UPDATE — JULY 2025: This article accurately reflects the draft American Privacy Rights Act of 2024 (APRA), introduced on April 7, 2024, by Representatives Cathy McMorris Rodgers and Maria Cantwell. The bipartisan proposal aimed to establish a national privacy framework to regulate personal data, including biometric, genetic, geolocation, and online identifiers. It also proposed individual data rights such as access, correction, deletion, and on-device control.
Although formally introduced on June 25, 2024, as H.R. 8818, the bill has not passed. It underwent several changes before committee markup, including the removal of civil rights protections, AI provisions, and enforcement mechanisms. Negotiations also led to key changes affecting state law preemption and private rights of action.
As of mid-2025, APRA remains under congressional review. In the meantime, privacy regulation in the U.S. continues to evolve at the state level. New laws in Tennessee and Minnesota have further fragmented the privacy landscape.
In short, APRA continues to shape national debate, but no federal privacy standard has been enacted. Organizations must still comply with a growing patchwork of state-level laws.
ORIGINAL NEWS STORY:
Pair of U.S. Lawmakers Unveil American Privacy Rights Act Proposal
On April 7, U.S. House Committee on Energy and Commerce Chair Cathy McMorris Rodgers and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell unveiled the draft for the American Privacy Rights Act of 2024. The Act is a comprehensive legislative proposal designed to enhance privacy protections for individuals and regulate the collection, use, and sharing of covered data by entities. This Act introduces various provisions aimed at safeguarding personal information, granting individuals greater control over their data, and establishing mechanisms for enforcement and accountability.
Covered Data and Privacy Rights
The draft defined “covered data” broadly. It included biometric and genetic data, geolocation data, and online identifiers. The Act’s scope reflected growing concerns about how companies handle sensitive digital information.
To improve transparency, the Act required entities to publish clear privacy policies. These policies must describe what data is collected, how it’s used, and what rights individuals have. Entities must also log major changes to their privacy policies, ensuring users stay informed.
On-Device Rights and Control
One of the Act’s standout features was its support for on-device data rights. Users could access, delete, or correct data stored on their devices. These rights could be exercised through easy-to-use tools, supporting stronger data autonomy.
Civil Penalties and Enforcement
Under the bill, users could file civil lawsuits in cases of violations. If successful, courts could award damages, injunctive relief, or reimbursement of legal costs. Special provisions covered violations involving biometric and genetic data, aligning with existing state laws.
Large data holders had added obligations. They needed to file annual reports disclosing how they use and manage data, which would promote transparency and accountability.
Technology and Collaboration
The bill encouraged collaboration between covered entities and federal agencies to promote privacy-enhancing technologies. It also called for a study by the Comptroller General to review the impact of these technologies and suggest improvements.
Civil Rights Integration
For broader impact, the bill directed the Federal Trade Commission (FTC) to share potential civil rights violations with other federal agencies. Additionally, the FTC had to submit annual reports to Congress on these activities. These mechanisms aimed to support privacy and civil rights in parallel.
Need Help?
If you have questions or concerns about how to navigate the U.S. and global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
