This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| 1 minute read

Is 2024 the Year for a Federal Privacy Bill?

Much hype has emerged in the legal press in recent weeks regarding the American Privacy Rights Act, a draft bill currently working its way through Congress. The bill would adopt many measures already familiar to companies that comply with existing privacy laws: consumer rights in data about them, the duty to keep information secure and confidential, and a private right of action for aggrieved consumers. The bill is modeled on one that generated a lot of excitement in 2023 before dying.  

Why It Matters

It may not matter, much. If this bill passes, it will not take effect until six months later. By then, we are likely to be in or close to 2025. By 2025, at least a dozen states will have some form of privacy protection in place. Many of those state laws impose similar requirements to APRA's. Although it would be exceedingly helpful from a compliance perspective to have a single law to follow rather than dozens, APRA specifically exempts the vast majority of small and medium enterprises (under $40M revenues). Most state laws, however, either cover all companies doing business in their state or exempt companies starting at $25M in revenues. In other words, many small companies will not be helped or harmed by passage of APRA, since it will not change their compliance requirements at all: they will still have to comply with state law.  

Having said that, the bill could change. And it is arguably important for the US to have a national privacy law in terms of being part of the community of nations that follow best practices on privacy.  

In current form, however, it is plainly aimed at the Facebooks and Googles of the world. As consumers, we might or might not welcome an effort to regulate those mega tech companies; but the current bill really will not change much for small companies.  

The draft law emphasizes giving American consumers control over their personal information, including the ability to manage, correct, delete, and restrict the sale or transfer of their data. The draft also introduces measures to limit the amount of data companies can collect to what is necessary for their services, enhances protections for sensitive information, and allows people to opt out of targeted advertising and certain data processing activities. Additionally, the APRA includes provisions to enable individuals to take legal action against violations of their privacy rights.


data security and privacy, hill_mitzi, insights, emerging companies