Latest Federal Data Privacy Proposal Stalls in Committee: What It Means for the Security Industry

Meanwhile, More States Adopt Consensus Model

On June 27, 2024, the House Energy and Commerce Committee canceled its planned markup of the American Privacy Rights Act (APRA), following pushback from a wide spectrum of stakeholders on the latest draft released just days prior, including groups that had been supportive of previous iterations. Even more significantly, House leadership indicated that an overhaul would be necessary to consider bringing it to the House floor. These developments effectively ensure no further action on the measure until after the 2024 election, and possibly the remainder of the 118th Congress. Meanwhile, five more states have adopted the emerging consensus data privacy model this year that is not beset by the same issues.

Regarding the specific changes to APRA, while nongermane (and problematic) sections on algorithmic discrimination and automated decision-making systems were removed, government contractors were drawn into the bill’s scope, and there was no movement to address significant law enforcement issues, or broader business community concerns regarding the scope of state preemption and potential for abusive lawsuits under its private right of action (PRA). Additionally, significant last-minute changes in the proposal with respect to biometric information would, unlike in its previous iteration, essentially apply Illinois Biometric Information Privacy Act-like requirements nationwide, which would be unworkable for important implementations of biometric technologies.

Ahead of the markup scheduled for June 27, the Security Industry Association (SIA) joined 21 other national trade associations in expressing concerns about this latest APRA proposal and the problematic changes to its biometric provisions in particular, despite overall support for the goal of achieving a national data privacy framework.

In a significant development the week prior that influenced debate, Vermont Gov. Phil Scott’s veto of a data privacy measure earlier passed in the legislature was sustained in a bipartisan Senate vote, largely over local business concerns with a private right of action and untested “data minimization” requirements. Both provisions bore resemblance to APRA, and enactment would have made Vermont an outlier among all others as the only state allowing a PRA for enforcement of a comprehensive data privacy law.

Meanwhile, Nebraska, Kentucky, Maryland, New Hampshire and Rhode Island passed comprehensive data privacy measures in 2024 that are generally similar, bringing the total to 19 U.S. states that have enacted what many consider to be the emerging “state consensus” data privacy model that is based more closely on the European Union’s General Data Protection Regulation. SIA will soon update member resources such as its Guide to U.S. Biometric Privacy Laws with more information about these measures.