Private Rights of Action in US Privacy Legislation

Additional Insights

• Enacted Federal Statutes with PRA (Chart)

The discussion draft of the American Privacy Rights Act has set the privacy community abuzz. At the heart of the draft is one of the most politically charged topics in privacy legislation: the inclusion of a private right of action. In the press release introducing the draft bipartisan, bicameral bill, U.S. Rep. Cathy McMorris Rodgers, R-Wash., and Sen. Maria Cantwell, D-Wash., were adamant that robust enforcement mechanisms that "give consumers the ability to enforce (privacy rights)" are necessary in a federal data privacy law. However, another stakeholder, Sen. Ted Cruz, R-Texas, the ranking member of the Senate Committee on Commerce, Science and Transportation, publicly wrote he "cannot support any data privacy bill that empowers trial lawyers" in a post on X. PRAs have a rich history in legislation and regulations. Although now considered more controversial, they have been employed in federal legislation in the U.S. for over a century. The more recent political debates concerning PRA inclusion in privacy, data and technology legislation sparked an uptick in research that seeks to examine their history and opine on their effectiveness. This article examines the enforcement provisions contained in the revised discussion draft of the APRA, as released 9 April.

What are PRAs?

Broadly, U.S. legislation is primarily focused on after-the-fact, or ex-post, enforcement. Compared to regulatory schemes that aim to regulate before a harm occurs, after-the-fact enforcement regulates by placing repercussions on a violator for failure to comply with an applicable law or regulation after a violation or harm occurs. The main enforcement mechanisms under this ex-post regulatory structure are public enforcement, private enforcement or a hybrid of both.