Consumer data is still a prime target for threat actors, and organizational consumption of data must be aligned to protect it. The new rights act seeks to do some of this, but it still needs tweaking.
COMMENTARY
The American Privacy Rights Act of 2024 (APRA) is the most comprehensive proposed national legislation defining privacy for Americans to date — something that historically has meant difficulties in federal approval. We're looking at legislation that holds organizations accountable at a level we've not yet seen. With APRA, these companies will need:
- Annual CEO-signed certification of compliance
- Mandated reporting lines for privacy and security officers (You can't have a figurehead chief privacy officer with no reports or budget.)
- To conduct biennial audits and Privacy Impact Assessments (PIAs)
- To publish the privacy policies for the past 10 years and deliver annual reports on consumer requests related to privacy
There's a reason why the United States has not passed any comprehensive data privacy laws in recent history: Companies largely monetize consumer data. Data is profitable, and restricting that cash flow would have economic ripple effects. However, while well-intentioned, APRA does warrant some scrutiny. Notably, its Civil Rights and Algorithm section lacks concern about transparency and ethics.
_Brain_light_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop)
