© All rights reserved to Barnea Jaffa Lande Law offices

Together is powerful

Bipartisan Federal Privacy Act Proposed in US

On April 7, 2024, a draft of the American Privacy Rights Act was introduced. Bringing forth this bipartisan-supported bill represents a significant step toward privacy regulation in the United States. The proposed act brings the American privacy regime closer to the European one, which has long since become a global benchmark. The legislative process will likely continue for several more months. Upon its completion, a period of 180 days will be set before the act enters into force. During that period, companies subject to the act can begin to prepare for its implementation.

What Is the Scope of the Act?

The act applies to companies subject to regulation by the Federal Trade Commission (FTC). This includes all companies that have business operations in the US, even if it is not their place of incorporation. The act will not apply to small companies (those with annual revenue of less than USD 40 million, that process personal information of fewer than 200,000 people except for payment purposes, and that do not sell personal information), nor to state entities.

The act includes provisions directed at entities collecting and processing information for their own purposes, as well as service providers.

The act deals with all personal information that can be linked, alone or in combination with other information, to an individual or a specific device.

Data covered by the act does not include:

  •  Unidentified data.
  • Employee information.
  •  Publicly available information (e.g. information publicly available on social networks).

The FTC will enforce the act. In addition to enforcement by the authorities, the act will allow for individual claims regarding its violation.

What Are the Key Provisions of the Act?

The proposed act establishes several key principles regarding the processing of personal information:

  1. Data Minimization

    Entities should not collect unnecessary or disproportionate information and should limit themselves to collecting information for its designated purpose.

  2. Consent and Withdrawal

    Explicit consent from individuals is necessary for the use of their personal information. Individuals should have the ability to withdraw this consent, including for targeted advertising at any time.

  3.  Access and Correction

    Individuals should have the right to access information collected about them and correct it.

  4. Transparency

    Companies must operate transparently regarding their collection of personal information and the parties to whom they transfer the information.

  5. Accessibility

    Companies must publish a publicly accessible and detailed privacy policy that persons with disabilities can access.

  6. Data Security

    Companies should protect personal information from unauthorized access, security breaches, or misuse.

Additionally, the act orders the establishment of a national registry of data brokers, enabling individuals to request limitations on the use of their personal information.

What Does the Act Add to Existing Legislation?

The proposed act’s provisions are expected to apply on the federal level, taking precedence over state law on the same subject (such as the CPRA in California). However, some state legislation detailed in the act will continue to apply, specifically in the areas of employment, student information and data breach reporting and notification. Companies operating in states with this type of legislation may be subject to enforcement by both the state and federal authorities.

Entities subject to federal laws regulating the transfer of information (such as HIPAA, which regulates the transfer of medical information) will be subject to all provisions of the act except for those concerning information security, for which the arrangements set in other laws will apply.

 

***

 

Barnea Jaffa Lande’s Cyber, Privacy and Data Protection Department is at your service for any questions regarding the adaptation of your business activity to the provisions of privacy laws in Israel, Europe, the United States, and other jurisdictions.

 

Dr. Avishay Klein is a partner and heads the department.

 

Adv. Masha Yudashkin is an associate in the department.

 

Tags: Data protection | Privacy Law