The American Privacy Rights Act gives Americans fundamental, enforceable data privacy rights, puts people in control of their own data and eliminates the patchwork of state law
U.S. Senator Maria Cantwell, Chair of the Senate Committee on Commerce, Science and Transportation, and U.S. Representative Cathy McMorris Rodgers, Chair of the House Committee on Energy and Commerce, unveiled the American Privacy Rights Act. This comprehensive draft legislation sets clear, national data privacy rights and protections for Americans, eliminates the existing patchwork of state comprehensive data privacy laws and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals.
“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said Chairs Cantwell and Rodgers. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”
“A federal data privacy law must do two things: it must make privacy a consumer right, and it must give consumers the ability to enforce that right,” said Chair Cantwell. “Working in partnership with Representative McMorris Rodgers, our bill does just that. This bipartisan agreement is the protections Americans deserve in the Information Age.”
“This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act,” said Chair Rodgers. “I’m grateful to my colleague, Senator Cantwell, for working with me in a bipartisan manner on this important legislation and look forward to moving the bill through regular order on Energy and Commerce this month.”
The American Privacy Rights Act:
Establishes Foundational Uniform National Data Privacy Rights for Americans
- Puts people in control of their own personal data.
- Eliminates the patchwork of state laws by setting one national privacy standard, stronger than any state.
- Minimizes the data that companies can collect, keep and use about people, of any age, to what companies actually need to provide them products and services.
- Gives Americans control over where their personal information goes, including the ability to prevent the transfer or selling of their data. The bill also allows individuals to opt out of data processing if a company changes its privacy policy.
- Provides stricter protections for sensitive data by requiring affirmative express consent before sensitive data can be transferred to a third party.
- Requires companies to let people access, correct, delete and export their data.
- Allows individuals to opt out of targeted advertising.
Gives Americans the Ability to Enforce Their Data Privacy Rights
- Gives individuals the right to sue bad actors who violate their privacy rights—and recover money for damages when they’ve been harmed.
- Prevents companies from enforcing mandatory arbitration in cases of substantial privacy harm.
Protects Americans’ Civil Rights
- Stops companies from using people’s personal information to discriminate against them.
- Allows individuals to opt out of a company’s use of algorithms to make decisions about housing, employment, healthcare, credit opportunities, education, insurance or access to places of public accommodation.
- Requires annual reviews of algorithms to ensure they do not put individuals, including our youth, at risk of harm, including discrimination.
Holds Companies Accountable and Establishes Strong Data Security Obligations
- Mandates strong data security standards that will prevent data from being hacked or stolen. This limits the chances for identity theft and harm.
- Makes executives take responsibility for ensuring that companies take all actions necessary to protect customer data as required by the law.
- Ensures individuals know when their data has been transferred to foreign adversaries.
- Authorizes the Federal Trade Commission, states and consumers to enforce against violations.
Focuses on the Business of Data, Not Mainstreet Business
- Small businesses, who are not selling their customers’ personal information, are exempt from the requirements of this bill.
Chair Cantwell has been a leading advocate for stronger privacy protections for American consumers. As Congress has worked to develop privacy legislation, she has repeatedly called for privacy rights that are both strong and enforceable by consumers. In 2019, following her Committee Report on the State of Online Privacy, Senator Cantwell led Senate Democrats in introducing the Consumer Online Privacy Rights Act (COPRA). This comprehensive federal privacy legislation established her principles to give Americans safeguards and control over their personal data. At a hearing on the bill in 2019, Senator Cantwell laid out the key rights protected under her COPRA bill and emphasized the importance of strong enforcement through a private right of action. As Committee Chair, she held multiple hearings over the revelations of how Facebook’s unrestrained data practices harm children and teens, including testimony from Facebook whistleblower Frances Haugen. As Committee Chair, she led the fight to strengthen children’s privacy legislation, passing legislation out of the Senate Commerce Committee two years in a row. Senator Cantwell supported legislation to close loopholes from selling cell phone logs and taxpayer data to data brokers. Senator Cantwell championed stronger cybersecurity investments and questioned the CEO of Equifax on data breaches that exposed the personal information of millions of Americans. She urged President Trump to veto a resolution that allowed internet companies to sell Americans’ browser history and other sensitive information. Recently, after the overturn of Roe v. Wade, Senator Cantwell backed the My Body, My Data Act to protect Americans’ personal reproductive health data.