US privacy bills had bipartisan support until quashed by House Republican leadership


When it comes to online privacy, US regulations lag well behind the UK and Europe. Against that backdrop, Republican leadership in the US House of Representatives cancelled votes on two important pending bills which would have provided a framework for consumer privacy. The cancellations make the likelihood of their passage during the current session of Congress near-zero in an election year.

The American Privacy Rights Act (APRA) and the Kids Online Safety Act (KOSA) – both linked below – would limit the consumer data that companies could collect and use, and would reduce the likelihood of harm to young people.


The bills have been under development for several years, beginning in previous Congressional sessions, and had strong bi-partisan support.  Ironically, APRA was introduced by Cathy McMorris-Rodgers, a Republican.

Resistance from both sides

Reports emerged this week that US House Republican leaders had expressed opposition to the bills.  The Washington Post reported that House Majority Leader Steve Scalise (R-Louisiana) “(criticized) the measure for giving consumers the right to sue companies for violations.” A Republican aide said that “This bill has become so poisonous and the structure is just so difficult that you really need to scrap this bill and start over,” according to The Post.

Privacy rights groups also objected to APRA, but for different reasons.  The internet advocacy group Public Knowledge observed that while APRA incorporated elements from previous privacy bills, it lacked important considerations.

The American Privacy Rights Act of 2024 (APRA)

APRA is intended to place parameters around what consumer data online platforms can collect and use for marketing purposes, as well as how online platforms request permission from consumers to use that personal information. Requests would be presented clearly and conspicuously, and “the option to refuse consent is at least as prominent as the option to provide consent.”

If passed, APRA would regulate the collection, processing, retention and transfer of personally identifiable information, including the length of time an entity intends to retain or use it.

Data parameters are specific. For example, “biometric information” includes fingerprints, voiceprints, iris or retina imagery scans, facial or hand mapping, geometry or templates, and gait. “Precise geolocation information” includes information that “reveals the past or present physical location of an individual or device with sufficient precision … that is equal or less than the area of a circle with a radius of 1,850 feet or less.”

APRA defines information that cannot be used to infer or derive the identity of an individual as “de-identified data,” which includes health information, disability information, derived data, device data, targeted advertising, employee information and other categories of personal information, which are defined by US Code.

APRA applies to “Large Data Holders” and is clearly aimed at the leading online platforms, such as those operated by Alphabet (Google), Meta (Facebook, Instagram), Apple and Amazon.  “Large Data Holders” are entities with revenue of “not less than $250,000,000,” that manage the data of more than 5 million individuals, 15 million portable connected devices, or more than 35 million connected devices overall.

Entities that are exempted from APRA include government entities and entities that handle data on their behalf, small businesses and individuals, organizations whose missions are to prevent, deter or educate about fraud, and the National Center for Missing and Exploited Children.

The Kids Online Safety Act (KOSA)

KOSA sets out requirements to protect minors from online harms, such as online bullying and sexual exploitation, while restricting access to minors’ personal data and providing parents with tools to supervise minors’ use of online platforms, such as control of privacy and account settings.

Enforcement would be through the Federal Trade Commission and the US states.

Under KOSA, covered online platforms must also:

  • Disclose specified information, including details regarding the use of personalized recommendation systems and individual-specific advertising to minors;
  • Allow parents, guardians, minors, and schools to report certain harms;
  • Refrain from facilitating advertising of age-restricted products or services (e.g., tobacco and gambling) to minors; and
  • Annually report on foreseeable risks of harm to minors from using the platform.

Additionally, according to the text of the bill, KOSA requires large (based on specified revenue, employment, or user criteria) websites, internet applications, and search engines (including social network sites) to meet certain requirements before using algorithms that prioritize information furnished to the user based on user-specific data. For example, such platforms must (1) provide users with notice that the website uses such algorithms, and (2) make available a version of the platform that uses algorithms that do not prioritize information based on user data.

Shortcomings

“The removal of civil rights protections is unacceptable,” said Sara Collins, Public Knowledge’s Director of Government Affairs. “Privacy rights are civil rights. It is disheartening to see the committee remove these important protections.

“Second, APRA needlessly eliminates the Federal Communications Commission’s important role in protecting consumer privacy, cybersecurity and national security. For 90 years, the FCC has protected the privacy of communications, and has technical expertise and experience that would complement the FTC,” said Director Collins.

Separately, while KOSA appears on the surface to be comprehensive, the bill would “(exempt) internet service providers, email services, educational institutions, and other specified entities from the requirements,” according to the summary of the bill posted online by Congress.

Further reading

American Privacy Rights Act of 2024. H.R. 8818. June 25, 2024. 118th Congress (2023-2024). United States House of Representatives.

Kids Online Safety Act. S. 1409. December 13, 2023. 118th Congress (2023-2024). United States Senate.

American Data Privacy and Protection Act. H.R. 8152. December 30, 2022. 117th Congress (2021-2022). United States House of Representatives.

Public Knowledge Opposes Weak Privacy Bill. Press release. June 26, 2024. Public Knowledge.

House Energy and Commerce Leadership Heed Calls from Civil Rights Leaders, Pull Down Privacy Legislation Markup. Press release. June 27, 2024. The Leadership Conference on Civil and Human Rights.

Tech Brief. June 28, 2024. The Washington Post.

Why it matters

Millions of consumers release their most personal details – ranging from location to DNA profiles – to entities that do business online, and whose business models often depend on selling that data.  Data breaches and sale of consumer databases often place such private data into the hands of unsavory actors, who attack these consumers.

American consumers don’t realize that they are usually opted-in to this practice, since they rarely read the terms of service.  Online platforms strive to maximize the resulting revenue using advanced analytics, artificial intelligence and machine learning.

The bills themselves make eye-opening reading for those who follow privacy issues only with their peripheral vision. APRA’s opening pages provide definitions of the information covered under the legislation. For example, “genetic information” includes “raw sequence data … of deoxyribonucleic acid of an individual” and “genotypic and phenotypic information that results from analyzing raw sequence data…” Sound far-fetched? As noted earlier, millions of consumers – mostly unwittingly, since they rarely read the terms of service – submit their details to services like Ancestry.com, which are then sold.

The fight will continue: “Our fight is far from over,” said Koustubh “K.J.” Bagchi, vice president of the Center for Civil Rights and Technology. “This bill still needs to be revised before we can wholeheartedly support it. Our call to lawmakers is simple: Restore strong, explicit civil rights protections to what should be a comprehensive data privacy bill. It should include protections for sexual orientation and gender identity, which were omitted in previous APRA drafts.”
