Hello all, and happy Thursday!
Right on the heels of IAPP’s Global Privacy Summit, U.S. lawmakers gave the privacy community a major surprise in the form of a newly proposed federal data privacy law.
The American Privacy Rights Act (APRA) derives a lot from its predecessor, the American Data Protection and Privacy Act (ADPPA). So much so that the APRA may very well face the same challenges that eventually put a stop to the ADPPA.
You can read a summary of the law’s major features on our site here.
Nothing is certain at this point, and the APRA has a long road ahead of it before it becomes law—but if I were to hazard a guess, I would predict the APRA will undergo significant changes should it ultimately be enacted. As was the case with the ADPPA, preemption will be a major sticking point for representatives in states with stronger data privacy laws on the books, notably California. Will the APRA preempt the California Privacy Rights Act (CPRA)?
The Executive Director of the California Privacy Protection Agency (CPPA), Ashkan Soltani, certainly seems to feel the same way about the APRA’s preemption as he did about the ADPPA. According to the IAPP, Soltani said:
“Americans shouldn't have to settle for a federal privacy law that limits states' ability to advance strong protection in response to rapid changes in technology and emerging threats in policy—particularly when Californians' fundamental rights are at stake. Congress should set a floor, not a ceiling.”
California swings a lot of weight around in Congress, so it seems likely that the APRA will need to undergo changes that mollify Californian privacy stakeholders’ concerns. But as I’m sure many of you can attest to, compliance with the current patchwork of state laws is a confusing and difficult task. A single federal law would vastly simplify the work of data privacy compliance for U.S.-based companies.
So, what’s better: Imperfect but comprehensive data privacy protection, or strong but inconsistent data privacy protection? We’ll have to see where California, Congress, and other state legislators stand on this question before we can predict the APRA’s future with any kind of accuracy.
Best,
Arlo
The proposed American Privacy Rights Act (APRA), which was shared Sunday by U.S. Rep. Cathy McMorris Rodgers, R-Wash., and Sen. Maria Cantwell, D-Wash., would introduce a significant shift in how organizations collect, process, and share personal information and set a high bar for data minimization practices. McMorris Rodgers and Cantwell are the respective chairs of the House and Senate committees. Each committee would need to approve the bill prior to any potential floor vote.
The Maryland legislature has passed the Maryland Online Data Privacy Act, though the law still awaits the governor’s signature. The proposed law would be one of the toughest comprehensive privacy laws among states. If enacted, the bill will take effect 1 Oct. 2025.
The UK Information Commissioner’s Office (ICO) recently published its 2024-2025 priorities for protecting children’s personal data online. The strategy builds on the ICO Children’s Code, introduced in 2021, sets forth priority areas of improvement for social media and video-sharing platforms, and indicates how the ICO will continue to enforce and drive conformance with the Children’s Code.
Under the GDPR, businesses have to report personal data breaches to the local data protection authority. In France, that authority is the Commission Nationale de l'Informatique et des Libertés, or CNIL, which recently released a report analyzing five years of data breaches under the GDPR.
Data privacy is chock-full of acronyms, but few cause more confusion than “DPIAs” and “PIAs.” Learn the difference between these two assessment types in our blog.
If you’re interested in working at Osano, check out our Careers page!