GDPR in the USA? Here’s what the American Privacy Rights Act of 2024 says
Will the United States soon have its own national version of Europe’s GDPR? In April of this year, a Democrat and a Republican introduced the American Privacy Rights Act of 2024, which could eventually be America’s first-ever national privacy bill.
While 17 states have created their own consumer privacy laws, led by California, whose CCPA took effect in 2020, there isn’t yet a national framework for US citizens’ digital privacy. In contrast, Europe’s General Data Protection Regulation was adopted in 2016 and became enforceable in 2018.
If indeed the American Privacy Rights Act of 2024 proceeds and becomes law, it will result in significant changes for how American companies — including mobile app and game companies — do business. So what I’d like to do in this post is summarize the American Privacy Rights Act of 2024, compare it to GDPR, and discuss what this means for mobile marketers.
At the same time, let’s be honest: it’s an election cycle, and bipartisan legislation is unbelievably hard to pass right now in the existing hyper-partisan US government. It’s more likely that the APRA will serve as the framework for a future law than get passed on its own right now … although it’s probably more likely to pass if the Democrats prevail in the next election.
States with privacy laws: lots!
Let’s start here: At least 17 states have privacy legislation on the books, although for some states the laws won’t become effective until 2026. The American Privacy Rights Act of 2024 isn’t appearing out of a vacuum.
In general, US states have focused on consumer rights (access to personal information held by companies, correction and deletion of that data, the ability to opt out, and the ability to transfer information to other service providers). Business obligations include getting consent, providing transparency, and minimizing the amount of data collected.
In addition, businesses are required both to implement security measures that safeguard consumer data and to notify users or customers in the event of a security breach.
Here are the states with privacy legislation, in chronological order of when they adopted or are adopting consumer digital privacy laws:
- California: California Consumer Privacy Act (CCPA), January 1, 2020
- Also: California Privacy Rights Act (CPRA), January 1, 2023
- Virginia: Virginia Consumer Data Protection Act (VCDPA), January 1, 2023
- Colorado: Colorado Privacy Act (CPA), July 1, 2023
- Connecticut: Connecticut Data Privacy Act (CTDPA), July 1, 2023
- Utah: Utah Consumer Privacy Act (UCPA), December 31, 2023
- Texas: Texas Data Privacy and Security Act, July 1, 2024
- Florida: Florida Digital Bill of Rights, July 1, 2024
- Oregon: Oregon Consumer Privacy Act, July 1, 2024
- Montana: Montana Consumer Data Protection Act, October 1, 2024
- Delaware: Delaware Personal Data Privacy Act, January 1, 2025
- New Hampshire: New Hampshire Data Privacy Law, January 1, 2025
- Iowa: Iowa Consumer Data Protection Act, January 1, 2025
- New Jersey: New Jersey Data Privacy Act, January 15, 2025
- Tennessee: Tennessee Information Protection Act, July 1, 2025
- Maryland: Maryland Online Data Privacy Act, October 1, 2025
- Indiana: Indiana Consumer Data Protection Act, January 1, 2026
- Kentucky: Kentucky Consumer Data Protection Act, January 1, 2026
As is pretty obvious by the dates, there’s been a rush of legislation in many states since 2023 to get a digital privacy protection law on the books. That digital privacy push is continuing, as at least 8 other states have new privacy laws pending or under consideration:
- Hawaii
- Massachusetts
- New York
- Pennsylvania
- Washington
- Wisconsin
- Minnesota
- Ohio
At this accelerating rate, pretty much every state will have a digital privacy act in the next few years. The challenge, of course, is that if there are minor differences between them all — and how could there not be — businesses will need to support a patchwork of legislation depending on where their users, players, or customers are.
Which … doesn’t sound efficient.
That’s one of the reasons for the American Privacy Rights Act of 2024: a universal country-wide law about digital privacy.
The American Privacy Rights Act of 2024
What is the American Privacy Rights Act of 2024 all about? Well, if you’re familiar with GDPR, there’s a lot that’s similar. The APRA is a bill to “establish national consumer data privacy rights and set standards for data security.”
If passed, it will have a significant impact on how marketers, adtech companies, and large digital platforms like the GAFAM or FAANG conglomerates collect data. It will also impact what data they collect, how they process that data, and whether they can run targeted, personalized advertising campaigns.
Here are some of the key focus points of the APRA:
- National data privacy standard: APRA, if signed into law, would establish a uniform national privacy standard that supersedes the existing patchwork of state laws. It is also likely to provide stronger protections than most current state laws, and perhaps all of them.
- Consumer rights: The American Privacy Rights Act grants consumers the right to access, correct, delete, and export their data, as well as to prevent the sale of their data. Americans would also be able to opt out of data processing and targeted advertising.
- Consent for sensitive data: APRA requires companies to obtain explicit consent before transferring sensitive data to third parties.
- Data minimization: As in GDPR and many state laws, companies would be required to limit data collection, storage, and use to what is necessary to provide their services. In other words, no more free-for-all.
- Enforcement mechanisms: APRA gives individuals the right to sue for damages if their privacy rights are violated and bars mandatory arbitration in cases of significant privacy harm. It also authorizes enforcement by the Federal Trade Commission (FTC), state attorneys general, and private individuals.
- Protection against discrimination: The American Privacy Rights Act prohibits the use of personal information for discriminatory purposes and mandates annual reviews of algorithms to prevent harm, including discrimination. How these annual rev
- Data security obligations: Companies must implement strong data security measures to protect against data breaches and identity theft, and must designate a data security officer.
- Small business exemption: Small businesses that do not sell personal information are exempt from the Act’s requirements. A “small business” is one with less than $40 million in annual revenue that processes data for fewer than 200,000 people.
- Algorithmic decisions: The American Privacy Rights Act would give consumers the right to opt out of the use of algorithms for “consequential decisions” such as which consumers should be offered credit, health care, insurance, employment, and so on.
Data the APRA covers includes personally identifiable data and sensitive covered data, such as health information, biometrics, genetic information, financial data, precise location data, login credentials, private photos and recordings, and more. It does not include “de-identified data, employee data, publicly available information, inferences made from multiple sources of publicly available information.”
Large businesses will have special obligations. They are defined as companies with $250 million or more in annual revenue that process data for more than 5 million people (or 15 million smartphones, or sensitive data for just 200,000 people). Large businesses will need to file annual certifications of their internal controls with the FTC.
How similar is the American Privacy Rights Act to GDPR?
Ultimately, the two pieces of legislation have very similar goals.
Very obvious in both is a focus on individual rights: giving individuals the right to access, correct, delete, and export their data. In other words: you own your data. Both APRA and GDPR have the concept of consent, and both require explicit consent for processing sensitive personal data.
Both also require companies to engage in data minimization, requiring that companies limit data collection to what is necessary for specific purposes, and both provide for significant enforcement mechanisms, including penalties for non-compliance.
There are also some key differences:
GDPR applies to all organizations processing the personal data of individuals in the EU, regardless of the organization’s location. (Which is why it required significant investment by American companies as well as European ones.) APRA focuses on creating a uniform standard within the U.S.
The opt-out rights are slightly different, as well:
- GDPR allows individuals to opt out of data processing for direct marketing at any time
- The American Privacy Rights Act includes the right to opt out of targeted advertising
In addition, APRA specifically bars mandatory arbitration in cases of significant privacy harm, a feature not explicitly addressed in GDPR. And the American Privacy Rights Act mandates annual reviews of algorithms for discriminatory impacts, which is more specific than GDPR’s general requirements for data protection impact assessments.
Also, GDPR distinguishes between data controllers and data processors, terms that don’t appear in the APRA (the draft instead speaks of “covered entities” and “service providers”). The American Privacy Rights Act also has a concept of a data broker, which is a significantly different thing. The APRA does recognize that processing data is something that needs to happen, however, and does allow for “processing covered data solely for measuring or reporting advertising, marketing, or media performance, reach, or frequency.”
This bill would need to go through multiple iterations before becoming actual law; it’s possible that some of these definitions and use cases will be further spelled out if it proceeds.
Impact on digital marketers and user acquisition pros?
Clearly, a law like the American Privacy Rights Act would accelerate adoption of privacy frameworks like Apple’s SKAdNetwork and Google’s Privacy Sandbox.
The APRA might also necessitate them.
Privacy Sandbox, in particular, includes privacy-safe mechanisms for targeting, audiences, and retargeting, and those could become not just nice to have but absolutely necessary in a world in which people can opt out of targeted advertising. Currently, “targeted advertising” is defined in the bill as something that happens in the presence of a unique persistent identifier, which suggests the American Privacy Rights Act views old-school IDFA or GAID behavioral targeting as potentially problematic, but not necessarily anonymized targeting.
Even so, however, Americans would have much more control over the collection, use, and storage of their data, and adtech in general would need to adapt.
Third-party data would be the most vulnerable, as usual.
Ultimately, it’s likely that any impacts of the APRA are already kind of “priced in” to the cost of doing data-driven performance marketing today, especially for companies also doing business in Europe, adopting Apple’s SKAN, and working on Google’s Privacy Sandbox. Also, for companies using data processors like Singular, pretty much everything they’ll need in terms of transparency and deletability is already available.
Also as usual?
First-party data is king, queen, and the prime minister all in one. Knowing your users, players, or customers deeply, and developing a strong relationship of trust with them, will be ever-more-critical in the years to come.