The American Privacy Rights Act (APRA) – It’s Like Déjà Vu All Over Again!
On April 7, 2024, we got a peek at the newest attempt at a US federal privacy law – the American Privacy Rights Act (APRA). We’ve been here before, with the ADPPA introduced just last year, so what’s this new bill all about?
Check out the LinkedIn live session we did on this topic (in Hebrew) here, and here’s a quick summary in case you missed it:
Scope
APRA will apply to personal information that identifies, or is linkable to, an individual or device. Although this is seemingly a very broad definition, notable exceptions include employee data, publicly available information and de-identified data.
The law will apply to all companies covered by FTC’s jurisdiction, regardless of their incorporation location. This extraterritorial reach is designed to ensure that all personal information handled by businesses operating in the U.S. adheres to the same privacy standards.
Key obligations
- Data Minimization: Companies must limit processing of covered data to what is strictly necessary for the purposes for which it was collected.
- Consent and Withdrawal: Companies must obtain explicit consent from individuals before using their sensitive data (a term defined extremely broadly).
- Access and Correction: Individuals will have the right to access their covered data and request to correct it if necessary.
- Transparency: Companies must operate transparently regarding how they use covered data and disclose to whom covered data is transferred.
- Information Security: Companies must protect covered data from unauthorized access, leaks, or misuse.
- Vendor Management: Companies must carry out due diligence in the selection of service providers and in deciding whether to transfer covered data to a third party.
- Algorithms and AI: The bill introduces various requirements for anyone developing AI tools which use or are trained with covered data.
- Designation of privacy and security officer(s): An employee of the company must be designated as the privacy/security officer.
Enforcement
Enforcement of the APRA will primarily be the responsibility of a new Bureau of the FTC. Besides the FTC, APRA includes a “private right of action” (a hotly contested topic in the past), so it would be fair to expect both lawsuits and class actions in the privacy space. State Attorneys General will also have the authority to impose civil penalties and other sanctions for violations.
Preemption
APRA would preempt state data privacy laws, for example CCPA – another hotly contested topic in the past. However, state laws in areas not covered by APRA will not be preempted by the federal law: state breach notification laws, provisions that address employee privacy, and health information privacy laws will all continue to apply.
It remains to be seen whether this attempt will pass or whether it will take the route of its predecessors. For those who have already built solid GDPR-based privacy programs the uplifts don’t seem too painful. For those who have ignored the US to date as a country with minimal privacy protections, it might be time to rethink that strategy.
The very talented Dr. Avishay Klein, partner and head of the Privacy, Cyber and AI dept., and Eviatar Rich, legal intern at Barnea Jaffa Lande, co-authored this article.