Revised Version of APRA Advances Out of U.S. House Subcommittee

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Revised Version of APRA Advances Out of U.S. House Subcommittee

A new version of the draft American Privacy Rights Act of 2024 (APRA), a proposed national comprehensive privacy law, was published Tuesday and then passed out of the Innovation, Data and Commerce Subcommittee. The bill will now advance to the full House Energy and Commerce Committee.

TAKEAWAY

The new version of APRA maintains the same general structure as the original draft, but with several revisions. One notable change is that a clarification was added to the data minimization exception regarding targeted advertising, which excludes “sensitive covered data” (i.e., the data minimization requirements do not prohibit use of data for targeted advertising, except with respect to sensitive covered data). This created an inconsistency in the original draft, because the definition of “sensitive covered data” included “data collected over time and across websites or online services that do not share common branding or over time on any website or online service operated by a covered high-impact social media company”, which essentially describes third-party targeted advertising. The updated draft added a clarification that the exception to data minimization for targeted advertising excludes “sensitive covered data (other than covered data collected over time and across websites or online services that do not share common branding or over time on any website or online service operated by a covered high-impact social media company)”, meaning that the data minimization requirements do not prohibit or require opt-in consent for targeted advertising, as long as it does not involve other forms of sensitive covered data and the individual has not opted out. 

Europe

European Council Gives Final Approval for EU AI Act Adoption

A final version of the EU AI Act has been approved by the European Council, meaning that, once published (expected within the next month), a clock for the law’s phased application will begin. Certain provisions (banning certain “unacceptable” AI systems, such as those involving cognitive behavioral manipulation and social scoring, and regulating general purpose AI) will apply 6 months and 1 year after publication, respectively, while most provisions will apply 2 years after publication, and some restrictions on AI developed in the US and sold to the EU will apply 3 years after publication. 

TAKEAWAY

For most businesses involved in limited-risk AI use, the primary obligation under the EU AI Act will be transparency (ensuring, for example, that users are informed or aware that they are interacting with an AI system and that outputs are marked as artificially generated or manipulated). Additional requirements and restrictions will apply to use, development and deployment of higher-risk AI, including implementation of certain risk-management, data governance, documentation, record-keeping, human oversight, cybersecurity and notification requirements. Providers of general-purpose AI models will be subject to certain documentation, policy and disclosure requirements regarding, for example, the capabilities and limitations of the AI model and the content used for training, will be required to designate a representative to perform certain tasks, and, if systemic risk is involved, will be required to perform certain additional evaluations, assessments and reports and apply additional cybersecurity protections.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.