19 April 2024

American Privacy Rights Act Unveiled: Applies To More Entities Than Any Current State Privacy Law

Foley & Lardner



The American Privacy Rights Act (APRA) was unveiled on April 7, 2024 and has a long way to go before becoming law. But if it does become law, it would apply to many more businesses than any current state privacy law, such as the California Privacy Rights Act - a law long heralded as the grandfather of state privacy laws in the U.S. A section-by-section summary of the APRA is available here.

First, unlike most state-level general privacy laws, which include a blanket exception for non-profit entities, the APRA would potentially bring non-profit organizations into scope.

Second, only two state laws currently have financial thresholds to be met before a business is considered in scope. In California, a for-profit entity must earn at least US$25m in annual revenue, or meet one of the other thresholds discussed below, before it is in scope. In Texas, a for-profit entity must not be deemed a small business by the federal Small Business Administration or meet one of the thresholds discussed below. The APRA, if passed, would make any entity, for-profit or non-profit, subject to the APRA if it exceeds US$40m in annual revenue or meets one of the other thresholds.

Third, while most of the current state privacy laws require a for-profit organization to process the personal information of at least 100,000 people who are residents of that state, the APRA proposes a modest increase to 200,000, but those 200,000 would be residents of the U.S. - a significantly easier threshold to meet when adding up residents of the entire country.

And finally, while most state laws apply to organizations that make a significant part of their revenue from the sale of personal information (sometimes with a lower minimum volume threshold), the APRA would bring any entity in scope if it earns any revenue from the transfer of personal information to third parties. It is yet to be seen whether this would include revenue in the form of "other valuable considerations," as is the case in many of the state general privacy laws, and whether such revenue would include considerations derived from disclosures through advertising or analytics cookies. If it does, any company that operates a website that uses analytics cookies may be in scope, regardless of the number of website visitors, the amount of revenue earned, or the percentage of compensation (monetary or otherwise) received from such disclosures.

The Foley Cybersecurity & Data Privacy team will continue to review the proposed APRA and provide further guidance as (if) the proposed legislation progresses towards enactment. But close followers of privacy laws in the United States will have a sense of déjà vu and recognize that we have been here before. The last time (a mere two years ago), Rep. Nancy Pelosi and other members of the California congressional delegation objected to proposed legislation because it preempted the California CPRA. The APRA also preempts state general privacy laws, and it remains to be seen if it will face the same or similar objections.

Key definitions include:

Covered entity—any entity that determines the purpose and means of collecting, processing, retaining, or transferring covered data and is subject to the FTC Act, including common carriers and certain nonprofits. Small businesses, governments, entities working on behalf of governments, the National Center for Missing and Exploited Children (NCMEC), and, except for data security obligations, fraud-fighting non-profits are excluded.

Small business—businesses that have $40,000,000 or less in annual revenue; collect, process, retain, or transfer the covered data of 200,000 or fewer individuals (not including credit card swipe and other transient data); and do not earn revenue from the transfer of covered data to third parties. Small businesses are exempt from the requirements of the Act.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
