Alarm bells rang last month among the business community when Rep. Cathy McMorris Rodgers (R-WA) and Sen. Maria Cantwell (D-WA) unveiled the American Privacy Rights Act (APRA). Both members chair committees (the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation, respectively) in which they plan to hear the bill in the coming weeks or months.
The Indiana Chamber supports a (business-friendly) federal bill that preempts the patchwork of state data privacy laws – 17 in total – that have passed in recent years. A federal solution would mitigate uncertainty around compliance for businesses, particularly small businesses, that must navigate potentially conflicting laws between states.
However, according to the U.S. Chamber of Commerce, APRA, as drafted, is fatally flawed in two ways: (1) it does not provide full preemption, and (2) it contains private right of action provisions that allow consumers to sue companies directly for alleged violations of the law.
On the first point, APRA allows states to regulate “on top of” federal requirements. This means that rather than eliminating differences in how data privacy is regulated among the various states, APRA would compound legal requirements and create new confusion, duplication and uncertainty.
Second, APRA’s private right of action provisions would allow for an explosion of frivolous litigation against small businesses, charities and other entities that could be forced to settle because they lack the time, expertise and financial resources to fight back. These potential outcomes are the very reasons why some states, such as Indiana, rejected private rights of action that are embraced by other, more consumer-friendly states like California and Vermont.
APRA is not yet scheduled for hearings in either branch of Congress, but it’s a matter of time. Until then, we urge you to become knowledgeable of the potential ramifications of the bill to your business and consider contacting your legislator to express opposition.
