sources. This definition should be updated to exclude derived data that is de-identified, from a public source, or a combination of both.
  • Data Minimization: In addition to the current provisions, lawmakers should consider a rolling deletion requirement that excludes de-identified and derived data.
  • Individual Control over Data: Allowing a consumer to view, correct, delete, and track where their data has been sent is in line with a consumer-centric approach. However, mandating that companies facilitate the transfer of data would require tech companies to essentially provide highly desired resources to their competitors. Given other provisions in the bill, consumers’ provision of data would already be well informed; requiring the transfer goes beyond consumer protection. This aspect should be removed.
  • Interference with Consumer Rights: A key shortcoming of the term “dark patterns” is that it lacks a clear definition, and there is a significant gray area between deception and user experience. The legislation already mandates that the “option to refuse consent shall be at least as prominent as the option to accept, and the option to refuse consent shall take the same number of steps or fewer as the option to accept.” Since this requirement already covers truly deceitful practices, this section should be removed.
  • Enforcement by Individuals: Creating a private right of action creates incentives to flood the courts with lawsuits that benefit trial attorneys but do not benefit consumers. In Illinois, the Biometric Information Privacy Act has a private right of action and on average individuals receive only $506 per case while plaintiff law firms receive $11.5 million. State agencies already can pursue violations and the FTC can offer compensation. This feature is duplicative and should be removed.
  • Enforcement by Individuals: Limited preemption carve-outs should be removed.

Tirzah Duren is the Vice President of Policy and Research at the American Consumer Institute, a nonprofit educational and research organization. You can follow her on Twitter @ConsumerPal.