mayo 02 2024

Chairs of House and Senate Commerce Committees Announce Consumer Privacy Legislation

Authors:

Last month, two key members of Congress released a draft of the American Privacy Rights Act (“APRA”), comprehensive legislation that would change the landscape of consumer privacy law in the United States. If passed, APRA would create a national standard governing the collection, use, and disclosure of consumer personal information. It would also preempt a number of state laws, notably including the Illinois Biometric Information Privacy Act (“BIPA”) and Genetic Information Privacy Act (“GIPA”)—although the act includes Illinois-specific provisions that parallel those statutes in part, and allow enforcement under those laws to continue in certain situations. The draft bill has been proposed by Rep. Cathy McMorris Rodgers (R-WA), the chair of the House Committee on Energy and Commerce, and Sen. Maria Cantwell (D-WA), the chair of the Senate Committee on Commerce, Science and Transportation.

Companies that have sought to account for the patchwork of state privacy law requirements currently in effect will see familiar themes in APRA. For instance, APRA grants consumers certain rights over their “covered data,” and requires covered entities to make publicly available privacy policies detailing their data privacy and security practices.

But there are some key differences. For instance, APRA calls for affirmative express consent to the collection of biometric and genetic information, both of which are classified as categories of “sensitive information.” APRA also includes a general private right-of-action to recover actual damages for violations (beyond just violations that result in data breaches, as some state laws provide), with statutory damages available for plaintiffs who can prove violations of BIPA and GIPA occurred primarily and substantially in Illinois. APRA would also invalidate arbitration agreements as to certain claims arising under the statute, thereby upending preexisting arbitration agreements between businesses and consumers.

Scope and Key Definitions

APRA’s requirements follow some familiar trends we have seen across the patchwork of state privacy laws and the European Union’s General Data Protection Regulation (“GDPR”)—namely, data minimization, transparency, portability, and data security. APRA would also set forth specific requirements for “data brokers” and establishes a national data broker registry. Currently, only California, Texas, Oregon, and Vermont require entities to register as data brokers before collecting, selling, or licensing “brokered personal data.”

APRA is still a long way from becoming law, and it may go through significant changes along the way—as many in the business community are currently advocating. But, as currently drafted, APRA contains a number of key provisions:

APRA defines “covered data” as information that identifies, or is linked—or reasonably linkable, alone or in combination with other information—to an individual (or a device that identifies, can be linked, or is reasonably linkable to individuals). Exempted from APRA’s “covered data” definition are employee information, publicly available information, inferences made exclusively from multiple independent sources of publicly available information,¹ and information in the collection of a library, archive, or museum.²

“Covered entities” subject to APRA include for-profit businesses subject to the Federal Trade Commission Act, common carriers subject to title II of the Communications Act, and nonprofits. A covered entity must also meet one or more of the following jurisdictional thresholds: it must (i) receive annual gross revenues of more than $40 million for the period of the three preceding calendar years; (ii) on average, collect, process, retain, or transfer the covered data of more than 200,000 individuals for any purpose; or (iii) transfer covered data to a third party in exchange for revenue or anything of value. Further, APRA would cover any entity that controls, is controlled by, is under common control with, or shares common branding with another covered entity.³

Additional Requirements for the Collection and Use of Biometric and Genetic Information

Like the comprehensive data privacy laws already in place in several states, APRA defines several categories of information as “sensitive data,” including both biometric and genetic information, which are subject to additional requirements and restrictions.

Biometric information: Any covered data that is specific to an individual and is generated from the measurement or processing of the individual’s unique biological, physical, or physiological characteristics that is linked or reasonably linkable to the individual, including: (i) fingerprints; (ii) voice prints; (iii) iris or retina imagery scans; (iv) facial or hand mapping, geometry, or templates; or (v) gait. Notably, APRA would not consider digital photographs, an audio or video recording, or “metadata” associated with a digital or physical photograph or an audio or video recording that cannot be used to identify an individual to be biometric information.⁴
Genetic information: Any covered data, regardless of its format, that concerns an identified or identifiable individual’s genetic characteristics, including: (i) raw sequence data that results from the sequencing of the complete, or a portion of DNA that is extracted from an individual, or (ii) genotypic and phenotypic information that results from analyzing raw sequence data described in (i).

Covered entities must obtain affirmative express consent to collect, process, or retain biometric or genetic information, unless one of several statutory exceptions applies.⁵ They may not retain biometric or genetic information longer than necessary to satisfy the purpose for which an individual’s affirmative express consent has been provided, or for more than 3 years after the individuals last interaction with the covered entity, whichever comes first. And with few exceptions,⁶ covered entities may not transfer biometric or genetic information to a third party without first providing affected individuals with (i) a notice describing such transfer, including the name of any entity receiving the individual’s covered data and the privacy policies of such entity, and (ii) a reasonable opportunity to withdraw any previously given consent and request the deletion of the individual’s covered data.

APRA’s Private Right of Action and Effect on Arbitration Agreements

Private Right of Action

Section 19 of APRA would create a private right of action for certain violations of the statute, including violations related to a data breach incident, sensitive data generally (Section 3(b)), and biometric and genetic information (Section 3(c)).

For civil actions brought under Section 3(c) pertaining to biometric and genetic information, APRA provides additional remedies for violations that occur primarily and substantially in Illinois. If the plaintiff prevails, APRA authorizes courts to award the same relief set forth in (i) Section 20 of BIPA (up to $5,000 in statutory damages per violation); or (ii) Section 40 of GIPA (up to $15,000 in statutory damages per violation).⁷ And in civil actions related to data breach incidents brought by California residents, APRA provides the same relief afforded in the CCPA’s private right of action.⁸ Thus, while preempting BIPA and GIPA, APRA would allow similar remedies, including statutory damages, for much of the conduct that would constitute alleged violations of those state laws.

That said, APRA could still end up impacting plaintiffs’ ability to sue for alleged BIPA violations for a few reasons. First, APRA’s definition of “biometric information” provides some additional clarity as to what types are actually covered. APRA makes clear that in order for data to be considered “biometric information” subject to the statute’s requirements, the data must be “specific to an individual” and “linked” or “reasonably linkable” to an individual. Although several courts have interpreted BIPA similarly,⁹ plaintiffs in BIPA litigation have continued to argue that data need not be identifying to qualify as a “scan of hand or face geometry” subject to BIPA’s requirements.¹⁰ By explicitly tying the definition of biometric information to “specific individuals” and requiring that data be reasonably (as opposed to theoretically) linkable to an individual to be considered biometric, APRA more firmly grounds a private right of action to harms stemming from collection of biometric data that is uniquely identifying, as opposed to generic characteristics or mere demographic information.

Second, APRA contains numerous exceptions based on the purpose of data collection that are absent from BIPA.¹¹ For example, companies that collect biometric data to “maintain data security” or “protect against spam, and maintain networks and systems, including through diagnostics, debugging, and repairs” are not subject to APRA’s affirmative consent requirements. As the proliferation of technologies that leverage artificial intelligence (AI) and machine learning continues, many companies use this data to train and improve their systems. Whether courts will consider such data collection to fall within the exemptions for system maintenance and diagnostics or construe the exemptions more narrowly is a space to watch.

APRA also contains certain procedural prerequisites to bringing a private right of action. Prior to commencing a civil action for injunctive relief, individuals must provide the covered entity with 30 days’ written notice identifying the specific APRA provisions that were violated, and an opportunity to cure.¹² For actions seeking actual damages, APRA requires the same form of notice, but covered entities do not have an opportunity to cure alleged violations, and even the notice requirement does not apply in the case of a substantial privacy harm.

Arbitration Agreements

The current draft of APRA purports to declare unenforceable, “at the election of an individual,” pre-dispute arbitration agreements as to claims involving (i) individuals under the age of 18, and (ii) violations of APRA that result in a purported “substantial privacy harm.” The law provides that federal courts (not arbitrators) must determine whether arbitration agreements are valid and enforceable when challenged under APRA.

Many businesses that use arbitration agreements will find this aspect of the draft bill concerning; it appears to open the doors to litigation while allowing consumers and their counsel to choose arbitration if they prefer. The act would limit its arbitration exception to claims involving minors and claims involving “substantial privacy harm”—which is defined to include alleged financial harms of at least $10,000 or certain alleged mental or physical harms, among other things. The second category appears highly likely to generate litigation over its applicability.

If this provision of APRA remains unchanged, businesses should consider reviewing their arbitration programs to account for this aspect of the proposed law.

Other Notable APRA Requirements

Although this alert mainly focuses on APRA’s potential impact on state laws that apply to the collection and use of biometric and genetic information, and APRA’s private right of action, below we have highlighted other notable obligations imposed by APRA on covered entities, as well as the rights APRA affords to individuals.

Rights of Individuals

Right to access to their covered data
Right to correct inaccurate or incomplete covered data
Right to delete covered data
Right to portability and to obtain a copy of covered data
Right to opt-out of the transfer of non-sensitive covered data and the use of their personal information for targeted advertising

Covered Entity and Service Provider Obligations

Covered entities and service providers operating on their behalf shall not collect, process, retain, or transfer data beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual, or provide a communication reasonably anticipated in the context of the relationship, or a permitted purpose;
Covered entities and service providers must have privacy policies that identify the entity; disclose the categories of data collected, processed, or retained; the purposes for the data processing; the categories of service providers and third parties to which data is transferred; the name of any data brokers to which data is transferred; the length of time data is retained; data security practices; and the effective date of the privacy policy;
Privacy policies must prominently describe how consumers can exercise their individual controls and opt-out rights and must be accessible in multiple languages and to people with disabilities;
Covered entities or service providers that make material changes to their policies must provide advanced notice and means to opt out of the processing or transfer of previously collected data;
Large data holders are subject to more requirements related to retaining and publishing their privacy policies from the past 10 years, and must also provide a short-form notice of their policies;
Covered entities must comply with individual control rights within specified timeframes, and large data holders must report metrics related to the requests they process;
All covered entities must designate one or more covered employees to serve as privacy or data security officers;
Large data holders are required to designate both a privacy and a data security officer;
Service providers must adhere to the instructions of a covered entity and help the entity fulfill its obligations under APRA;
Covered entities must exercise due diligence in the selection of service providers and in deciding to transfer covered data to a third party;
Third parties may only process, retain, and transfer data received from another entity for a purpose consistent with what the covered entity disclosed in its privacy policy; or, for sensitive covered data, a purpose for which the consumer provided affirmative express consent;
Large data holders are also directed to file with the FTC annual certifications of internal controls designed to comply with APRA and internal reporting structures for compliance with the act; and
Large data holders must conduct privacy impact assessments on a biennial basis.

Relationship Between APRA and State Privacy Laws

APRA would preempt any state law, regulation, rule, or requirement covered under its provisions. However, APRA contains a number of exceptions to this state law preemption, including state laws governing unfair or deceptive acts or practices, contracts, torts, and common law causes of action. Thus, while APRA would ostensibly set forth a national standard for compliance and preempt state privacy laws that impose specific obligations on the collection, processing and sharing of personal information, plaintiffs may still be able to allege privacy related harms under other state statutes. While it is still early in the legislation process, companies should monitor how this bill develops and consider its impact on existing state requirements.

¹ The inferences cannot (i) reveal information about an individual that meets the definition of sensitive covered data with respect to an individual, or (ii) be combined with covered data.

² A library, archive, or museum must (i) have a collection open to the public or routinely made available to researchers who are not affiliated with the library, archive, or museum, (ii) have a public service mission, (iii) train staff or volunteers to provide professional services normally associated with libraries, archives, or museums, and (iv) have collections composed of lawfully acquired materials and meet all licensing conditions for such materials.

³ On the other hand, APRA would not apply to (i) federal, state, tribal, territorial, or local government entities; (ii) an entity that is collecting, processing, retaining, or transferring covered data on behalf of federal, state, tribal, territorial, or local government entities; (iii) a small business; (iv) the National Center for Missing and Exploited Children; or (v) except with respect to the obligations under Section 9 of APRA pertaining to data security requirements, a nonprofit organization whose primary mission is to prevent, investigate, or deter various types of fraud.

⁴ APRA’s definition of “biometric information” would be much narrower than the Federal Trade Commission’s proposed definition in its policy statement on biometric information, which we previously covered in a Legal Update.

⁵ Exceptions are provided for collections of biometric or genetic information (i) to protect data security (as described in Section 9), protect against spam, and maintain networks and systems, including through diagnostics, debugging, and repairs; (ii) to comply with a legal obligation imposed by Federal, State, local, or Tribal law (that is not preempted by APRA); (iii) by a covered entity to investigate, establish, prepare for, exercise, or defend cognizable legal claims on its own behalf; (iv) to transfer covered data to a Federal, State, local, or Tribal law enforcement agency pursuant to a lawful warrant, administrative subpoena, or other form of lawful process; (v) by a covered entity or service provider that is considered a telecommunications carrier or a provider of a mobile service, interconnected VoIP service, or non-interconnected VoIP service (as defined in section 3 of the Communications Act of 1934, to provide call location information (as described in subparagraphs (A) and (C) of section 222(d)(4) of that Act); and (vi) except with respect to health information, to prevent, detect, protect against, investigate, or respond to criminal activity, excluding the transfer of covered data for payment or other valuable consideration to a government entity.

⁶ The statutory exceptions are for data transfers made (i) to comply with a legal obligation imposed by federal, state, local, or tribal law that is not preempted by APRA; (ii) by a private entity to investigate, establish, prepare for, exercise, or defend cognizable legal claims on its own behalf; (iii) to transfer covered data to a federal, state, local, or tribal law enforcement agency pursuant to a lawful warrant, administrative subpoena, or other form of lawful process; and (iv) to transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or similar transaction when the third party assumes control, in whole or in part, of the covered entity’s assets, only if the covered entity, in a reasonable time prior to such transfer, provides each affected individual with notice describing such transfer, and a reasonable opportunity to withdraw consent or request deletion of covered data.

⁷ 740 ILCS 14/20; 410 ILCS 513/40.

⁸ Compare with Cal. Civ. Code § 1798.150 (permitting California residents to bring a civil action against California businesses for (i) statutory damages of up to $750 per incident or actual damages, whichever is greater; (ii) injunctive relief; or (iii) any other relief “the court deems proper”).

⁹ See, e.g., Carpenter v. McDonald’s Corp., 580 F. Supp. 3d 512, 515 (N.D. Ill. 2022) (“[A] ‘biometric identifier’ is . . . a set of measurements of a specified physical component (eye, finger, voice, hand, face) used to identify a person.”) (emphasis added); Clarke v. Aveda Corp., --- F. Supp. 3d ----, 2023 WL 9119927, at *2 (N.D. Ill. Dec. 1, 2023); Castelaz v. The Estee Lauder Companies, Inc., 2024 WL 136872, at *7 (N.D. Ill. Jan. 10, 2024); Daichendt v. CVS Pharmacy, Inc., 2022 WL 17404488, at *5 (N.D. Ill. 2022), modified on other grounds on reconsideration, 2023 WL 3579082 (N.D. Ill. 2023).

¹⁰ 735 ILCS 14/10 (defining “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”).

¹¹ See supra n.7.

¹² Notice is not required if any alleged violations result in a “substantial privacy harm.” A substantial privacy harm is defined as any alleged financial harm of at least $10,000 or any alleged physical or mental harm to an individual that involves either (i) treatment by a licensed, credentialed, or otherwise bona fide health care provider, hospital, community health center, clinic, hospice, or residential or outpatient facility for medical, mental health, or addiction care; or (ii) physical injury, highly offensive intrusion into the privacy expectations of a reasonable individual under the circumstances, or discrimination on the basis of race, color, religion, national origin, sex, or disability.