The American Privacy Rights Act (APRA) is a proposed comprehensive US data privacy law. It was proposed in April of 2024, and it remains to be seen if and when it will become law. And if it does become law, it remains to be seen how it will be modified. All statements below are subject to change.
The APRA would be much broader than HIPAA in that more entities are covered and more kinds of data are covered. Whereas HIPAA covered entities are primarily healthcare providers and insurance companies, APRA would cover “common carriers” as defined by the Communications Act of 1934.
The APRA would cover a broad range of data, and designates some kinds of data as sensitive: biometric and genetic data, precise geolocation data, phone logs, private communications, etc.
Two controversial aspects of the law are that (1) it would preempt state privacy laws (with some exceptions) and (2) it would allow for a private right of action, i.e. individuals could sue covered entities for violations. The private right of action provision may be the most controversial part of the proposed law, which also means it is the part most likely to be modified or at least debated.
The APRA would distinguish between large businesses and small businesses, based on annual revenue, and between large data holders and small data holders, based on the number of individuals represented in the data.
If enacted, the law would become effective 180 days later.