Proposed APRA Bill Is a Bad Attempt at Data Privacy Protection

Jonathan Hofer
The Berkeley Table
Published in
3 min readJun 12, 2024
Photo by Firmbee.com on Unsplash

In April, Congresswoman Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA) announced a proposal for a bipartisan and bicameral bill, now known as the American Privacy Rights Act (APRA). Right out of the gate, the bill was controversial. An updated version of the House bill was released on May 23rd, yet the updated language did not fix the most problematic provision, which allows federal regulations to preempt state privacy laws.

Proponents of APRA, like Microsoft Vice Chair and President Brad Smith, argue that APRA is a great bipartisan feat that gives “all consumers in the U.S. robust rights and protections. It would also provide clarity by establishing a national standard.” It is easy to understand how a national privacy standard entices some. The regulatory thicket surely adds to transaction costs for large companies, which can have undesirable downstream effects on consumers and the economy at large. It can also mean that all Americans are guaranteed some protections.

However, there are better strategies than federal preemption for protecting data privacy, and this likely results in a worse cure than the disease.

Preemption “is a legal doctrine that allows a higher level of government to limit or even eliminate the power of a lower level of government to regulate a specific issue.” There are different forms preemption can take. For example, in the United States, there is a federal minimum wage, and nearly all but a few of the individual states have their own minimum wage. The federal minimum wage is considered “floor preemption” because it creates a minimum standard, but states can exceed the federal minimum standard.

Instead, APRA would set up a “ceiling preemption” relationship, meaning that the federal standard would supersede existing state privacy laws and effectively limit future state laws.

By overriding state laws, APRA could lower the bar for privacy protections. An open letter circulated by the ACLU notes how many protections could be rolled back if APRA passes, including California’s laws that raise the standard of the government collecting location data from digital communications and California’s credit card privacy law, the Song-Beverly Credit Card Act, which, among other things, creates a private right to action if merchants take a customer’s personal information without their consent or a transaction taking place.

Similarly, some consumer data privacy regulations go too far. Despite having redeeming aspects, the EU’s General Data Protection Regulation legislation (GDPR) has struck a significant blow to the mobile applications market. Not only has application competition dropped and innovation slowed in the EU, but according to a National Bureau of Economic Research working paper, “Whatever the benefits of GDPR’s privacy protection, it appears to have been accompanied by substantial costs to consumers, from a diminished choice set, and to producers from depressed revenue and increased costs.” Decentralized regulatory regimes can mitigate such problems. Individual states are much more likely to try novel regulatory protections. Federal preemption would surely stifle this and slow the evolution of privacy laws in response to new technological challenges.

I stressed in Independent Institute’s thirteenth California Golden Fleece® Award on California’s laws governing automated license plate readers (ALPRs) that jurisdictions with differing privacy laws serve as crucial laboratories for policies. For example, city ordinances in Los Angeles allow police to store ALPR-captured data longer than the City of Alameda. Conversely, the State of New Hampshire effectively forbids ALPR data retention. It is helpful to compare and contrast the differences and give people a better ability to exercise their powers of exit and voice. Some jurisdictions will pass better privacy laws than others. APRA risks condemning everyone to a poor one-size-fits-all standard.

Many aspects of consumer data protection are completely justifiable when they align with the principle of informed consent and the right to make decisions free from coercion or deception. In many cases, consumers are unaware of or do not consent to the myriad ways businesses collect, process, and share their data. However, legislation like APRA misses the big picture—it largely ignores state data privacy violations. Of course, APRA is focused on consumer data privacy, and one could argue that state violations are entirely different. Still, the consequences and scope of state surveillance are near infinite. When will Congress protect citizens’ data from the government?

An executive summary of APRA from Rodgers and Cantwell can be found here.

--

--

Jonathan Hofer
The Berkeley Table

Public Policy Research Associate| Ad hoc consultant| Former Comparative Political Economy Researcher| Oakland, CA. B.A Political Science, UC Berkeley