RegFi Episode 30: A Closer Look at the American Privacy Rights Act
If passed, the proposed American Privacy Rights Act would dramatically transform data privacy compliance obligations for companies operating in the United States. Shannon Yavorsky — head of Orrick’s global Cyber, Privacy & Data Innovation group — joins RegFi cohosts Jerry Buckley and Sherry Safchuk for a conversation about the background and purpose of the APRA, key provisions in the bill and implications for the financial services industry. The discussion covers potential exemptions based on existing federal financial regulations, which state laws are preempted and which are not, how a federal privacy enforcement and oversight regime might be structured, and the prospects for legislative action as policymakers focus on the upcoming election season.
Jerry Buckley: | Hello, this is Jerry Buckley, and I am here with my RegFi co-host, Sherry Safchuk, and our Orrick partner, Shannon Yavorsky, who is the head of Orrick's Global Cyber Privacy and Data Innovation Group, and a leading authority on U.S. and EU privacy, cybersecurity, and artificial intelligence issues. Today, we are going to discuss the proposed American Privacy Rights Act. As background for our listeners, this proposed legislation has been a long time in gestation. As state privacy laws have proliferated, starting in California, the Congress has been urged to adopt uniform national privacy and data security legislation that would facilitate interstate commerce over the borderless medium of the internet and avoid a patchwork of state laws. The APRA addresses this goal by preempting inconsistent state laws. What has emerged from a long and arduous drafting process is a bicameral, bipartisan bill sponsored by the Democratic chair of the Senate Commerce Committee, Senator Maria Cantwell, and by the Republican chair of the House Energy and Commerce Committee, Representative Cathy McMorris Rodgers. Interestingly, both are from Washington state. The bill adopts many of the provisions of the California Privacy Rights Act and similar state laws and, as mentioned, preempts inconsistent state laws. Regulatory jurisdiction and enforcement authority at the federal level is assigned to the Federal Trade Commission, the FTC. State attorneys general are also given enforcement authority under the proposed legislation, and the bill provides for private rights of action within defined limits of damages. Today, we are going to be considering the implications of the bill for financial services providers. As listeners know, the premise of the RegFi podcast series is that financial regulation will change more in the next 10 years than in the past 50.
And, as mentioned in prior episodes, data is the lifeblood of the financial services industry, so this legislation, that significantly impacts the way in which banks and other financial services providers use and protect data, goes right to the heart of the way financial services will be delivered in the United States. As we will discuss, under the proposed legislation, financial services firms have an exemption from the bill's requirements with respect to certain of their activities, but the bill will still have a significant impact on data management at financial services providers. Today, we want to give a high-level view of what this bill will potentially mean for financial services industry, even with the preemption and exemption provisions in place. So, Shannon, putting aside for a moment any exemptions from financial institutions and the preemption issue, how could you describe the major requirements and restrictions in the bill that would be placed on companies dealing with personally identifiable information? |
Shannon Yavorsky: | Thanks so much, Jerry, and thanks for having me today on the podcast. So, I think it's helpful to start with what types of entities are covered by the proposed APRA, and it covers really a broad swath of companies. A covered entity is an entity that determines the purpose and means of processing covered data, so this really aligns with the GDPR definition of a data controller, and the entity is subject to the FTC's authority under the FTC Act and common carriers subject to Title II of the Communications Act, and nonprofits, which is a little bit of a surprise because a lot of the state privacy laws that are in effect right now really carve out nonprofits. So, this would be a bit of a change. The bill defines special heightened requirements for certain covered entities. It has definitions for large data holders, data brokers, and a new category called covered high-impact social media companies, and that's really a covered entity that provides internet-accessible platform where the entity generates $3 billion or more in global annual revenue, so, meant to really apply to this, like a corner of the companies in existence. So, there are a number of different exemptions, and I know that Sherry's going to talk a little bit more about this, but I'd also like to talk about the core rights and obligations established by the APRA. So, very familiar to the state privacy laws, the GDPR, and other privacy frameworks are a raft of consumer rights. So, these are the right to access covered data, the right for consumers to correct inaccurate or incomplete data, the right to delete covered data, and the right to export covered data — so that's kind of like the right of portability — and then the right to opt out of certain processing of personal data. 
So, these rights really align with what we see in the — I think we're at 15 state privacy laws right now, all of which include some iteration of these consumer — of these consumer rights, and the APRA would establish very — these very similar, very similar rights. In addition, there are a number of robust requirements and fairly onerous obligations placed on covered entities. One that's a little bit of a surprise is data minimization requirements. Now, data minimization is a principle — privacy principle — that is quite old. It comes from the OECD privacy principles of the late 70s, early 80s, but isn't one that's been formally enshrined in the state privacy laws, although it is a GDPR principle. It's kind of novel to have it described in so much detail in proposed federal law. And what it really means is that covered entities are not permitted to collect data that goes beyond what is necessary, proportionate, and limited to provide specific goods and services, to send reasonably anticipated communications, or for one of, you know, certain enumerated express permitted purposes. So, data minimization requirements is really an important one that companies will need to think carefully about in terms of implementation. Also common to most privacy regimes are transparency requirements. Again, OECD principle of providing consumers with notice of privacy practices or privacy policy that accurately details data collection, processing, retention, and transfer activities. So, again, another feature that we see in the GDPR and also in all of the state privacy laws. I think another point that I wanted to highlight was the data security and incident response requirements. So, the APRA makes it express that covered entities and service providers have to establish, implement, and maintain reasonable data security practices. 
And that reasonable data security practices is one that we've seen in the state privacy laws and is familiar to us from the GDPR, although the GDPR uses slightly different language and talks about appropriate technical and organizational security measures. But the concept is really aligned, and the law would establish standard reasonable practice requirements and a little bit more specificity around those security, what constitutes reasonable security, which I think would be really welcome, because I hear that question all the time from clients. Well, if I do ISO 27001 or if I do SOC 2, does that mean that I have reasonable security in place? So additional specificity around security requirements will be really, really welcome. So, those are, I think, Jerry, those are the really core requirements that stand out to me from the APRA. I think it's going to be, you know, maps out a lot of different things that organizations are going to have to think about or do to adjust their existing privacy programs. |
Jerry: | You know, Shannon, your mention of the data security aspect of this — it could be as big as all of the data use restrictions because it's a moving target, as you say, and it is an immense threat to businesses and to individual consumers. So that, even though it's not the highlighted feature of the bill, I think it could be extremely important as we move forward. What are your thoughts on that? |
Shannon: | Yeah, I absolutely agree. I think it's going to really make covered entities and service providers think carefully about, or far more carefully than they have in the past, perhaps, think about their security programs in a more intentional way. |
Jerry: | Right. Now, the preemption provisions are a central feature of this legislation. Could you take a few minutes to describe the implications and how the preemption provision of the APRA would work if it becomes law? |
Shannon: | Yeah, this has been a bit of a sticky topic in the past and a charged issue, I would say, as it was one of the blockers in terms of the ADPPA, the earlier proposed federal privacy law that really got hung up on preemption. And I think it's one of the places that as soon as the draft APRA was published, everybody was paging through and looking for the preemption. I think they were looking for the preemption provisions and they were looking for the private right of action, which were two things that were really sticking points in the last proposed federal privacy law. And as I worked my way through the preemption provisions — it's not straightforward. I have to say. And for state privacy laws, it's — there's a general rule, but then there are a lot of different exemptions, which I think is going to make it a little bit complex. It's not going to wipe the slate clean of state privacy laws. It's not like if the APRA goes into effect that we would, you know, be able to ignore all of the 15 different state privacy laws. They're still going to be at play. And, certainly, the other state privacy laws that are adjacent to the comprehensive consumer privacy laws, like the My Health, My Data, as one example, the CMIA, the Confidentiality of Medical Information Act, and the children's privacy laws. So, there is going to continue to be a complex interplay between federal and state privacy laws. So, the baseline rule is that the APRA would preempt state privacy laws, but then there are a number of other laws that would not be preempted. So, the state data breach notification laws, as one example, which — that was a little bit of a disappointment from my personal perspective, because, right now, there are, you know, 50, at least 50, different — because there's also Puerto Rico and Guam — state data breach notification laws that are all slightly similar, but slightly different. 
So, whenever there is a data breach, you have to go to each of the state data breach notification laws and figure out: Is it covered? What are the data elements that are covered? So, those laws are not preempted, which, I think, is, you know, that complexity will remain. And, I think as this works its way, as this law works its way through the system, there's going to be a lot of figuring out which laws are preempted and which provisions will remain in place. So, it's going to be, I think, fairly complex. |
Jerry: | And a matter that will need sorting out before this passes, but it leaves a lot of opportunity for work for lawyers and their briefs (laughing)... |
Shannon: | (laughing) That's an upside. Sure. |
Jerry: | I guess we can say that. I hate to say it to our listeners, but — Well, thanks, Shannon. Now, we have the objectives and the core principles laid out and in mind. Let's turn to the exemption for financial institutions mentioned earlier. Sherry, could you describe the exemption? What's in, and what's out? And, based on your experience with similar exemption in California law, how will financial services firms deal with making the distinction between their covered data and the data that does not come under the proposed federal statute? |
Sherry Safchuk: | Thanks so much, Jerry, and thank you so much, Shannon, for joining us. I think to answer this question, we have to start with what data is covered by the law. And, right now, the definition of covered data is any information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals. Interestingly enough, this definition doesn't reference household, which is a big sticking point in the California Consumer Privacy Act. Because how do you define household given the various households we have in the U.S.? What is not covered is de-identified data, which is a specific definition. It's not just any data that you think is not able to be reasonably linked to another person. Employee information, which is really interesting, as well as publicly available information and inferences made from those publicly available inferences, and then, this one I kind of like because I was an art history major, information in the collection of a library, archive, or museum if the library meets certain conditions. So, the reason I talk about covered data is because the exemption for a financial institution is driven by the types of data that they have, and they'll have to parse through what data is subject to, for example, the California Privacy Rights Act, which they're currently doing. Now, they're going to add another layer, which is the American Privacy Rights Act. So, I think what's going to happen is going to be another type of bifurcation of what's in, what's out. I know that financial institutions have the experience already with the California law — this would just expand it. But there are also difficulties with figuring out what's in and what's out with respect to the California law that will just kind of bleed over into the APRA. 
So, I think it's very interesting to see how financial institutions will adapt on a nationwide basis, and maybe it's a matter of extending their CCPA practices on a nationwide basis. |
Jerry: | Well, if I could interrupt for just a second, Sherry. I mean, to simplify this for our listeners and maybe for me, the fact is that the type of exemption that we have here, I guess, is a data-level exemption, not an entity-level exemption. So, if you're subject to the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act, I think that means that if it were an entity-level exemption, okay, you're out of this regulatory regime being set up by the APRA. On the other hand, if you have a data-level exemption, as is provided here, then let's talk about the kinds of data held by financial institutions that might be subject to it. Their marketing data, everything that happens before someone becomes a customer, I think, would be covered by this statute, wouldn't it? |
Sherry: | I think that's right, and I just want to hone in on that data-level exemption before I give you what I think might fall under the law with respect to financial institutions. The APRA makes it clear that the exemption is solely and exclusively with respect to any data subject to the requirements of, for example, the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act. So, they make it very express that this is a data-level exemption. From a financial services perspective, I play around with this because it really is financial institution-specific. What data would be covered under the APRA would be, for example, website data, tracking — tracking those that come on your website. I don't want to say customer because there may be folks that aren't customers that go on your website and kind of poke around. Any data you receive from a Contact Us page, I think, may fall within the data subject to the APRA. Any marketing or leads that are purchased may also fall under this law because it may not be a name of a person that was trying to get a financial product or service. But that gets a little bit into the gray area, so that's one of the areas that financial institutions struggle with of whether to say it's in or out of a particular law that has a data-level exemption. |
Jerry: | Well, yes. And there's a lot more that we could say about that if we did have more time. But that's a crucial question, and one, we'll see as things go forward — if you have to comply with respect to one set of data that you have with the APRA—just as states having various laws, some with the data-level exemption, some with the entity-level exemption—anybody operating in California might be tempted to just comply with the California law and get it over with, and that may be the case with respect to parsing between the GLBA/FCRA-covered data and the other data that you have. I don't know. Maybe it won't go that way, but it'll be interesting to see what happens. Well, Shannon, let's talk a bit about regulation enforcement under the statute by the FTC and state attorneys general. The FTC is an agency with years of experience in the privacy arena. However, the agency has a limited number of personnel committed to this area of its jurisdiction. In fact, I recall a few years ago, the Irish Privacy Authority had more people employed in their exercise than did the FTC in its privacy domain. So, with this greatly heightened level of responsibility for the APRA, how do you envision the FTC stepping up? |
Shannon: | Yeah, really excellent question and something that, I think, regulators have been thinking through how to best regulate this law. Similar to how the, I would say, the states have thought about it as well. So, in California, there was a new agency established, the California Privacy Protection Agency, which, for me, was a little bit like a supervisory authority in Europe under the GDPR, having a new regulator that's primarily tasked with thinking through enforcement in relation to privacy and data protection. So, the APRA would establish a new bureau in the FTC to implement and enforce the law, and violations would be treated as unfair and deceptive acts and practices under the FTC Act. It would also allow the FTC to seek civil penalties for violation of the statute or the agency's regulations. There would still also be state AG enforcement, so states would be able to seek a wide variety of relief for violations, including injunctive relief, civil penalties, restitution. And then, finally, there's the private right of action, which again, like I said, I think as soon as the bill was published, people went straight to preemption and the private right of action. Like, what does it look like? And it looks like it's a pretty broad and complex private right of action for consumers who allege violations of the law. I'm sure the plaintiff's bar is unpicking this in great detail right now to figure out exactly how they're going to move forward and what kind of opportunity there will be for the plaintiff's bar in relation to the private rights of action. So, it's going to be enforced in a variety of ways, and I really think this new bureau within the FTC is very novel, and it's a really interesting construct. So, that's a high-level summary of how and what enforcement might look like. |
Jerry: | But you would agree that they're going to have to do some significant staffing up to take this off? |
Shannon: | Oh, staffing up is going to be a huge, huge issue, I think, if the law passes. |
Jerry: | Right. Well, Sherry, the APRA assigns regulatory responsibility at the federal level to the FTC. However, for financial institutions, the CFPB has its own set of rules regarding the customer's rights to data, and which, of course, is part of the pending 1033 rulemaking, which we've discussed in prior podcasts. Under the APRA, as previously discussed, some personally identifiable information in the possession of banks — that is, customer data — will be exempt from the provisions of the APRA, whereas data used in marketing to non-customers, as we've discussed before, will be subject to regulation by the FTC. It would appear. This is not unlike the current situation for California-based financial institutions. How do you see this overlapping jurisdiction between the FTC, the CFPB, and the federal financial regulators playing out? |
Sherry: | So, I think — I know you didn't ask about state, but I'm also going to address state attorneys general. At the federal level, I think I break it up into two buckets: those subject to FTC and/or CFPB authority and then those subject to federal prudential regulators, which is the Office of the Comptroller of the Currency, the Federal Reserve Board. And so, that is like your banks, your credit unions, and so forth. For those subject to FTC and/or CFPB authority, I wonder and I hope that they will consider the memorandum of understanding that they entered into, which requires them to coordinate certain law enforcement activities and to formulate policy in a consistent manner, just, and to really avoid duplication or conflict. So, I'm hoping the FTC and CFPB kind of join forces as opposed to having multiple separate enforcement actions that may or may not be consistent. For banks, credit unions, and those types of entities, I don't know if it's clear how the APRA applies to them, and I think we have to kind of dig in and get more clarity as to what role the prudential regulators may have with respect to enforcing the APRA. Maybe it's through unfair, deceptive, and abusive practices. And then, we have kind of the state attorney general piece, and I think the state attorneys general may or may not coordinate with the federal regulators. In some states, you see them coordinating, so — I believe they've done that in New York — but in other states, they kind of have parallel tracks. So, I think it'll be interesting to see how it plays out with respect to enforcement. |
Jerry: | And not only with respect to enforcement, but in the case of the CFPB, with respect to policymaking and what rights do people have to move data? That's a big subject of the 1033 rule. Now, APRA is going to assign some responsibility to the FTC to enforce with respect to the right of a consumer to control their own data. So, there's going to have to be, I believe, a lot of coordination, as you've indicated, Sherry, between these two agencies. The current head of the CFPB, of course, was at the FTC beforehand as a member, so — but this will be an interesting — if this legislation passes, it will be interesting to see how they coordinate. Maybe in the process of considering the legislation, there will be some involvement of the financial services committees in the House and Senate with respect to the statutes that they have on the books and they have responsibility for that deal with consumers' data rights and protections. Well, we've covered this legislation at a high level, and we've come to the point where our time is going to run out. But, of course, the $64,000 question is: What are the prospects for enactment of the APRA in this Congress? And, Shannon, you have your finger on the pulse of what's happening, at least the discussions that are going on in the privacy bar and what people think. I mean, it's impossible to predict, but could you give us some of the considerations? |
Shannon: | Sure thing. I think there are a lot of different pressures here, and it's a tricky time because it's an election year. People generally think it has more chance of passing than the ADPPA, than, you know, the last proposed federal privacy law, and there are a lot of different factors at play here. Another one is GenAI, generative AI, and the desire of lots of different global players to collect as much data as possible, and so having a federal privacy law is perceived to, you know, sort of draw stronger lines around U.S. data. So, I think that's one consideration here that goes beyond just, “Oh, there's a complex landscape of state privacy laws.” There's also the macro geopolitical climate of the GenAI or AI arms race that I think comes into consideration when we're thinking about cross-border data transfer and whether this law has a chance of passing. I think that's one feature that sort of sits in a layer above all of this when you're looking at all the different factors and working out the calculus as to whether this will pass. I don't have a crystal ball. (laughing) |
Jerry: | True, but the passage by large margins of the TikTok divestiture requirement are indicative of a congressional awareness of the use of data from U.S. citizens and businesses by foreign adversaries, and that's a new layer that hasn't been as present in this discussion. I also think there is the thought that in addition to having surrendered to the states, the making of law in this area, the states, I think, have done a pretty good job, but it's also surrendering to the European Union and others, the establishment of standards, which usually the United States is the lead in establishing standards for consumer protection or the use of financial data, as we're — which is our subject, and that, that has been ceded to Europe. And I'm not sure that is something that, in the long run, our legislative body would want to see be the case. You mentioned, you know, the other factors at work, including the desire for a uniform standard so that we can facilitate commerce in the United States. But, on the other hand, you've mentioned the — that it may be defined as a preemption provision, but the exceptions can prove the rule. So, this — there's a lot to sort out here. Sherry, I mean, I'll offer my thought at the end, but your thoughts as to likelihood of passing? |
Sherry: | I don't know. I'm kind of torn on this. I think there's going to be a lot of debate as to potential revisions, and then this year is an election year. I don't know. I think it's not likely to pass this year. But it looks like Congress is really poised to pass a privacy law, so this is not the end of potential legislation. |
Jerry: | Well, I would agree with you, Sherry. For what it's worth, my thought is there is a lot here that still has to be sorted through. I think there is huge enthusiasm. The House Energy and Commerce Committee had a hearing on this, and people were excited — yes, now is the time — and I think that's, you know, I share their excitement about the possibility of getting, finally getting, some legislation in place. But, I think, that it's — there are a very limited number of days left in this Congress before they adjourn to go and run for reelection. There are so many other issues that are there, and there has been, we found, the difficulty of arriving at consensus on anything in the House of Representatives as we witnessed with respect to the foreign aid package for Ukraine, Israel, and Asia. So, I think it is going to be very hard to make it happen. The leadership by the chairs of the two committees is a very significant motivator for it to move, and maybe — wish them well — they'll be able to make it work. But I think that — now that it's a likely possibility that it will be enacted or becomes much more likely than it was a month or two ago — now, people are going to take it seriously, and you're going to have a lot of people with a lot of questions. Some of which have been raised here, coming forth and saying, "Well, what about this, and what about that, and how does it affect me here, and how does it affect me there, and what about my exemption for GLBA and FCRA?" So, Sherry and I are shortly going to have a call with the financial services trade associations, with whom we have a call on a monthly basis. It'll be fascinating to hear what the reactions of the various trades are at this point. So, first of all, I want to say, Shannon, thank you so much for joining us. You bring a deep knowledge of this area, and I think we all find it fascinating. Sherry, great. And listeners, I hope you enjoy this. |
Sherry: | Thank you. |
Shannon: | Thanks so much. |