The legislation would establish national standards for data privacy and security, requiring certain entities to be transparent about how they use data and give consumers the right to access, correct, delete and export their data.
Last week, Rep. Cathy McMorris Rodgers (R-Washington), chair of the U.S. House Committee on Energy and Commerce, and Sen. Maria Cantwell (D-Washington), chair of the U.S. Senate Committee on Commerce, Science and Transportation, unveiled the American Privacy Rights Act of 2024. The legislation would establish national standards for data privacy and security.
The bill would require certain entities to be transparent about how they use data and give consumers the right to access, correct, delete and export their data, as well as opt out of targeted advertising and data transfers. The measure would set standards for data minimization that would allow companies to collect and use data only for necessary and limited purposes and prohibit the transfer of sensitive covered data to third parties without the consumer's affirmative express consent. The legislation authorizes the Federal Trade Commission and state attorneys general to enforce against violations and includes a private right of action.
Importantly, the American Privacy Rights Act includes several preemption provisions. Entities subject to and in compliance with other federal privacy laws, including the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA), shall be deemed in compliance with the American Privacy Rights Act.
Additionally, small businesses are largely exempt from the requirements of the act. The exemption defines a small business as one that meets all of the following criteria: it has $40 million or less in annual revenue; collects, processes, retains, or transfers the covered data of 200,000 or fewer individuals; and does not earn revenue from the transfer of covered data to third parties.
The Big “I” has successfully advocated for a small business exemption in previous legislative efforts by these committees and is pleased to see the inclusion in this legislation.
This week the Big “I,” along with the American Property Casualty Insurance Association (APCIA), the National Association of Mutual Insurance Companies (NAMIC) and other insurance trade associations, sent a joint letter to the respective leaders of the House and Senate Commerce Committees offering additional suggestions as they craft this legislation.
Last year, the U.S. House Committee on Financial Services advanced the Data Privacy Act of 2023, which was introduced by committee Chairman Patrick McHenry (R-North Carolina). The legislation would create a uniform national data privacy standard while updating the GLBA, which became law in 1999. GLBA requires insurance agencies, insurers and other financial institutions to disclose their information-sharing policies and inform consumers of their ability to prevent the sharing of nonpublic personal information with certain nonaffiliated third parties.
The Big “I” reminded committee members that the state regulatory system has worked well in this area for more than 20 years and there is no public policy rationale for abandoning it. The committee agreed and the legislation kept state insurance regulators in charge of implementing and enforcing any federal privacy standards regarding the insurance industry.
As Congress continues to work on data privacy legislation, the Big “I” will continue to advocate for independent insurance agents and provide updates through the News & Views e-newsletter.
Raaed Haddad is Big “I” director of federal government affairs.