Centre for Trustworthy Technology

From State Patchwork to Federal Framework

StatePatchwork Blog featured Image

The Promise and Challenges of APRA

In the United States Congress, the nation’s first comprehensive federal privacy law is at major crossroads amidst debates and concerns from industry and civil liberties advocates alike. The American Privacy Rights Act (APRA) is the much-anticipated U.S. regulatory regime which aims to “put people in control of their own personal data” and “eliminate the patchwork of state laws” through a unified privacy standard. The debates and concerns raised by stakeholders across industry and civil society offer an insight into the defining challenges of future-proofing policy for emerging technologies. As businesses become increasingly data-driven and multi-national, the implications of APRA are transformative for a wide range of industries and individuals. StatePatchwork Blog image potrait.

APRA arrives at a critical juncture ahead of coming decisions on AI governance. This timing positions APRA to both overhaul existing state data and privacy policies and establish an influential framework for future U.S. AI regulation. The preemptive nature of the federal legislation and the convergence of privacy policy with artificial intelligence policy are the two main challenges in enacting this comprehensive technology regulation.

Preemptive Federal Technology Policy

In lieu of a federal policy, many U.S. states have enacted their own laws to protect citizens from privacy violations amidst specific digital emerging technologies– for example, the laws protecting AI regulation in Colorado, internet privacy in Maine, healthcare and tenant privacy in New York, and biometric privacy in Illinois.  As of June 2024, 19 states have their own privacy legislation. As APRA is characteristically preemptive, if it is passed it will supersede respective state-established regulations. Because some states have already granted more specific or more protective rights than APRA is set to pursue, privacy advocates have raised that this bill would be walking back privacy rights for citizens in those states. Further, critics of the preemptive approach are concerned this will obstruct states from responding to emerging technology developments and public sentiment, therefore, “freezing further action.” At the same time, a coalition of industry groups, including the U.S. Chamber of Commerce, are conversely concerned that the legislation won’t be adequate in preventing states from further regulating on top of the national standard, destroying the standardized vision of regulation which the APRA aims to serve. This tension grapples with the balance between preserving a responsive agility to technology regulation and establishing a stable cohesive regulatory landscape for companies to operate across locales.

The convergence of privacy and AI

Privacy principles have often served as one of many pillars in upholding responsible technology frameworks, yet recently, they are playing an increasingly central role in conceptualizing the risks of data-driven technologies like artificial intelligence. The blending of AI and privacy principles in policy is an important alignment, but differences in terminology and key concepts between these two communities can fracture potential effective implementations.

The APRA draft had directly engaged with AI regulation in a section on “covered algorithms”, which referred to automated decision-making algorithms. APRA used the new terminology of “covered data” to discuss personal or individualized data. This departure from terminology used in other state laws or comparative global standards like the GDPR introduces APRA-specific nuance to privacy regulation. According to the APRA draft, “covered data” is “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.” Experts have noted the leeway this affords, as under this definition, covered data can likely include derived or inferred data, which is especially relevant for advertising technology and artificial intelligence as they often rely on new data generated on previously collected data.

The bill’s stance on data minimization also exemplifies the unsaid convergence of privacy and AI frameworks and impacts in the proposed regulation. While the section on data minimization does not directly mention AI, it will have a directly relevant impact on whether algorithms can be trained on sensitive data which was originally collected for other purposes. The data minimization provisions assert that businesses should not process data “beyond what is necessary, proportionate, and limited to provide or maintain a specific product or service.” Interestingly, just this week, OECD has brought forth considerations to align the two adjacent approaches and harmonize AI’s advancements with privacy principles, such as, fairness, transparency and data protection.

APRA stands at a pivotal point in the history of U.S. privacy legislation. Its passage could significantly reshape the regulatory landscape, harmonizing a patchwork of state laws into a unified federal standard. Yet APRA also faces considerable challenges. The tension between preserving state-specific protections and establishing a comprehensive federal policy underscores the complexity of preemptive federal technology regulation.

Moreover, the convergence of privacy and AI regulation within APRA introduces further complications. As privacy principles become increasingly central to the regulation of data-driven technologies, discrepancies in terminology and conceptual frameworks between privacy and AI communities pose significant obstacles.

The ongoing debates and concerns surrounding APRA illustrate the critical need for both multi-stakeholder approach and agile policy making to build societal consensus on emerging technology regulation.  As the U.S. approaches crucial decisions on AI governance, APRA’s role in setting a precedent for comprehensive technology regulation cannot be understated. Engaging diverse stakeholders iteratively in this dialogue will be vital for crafting effective and future-proof policies that balance the protection of individual rights with the needs of innovation and economic growth.

The Promise and Challenges of APRA

In the United States Congress, the nation’s first comprehensive federal privacy law is at major crossroads amidst debates and concerns from industry and civil liberties advocates alike. The American Privacy Rights Act (APRA) is the much-anticipated U.S. regulatory regime which aims to “put people in control of their own personal data” and “eliminate the patchwork of state laws” through a unified privacy standard. The debates and concerns raised by stakeholders across industry and civil society offer an insight into the defining challenges of future-proofing policy for emerging technologies. As businesses become increasingly data-driven and multi-national, the implications of APRA are transformative for a wide range of industries and individuals. StatePatchwork Blog image potrait.

APRA arrives at a critical juncture ahead of coming decisions on AI governance. This timing positions APRA to both overhaul existing state data and privacy policies and establish an influential framework for future U.S. AI regulation. The preemptive nature of the federal legislation and the convergence of privacy policy with artificial intelligence policy are the two main challenges in enacting this comprehensive technology regulation.

Preemptive Federal Technology Policy

In lieu of a federal policy, many U.S. states have enacted their own laws to protect citizens from privacy violations amidst specific digital emerging technologies– for example, the laws protecting AI regulation in Colorado, internet privacy in Maine, healthcare and tenant privacy in New York, and biometric privacy in Illinois.  As of June 2024, 19 states have their own privacy legislation. As APRA is characteristically preemptive, if it is passed it will supersede respective state-established regulations. Because some states have already granted more specific or more protective rights than APRA is set to pursue, privacy advocates have raised that this bill would be walking back privacy rights for citizens in those states. Further, critics of the preemptive approach are concerned this will obstruct states from responding to emerging technology developments and public sentiment, therefore, “freezing further action.” At the same time, a coalition of industry groups, including the U.S. Chamber of Commerce, are conversely concerned that the legislation won’t be adequate in preventing states from further regulating on top of the national standard, destroying the standardized vision of regulation which the APRA aims to serve. This tension grapples with the balance between preserving a responsive agility to technology regulation and establishing a stable cohesive regulatory landscape for companies to operate across locales.

The convergence of privacy and AI

Privacy principles have often served as one of many pillars in upholding responsible technology frameworks, yet recently, they are playing an increasingly central role in conceptualizing the risks of data-driven technologies like artificial intelligence. The blending of AI and privacy principles in policy is an important alignment, but differences in terminology and key concepts between these two communities can fracture potential effective implementations.

The APRA draft had directly engaged with AI regulation in a section on “covered algorithms”, which referred to automated decision-making algorithms. APRA used the new terminology of “covered data” to discuss personal or individualized data. This departure from terminology used in other state laws or comparative global standards like the GDPR introduces APRA-specific nuance to privacy regulation. According to the APRA draft, “covered data” is “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.” Experts have noted the leeway this affords, as under this definition, covered data can likely include derived or inferred data, which is especially relevant for advertising technology and artificial intelligence as they often rely on new data generated on previously collected data.

The bill’s stance on data minimization also exemplifies the unsaid convergence of privacy and AI frameworks and impacts in the proposed regulation. While the section on data minimization does not directly mention AI, it will have a directly relevant impact on whether algorithms can be trained on sensitive data which was originally collected for other purposes. The data minimization provisions assert that businesses should not process data “beyond what is necessary, proportionate, and limited to provide or maintain a specific product or service.” Interestingly, just this week, OECD has brought forth considerations to align the two adjacent approaches and harmonize AI’s advancements with privacy principles, such as, fairness, transparency and data protection.

APRA stands at a pivotal point in the history of U.S. privacy legislation. Its passage could significantly reshape the regulatory landscape, harmonizing a patchwork of state laws into a unified federal standard. Yet APRA also faces considerable challenges. The tension between preserving state-specific protections and establishing a comprehensive federal policy underscores the complexity of preemptive federal technology regulation.

Moreover, the convergence of privacy and AI regulation within APRA introduces further complications. As privacy principles become increasingly central to the regulation of data-driven technologies, discrepancies in terminology and conceptual frameworks between privacy and AI communities pose significant obstacles.

The ongoing debates and concerns surrounding APRA illustrate the critical need for both multi-stakeholder approach and agile policy making to build societal consensus on emerging technology regulation.  As the U.S. approaches crucial decisions on AI governance, APRA’s role in setting a precedent for comprehensive technology regulation cannot be understated. Engaging diverse stakeholders iteratively in this dialogue will be vital for crafting effective and future-proof policies that balance the protection of individual rights with the needs of innovation and economic growth.

Related Blogs

Red Teaming

Last month, 28 countries and several industry stakeholders convened at the second iteration of the AI Safety Summit in Seoul, South Korea.

Read More
Scroll to Top