Congressional leaders introduce new legislation for a national data privacy framework

Key Takeaways

On April 7, U.S. House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) and U.S. Senate Commerce, Science and Transportation Committee Chair Maria Cantwell (D-Wash.) introduced the American Privacy Rights Act. Unveiled as a discussion draft, this legislation seeks to set a national data privacy framework and define relevant rights and protections of Americans.

What would this legislation do?

If enacted in its current form, the American Privacy Rights Act would enumerate national data privacy rights and set data security standards. In doing so, the bill prohibits covered entities (i.e. for-profit organizations) from:

• Collecting, processing, retaining or transferring more personal data than is proportionate and necessary to provide or maintain a product or service requested by the consumer
• Transferring sensitive personal data (i.e. government-issued identifiers, personal health information, financial information, etc.) to a third party without the consent of the consumer

This legislation also requires entities to provide consumers with the ability to:

• Access its personal data which the entity holds and the name of third parties to whom data has been transferred
• Correct any inaccuracies or incomplete personal data that has been collected, processed or retained
• Delete personal data that has been collected, processed or retained (and requires the entity to notify third parties of this action if data has been transferred)
• Receive exported personal data which the entity collected, processed or retained

Consumers would also have the right to opt-out of targeted advertising that leverages personal data and algorithm-based decision making for housing, employment and health care. It also establishes civil right protections that prohibit entities from employing discriminatory data collection or use practices.

To enhance transparency, entities must publicly provide a privacy policy to its consumers laying out its data collection, processing, retention and transfer activities. In addition, a short-form notice of data practices (of no more than 500 words) must also be made available.

What does this mean for counties?

Generally, these provisions would not apply to county governments or entities that are acting as a service provider to the county. However, this legislation would apply to many entities that county governments regularly interact with, including third-party vendors that counties may interact with to provide services to residents.

 
NACo supports initiatives and systems to ensure that personal and county information is secure from illegitimate actors and hackers. Furthermore, NACo supports ensuring that third party providers conform to county privacy policies and practices that maximize the security of private information. NACo has not yet taken a position on the American Privacy Rights Act, and we encourage feedback from members interested to learn more about the legislation. 
 

Want to learn more?

NACo will continue to monitor developments around The American Privacy Rights Act. To learn more about the bill and ongoing discussions on federal data privacy policy, click here.