In April, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) introduced the American Privacy Rights Act of 2024 (APRA), a bicameral and bipartisan federal comprehensive privacy bill that would provide multiple governmental enforcement mechanisms, including for the Federal Trade Commission (FTC) and state attorneys general, as well as a private right of action for certain breaches of defined privacy rights. The draft APRA expands upon the American Data Privacy Protection Act (ADPPA), which was considered last Congress in 2022.

As drafted, the APRA has sweeping coverage and would apply to entities that (1) determine the purpose and means of collecting, processing, retaining, or transferring covered data; and that (2) are subject to the FTC’s authority under the FTC Act, including common carriers and certain nonprofits. See American Privacy Rights Act of 2024, Sec. 2 (10)(A)(i). The bill also outlines various requirements for large data holders, data brokers, and covered high-impact social-media companies. Id. at Sec. 2 (25)(13)(11). The APRA’s tiered approach would instantiate sweeping coverage, all while including exemptions for small businesses, governments, as well as entities that are “collecting, processing, retaining, or transferring covered data” on behalf of a government entity, and fraud-fighting nonprofits. Id. at Sec. 2 (10).