Much hype has emerged in the legal press in recent weeks regarding the American Privacy Rights Act, a draft bill currently working its way through Congress. The bill would adopt many measures already familiar to companies that comply with existing privacy laws: consumer rights in data about them, the duty to keep information secure and confidential, and a private right of action for aggrieved consumers. The bill is modeled on one that generated a lot of excitement in 2023 before dying.
Why It Matters
It may not matter much. If this bill passes, it will not take effect until six months later. By then, we are likely to be in or close to 2025. By 2025, at least a dozen states will have some form of privacy protection in place. Many of those state laws impose requirements similar to APRA's. Although it would be exceedingly helpful from a compliance perspective to have a single law to follow rather than dozens, APRA specifically exempts the vast majority of small and medium enterprises (under $40M in revenues). Most state laws, however, either cover all companies doing business in their state or exempt companies starting at $25M in revenues. In other words, many small companies will not be helped or harmed by passage of APRA, since it will not change their compliance requirements at all: they will still have to comply with state law.
Having said that, the bill could change. And it is arguably important for the US to have a national privacy law in terms of being part of the community of nations that follow best practices on privacy.
In its current form, however, it is plainly aimed at the Facebooks and Googles of the world. As consumers, we might or might not welcome an effort to regulate those mega tech companies; but the current bill really will not change much for small companies.