- APRA is a bi-partisan, cross-sector US draft for comprehensive consumer data protection, based on ADPPA, COPRA and partly GDPR principles.
- Scope of regulation: data minimization, rights (information, deletion, objection), data security, DPO obligation and special obligations for large platforms and data brokers.
- APRA contains specific rules for algorithms/AI, including risk impact assessments, information obligations and rights of objection for decision-relevant applications.
In the USA, a new attempt is being made to introduce cross-sector and national regulation of core data protection in the form of the “American Privacy Rights Act” (APRA):
The APRA is currently a discussion draft, but it is supported by both parties (“bipartisan”) and therefore has a slightly better chance than previous attempts such as the ADPPA. However, the content of the APRA is based on the ADPPA and the Federal Consumer Online Privacy Rights Act (COPRA). Certain similarities with the GDPR are also obvious, even if the terminology naturally differs (e.g. “covered entities” instead of “controllers”). APRA is limited to the private sector and excludes companies with less than USD 40M in turnover and data on fewer than 200,000 consumers, as long as they do not sell personal data.
The APRA regulates, on 53 pages in 24 sections, among other things: certain principles (e.g. for data minimization), rights (e.g. a right to object to advertising, a right to information, or a right to erasure), consent requirements for the disclosure of sensitive data to third parties, provisions on data security, the duty to appoint DPOs, and special requirements for certain companies, for example particularly large social networks with special reach and data brokers.
With reference to certain algorithms, APRA also contains its own regulation. Because “algorithm” is a defined term that is tailored to AI applications (even if the definition is broader), APRA is also a rudimentary AI regulation that fits into the growing canon of corresponding regulations. To the extent that companies apply the AI Act as a global standard, which is partly the case and will certainly increasingly be the case, the APRA requirements are essentially compatible. When using covered algorithms, large controllers must carry out a risk impact assessment for sensitive areas of application (e.g. in the workplace or health sector, or when using particularly sensitive data), and if algorithms make decisions or facilitate human decisions, information obligations and a right to object are provided for.
The APRA is structured as follows:
- Sec. 1 Short title; table of contents.
- Sec. 2 Definitions.
- Sec. 3 Data minimization.
- Sec. 4 Transparency.
- Sec. 5 Individual control over covered data.
- Sec. 6 Opt-out rights and centralized mechanism.
- Sec. 7 Interference with consumer rights.
- Sec. 8 Prohibition on denial of service and waiver of rights.
- Sec. 9 Data security and protection of covered data.
- Sec. 10 Executive responsibility.
- Sec. 11 Service providers and third parties.
- Sec. 12 Data brokers.
- Sec. 13 Civil rights and algorithms.
- Sec. 14 Consequential decision opt out.
- Sec. 15 Commission approved compliance guidelines.
- Sec. 16 Privacy-enhancing technology pilot program.
- Sec. 17 Enforcement by the Federal Trade Commission.
- Sec. 18 Enforcement by States.
- Sec. 19 Enforcement by individuals.
- Sec. 20 Relation to other laws.
- Sec. 21 Children’s Online Privacy Protection Act of 1998.
- Sec. 22 Termination of FTC rulemaking on commercial surveillance and data security.
- Sec. 23 Severability.
- Sec. 24 Effective date.