Proposed American Privacy Rights Act (APRA) signals new phase of privacy regulation: ESRB Privacy Certified welcomes COPPA-style compliance mechanism

Photo credit: NASA/Jordan Salkin

Last week, on the eve of the total solar eclipse, a bipartisan, bicameral “discussion draft” for a comprehensive federal privacy law – the American Privacy Rights Act of 2024 (APRA) – landed in Congress. Accompanied by almost as much excitement as the celestial event itself (at least among privacy professionals, a cohort as intense as eclipse-chasers (umbraphiles)), the APRA would create a long-elusive national data privacy regime and reduce the ever-growing patchwork of state comprehensive privacy laws.

Top Provisions

The discussion draft introduced by Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-Wash.) and House Energy & Commerce Chair Cathy McMorris Rogers (R-Wash.) on April 7 (since updated slightly) would markedly remake the landscape of data privacy in the United States. Substantively, it would:

• Cover a wide swath of businesses (including non-profits and “common carriers” currently excluded from Federal Trade Commission (FTC) jurisdiction) defined as “covered entities” and impose additional requirements on data brokers, “large data holders” and “high-impact social media companies.” (Conversely, it would exempt small businesses from many requirements.);
• Adopt a broad definition of covered data (i.e., data that “identifies or is linked or reasonably linkable” to an individual or device, either alone or in combination with other information);
• Impose strong transparency and strict data minimization by default requirements, prohibiting the processing of consumers’ personal data unless it meets general data minimization principles or one of 15 specified purposes;
• Provide heightened protections for a long list of types of “sensitive personal data,” including the data of minors under the age of 17 and including requiring express affirmative consent for transfers of such data. (The APRA does not contain extensive provisions on children’s and teen’s data, with many observers positing that the drafters plan to port pending provisions from pending online privacy and safety bills into the legislation. Indeed, at yesterday’s House Innovation, Data, and Commerce Subcommittee’s hearing on the APRA and several kids’ privacy and safety bills, many lawmakers and witnesses expressed concerns about kids’ privacy, especially targeted advertising.); and
• Grant consumers the right to access, correct, delete, and export their data, including the right to opt out of targeted advertising, consistent with many of the state laws enacted over the past two years.

And, although not featured in most analysis of the bill’s provisions to date, the draft bill would lay the foundation for a “regulated, self-regulatory” (or co-regulatory) approach to privacy compliance and enforcement – a critical feature from our privacy compliance and certification perspective. (There’s much, much more including provisions on algorithms and civil rights, dark patterns, data security, enforcement (including a limited private right of action for certain provisions), executive responsibility, and pre-emption of most, but not all, state privacy laws. For a helpful overview, see this “top takeaways” summary from the International Association of Privacy Professionals (IAPP) as well as their other APRA resources, including this cheat sheet.)

This isn’t Congress’ first go at comprehensive federal privacy legislation. Members of both chambers have introduced literally dozens and dozens of bills over the years. Not one has passed. Two years ago, another bipartisan, bicameral group of legislators introduced the American Data Protection and Privacy Act (ADPPA) during the “hot privacy summer” of ’22. The ADPPA advanced out of the House Energy & Commerce committee but never made it to the House floor, due, in part, to strong opposition by the California congressional delegation and Senator Cantwell. The APRA appears to be the successor to that legislation, although there are some significant differences, especially on the flash-point issues of federal preemption and private rights of action.

Co-regulatory Compliance Codes

Will APRA face the same fate as its predecessor? It’s too early to know. There are a number of factors that could doom this attempt as well. Still, from ESRB Privacy Certified’s perspective as an FTC-authorized COPPA Safe Harbor program, it’s encouraging that the APRA – like the ADPPA two years ago – provides for business or industry-developed “compliance codes” based on the Act’s requirements as a mechanism for companies to comply with the APRA’s highly-complex privacy rules. Critically, the APRA would provide code participants with a “rebuttable presumption” of compliance if they adhere to an FTC-approved compliance code rooted in the APRA’s provisions and submit to compliance assessments by an independent organization.

Sounds familiar? Undoubtedly, for participants in COPPA Safe Harbor programs like ESRB Privacy Certified, the concept of a privacy compliance and certification scheme for a federal privacy law echoes the COPPA framework. Although the APRA’s provisions are not precisely the same as the those required by COPPA, they follow a similar model. In short, the APRA would permit “covered entities” – other than data brokers and large data holders – to submit compliance guidelines “governing the collection, processing, retention, and transfer of covered data” to the FTC for approval. Once approved by the FTC, companies would be required to publicly self-certify compliance with the approved guidelines subject to oversight by an independent organization.

Compliance Codes Criteria

To obtain FTC approval, a covered entity would need to submit:

• a description of how the proposed guidelines will “meet or exceed” the requirements of the APRA;
• a description of the entities or activities the proposed guidelines are designed to cover;
• a list of the covered entities, to the extent known at the time of application, that intend to adhere to the proposed guidelines;
• a description of an independent organization, not associated with any of the participating covered entities, that will administer the proposed guidelines; and
• a description of how the independent organization would assess participating covered entities for adherence to the proposed guidelines.

In turn, the draft requires the FTC to approve an application for proposed compliance guidelines, including the independent organization that will administer the guidelines, if the applicant demonstrates that the proposed guidelines:

• “Meet or exceed” the APRA’s requirements;
• provide for the “regular review and validation” by an independent organization; and
• include a means of enforcement if a covered entity does not meet or exceed the requirements in the guidelines, which may include referral FTC or appropriate state attorney general for enforcement.

The discussion draft further provides for a “rebuttable presumption” of compliance for covered entities that participate in and are assessed to be in compliance with such guidelines. The APRA framework differs slightly from the ADPPA model, which contained separate sections on “technical compliance programs” (Sec. 303) and “Commission approved compliance guidelines” (Sec. 304). For the former, the draft legislation directed the FTC and other enforcement agencies to consider the history of any covered entity’s history of compliance with any technical compliance program approved by the FTC, as well as any action taken by the covered entity to remedy noncompliance with the program before commencing an investigation or enforcement action, and in determining liability or a penalty. For the latter, the bill stated that a covered entity that participates in Commission-approved compliance guidelines would “be deemed in compliance with the relevant provisions of this Act if such covered entity is in compliance with such guidelines.” Although these differences suggest that some fine tuning of the APRA “safe harbor” provision might be necessary, the practical effect of the APRA’s provision would largely be the same.

Regulated Self-Regulation in Modern Privacy Frameworks

We welcome APRA’s recognition that compliance and certification mechanisms should be part of a modern privacy law, especially at a time when some observers have criticized “pure” privacy self-regulation. Last fall, FTC Bureau of Consumer Protection Director Sam Levine made headlines when he stated bluntly that “self-regulation around digital privacy is not working,” a criticism he repeated more recently when addressing the privacy challenges posed by artificial intelligence. But Levine’s statements were much more nuanced than reported.

Although Levine bemoaned Congress’ failure to pass comprehensive privacy legislation and instead leave the development of privacy rules to “a handful of tech giants,” he offered a model of successful self-regulation that essentially is “regulated self-regulation.” Levine explained that,

In sum, the FTC’s chief privacy enforcer recognized that self-regulation can be an important and effective complement to government regulation and agency oversight when (i) underpinned by explicit legislative authorization, (ii) implemented by independent organizations, and (iii) backstopped by a privacy enforcement authority.

The FTC followed this approach in the Notice of Proposed Rulemaking it issued in December to update the COPPA Rule. There, the agency recognized that the COPPA Safe Harbor program “serves an important function in helping companies comply with COPPA . . . .” As part of its review, the agency made several recommendations for “enhanced oversight and transparency” to “further strengthen the COPPA safe harbor program.” ESRB Privacy Certified filed a comment agreeing, with a few exceptions, with the FTC’s proposed changes. We also offered some additional proposals to improve the Safe Harbor program, including, for example, by including in the COPPA Rule minimum expectations for Safe Harbor programs’ technological capabilities and assessment mechanisms.

COPPA, of course, is not the only privacy law that incorporates robust self-regulatory mechanisms to ensure accountability. The European Union’s General Data Protection Regulation (“GDPR”) provides for codes of conduct and certification mechanisms such as seals and marks in Articles 40 and 42 of the GDPR, respectively, noting, in Recital 100, that certification schemes allow consumers to “quickly assess the level of data protection of relevant products and services” and “enhance transparency.” The European Data Protection Board and EU member state data protection authorities have approved several industry codes (including EU-wide cloud computing codes) as well as data privacy seal programs under these provisions.

And the United Kingdom, which has long featured codes of conduct and certification schemes as part of its consumer protection laws, has embraced this type of self-regulation under the UK GDPR. The UK’s data protection authority, the Information Commissioner’s Office (“ICO”) has encouraged the development of sector-specific codes of conduct and certification schemes. Although the ICO has not yet approved any codes of conduct, it has authorized five certification schemes, including the Age Appropriate Design Code Certification Scheme (AADC certification), which aims to help businesses comply with the United Kingdom’s Age Appropriate Design Code, aka the “Children’s Code.” (ESRB Privacy Certified has an arrangement with the UK Age Check Certification Scheme, an accredited conformity assessment body, which administers the AADC certification. Contact us here for more information about the program.)

There will undoubtedly be a lot to consider as the APRA makes its way through Congress from policy, enforcement, and operational perspectives. The text of the discussion draft will likely change as legislators and a wide array of stakeholders debate any resulting bill. We don’t know if the APRA will be enacted this year or ever. (We are taking bets, though, on whether Congress will pass comprehensive privacy legislation before the next total solar eclipse over North America. It’s in 2044.) What we do know is that APRA’s inclusion of a regulated self-regulatory mechanism is an important feature that can help companies in the video game industry and beyond comply with a comprehensive federal privacy law and, in turn, help provide greater privacy protections for consumers.

• • •

As senior vice president of ESRB Privacy Certified (EPC), Stacy Feuer ensures that member companies in the video game and toy industries adopt and maintain lawful, transparent, and responsible data collection and privacy policies and practices for their websites, mobile apps, and online services. She oversees compliance with ESRB’s privacy certifications, including its “Kids Certified” seal, which is an approved Safe Harbor program under the Federal Trade Commission’s Children’s Online Privacy Protection Act (COPPA) Rule. She holds CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals.