Proposed US federal privacy bill, which would limit ad targeting, ‘has legs’

Led by Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA), the discussion draft bill, dubbed the American Privacy Rights Act (APRA), proposes national standards on the collection, use and transfer of consumer data online.

If enacted, APRA would mandate that companies collect only necessary data about consumers, empower consumers to access, delete and move their data between digital services and enable users to opt out of certain data practices, including targeted advertising.

The lawmakers said in a joint statement that the proposal represents the culmination of a years-long push to come to an agreement on data privacy at the federal level.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information … It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress,” they said.

A bombshell in adland

If enacted, the legislation would have significant impacts on the digital advertising ecosystem.

Beyond enabling users to opt out of targeted advertising, APRA also requires affirmative, express consent to transfer personal data to third parties.

“This could have massive implications for the adtech ecosystem and have a disproportionate impact on social media ad networks versus [digital platforms] operated by other companies,” says Marci Rozen, a data security attorney and the legal director at DC-based firm ZwillGen.

What’s more, APRA would establish a national registry of data brokers and require these companies to give consumers the choice to opt out of having their data sold.

Additionally, the bill expands the definition of ‘sensitive data’ beyond that outlined in existing state-level laws to include “information revealing an individual’s online activities over time and across websites or online services that do not share common branding or over time operated by a high-impact social media company.” This provision could potentially limit companies’ ability to track user-level behavior across apps.

However, this broad definition of ‘sensitive data’ might spark adtech workarounds, predicts Arielle Garcia, consultant, advisor, fractional chief privacy officer at ASG Solutions and the former chief privacy officer at IPG’s UM Worldwide. “This will likely revive the ‘everyone is a service provider’ approach that adtech companies took to avoid honoring opt-outs before the California Consumer Privacy Act closed the loophole,” she says. “Under ARPA,” for instance, “data brokers aren’t data brokers when they’re acting as ‘service providers.’”

The bill’s exemption for de-identified data, or information about an individual that isn’t linked to direct or indirect identifiers about who the person is, “leaves room for edge-skirting” in adtech, Garcia says. For example, “adtech companies will likely claim that browsing data, audience segments or hashed identifiers don’t qualify as ‘reasonably linkable’ to a person or device until told otherwise.”

Garcia says that the enactment of APRA might also have “indirect impacts” as a result of the industry’s interpretation of its various provisions. For instance, the ability to opt out of data transfers and targeted advertising is likely to impede targeting and addressability at large.

However, while digital advertisers are likely to face a swath of new challenges under an APRA regime, the silver lining is that compliance with a single federal law is likely to be, in some ways, much simpler than the complex patchwork of state-level privacy laws they’re currently forced to navigate.

As Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), puts it: “Online advertisers may actually find that even with a higher hurdle to clear, that a consistent national standard that is predictable, understandable and provides strong guardrails and rules of the road for them to operate, is a vastly preferable situation than the current unease and the really complex risk environment that they operate in today.”

For context, Maryland this week became the 16th state to pass comprehensive privacy legislation in the US. Laws across states, including California, Colorado, Washington, Virginia and others, vary in their provisions.

Broadly speaking, the bill’s focus on limiting the ad industry’s reach, Garcia says, “underscores the need [for the digital advertising industry] to rebuild consumer trust through less invasive, less disruptive advertising experiences.”

Gauging APRA’s chances at success

Some experts believe that the APRA is more likely to succeed than the bill’s predecessor, the American Data Privacy and Protection Act (ADPPA), which was introduced in 2021.

Though the ADPPA garnered decent bipartisan support, it sputtered out in committee. One key hurdle to its advancement was pushback from lawmakers in states with comprehensive privacy legislation in place, like California, who worried that a federal law would preempt state laws and hamper states’ enforcement authority. California regulators were also concerned about the ADPPA’s lack of an opt-out mechanism for automated decision-making.

Among the critics who initially voiced such concerns was Maria Cantwell, the Senator who is now sponsoring the APRA – suggesting that significant structural changes have been built into this bill. It’s true: while APRA largely preempts various state privacy laws, it would allow some specific state rules to remain intact. Plus, APRA includes a private right of action, or the ability for consumers to sue companies for violating their data privacy rights and forbids companies from enforcing mandatory arbitration. It also includes an opt-out for automated decision-making.

The private right of action, in particular, which allows individuals to seek monetary damages as well as attorneys’ fees for APRA violations, ZwillGen’s Rozen says, is “a key concession to liberals.”

Some experts say that bridging some preemption and arbitration gaps is likely to give APRA a better chance of advancement than previous efforts to codify privacy laws at the federal level (although ongoing debate about federal preemption across party lines is expected).

“My impression within the privacy community is that there is more buzz about this bill than the ADPPA, and people seem to think it has a better chance of passing because of the compromise on the preemption and private right of action point,” says Rozen.

The assessment is shared by the IAPP’s Hughes. But there are also a number of what Hughes calls relevant “environmental factors” likely to benefit the APRA’s prospects.

One is its timing – the proposal arrives as the 2024 US presidential election cycle begins to heat up. “[We’re] very close to the frenetic cycle of campaigning and fundraising that leads up to a presidential election,” Hughes says. “It would be odd to introduce a bill and essentially use political capital and time and energy if you didn’t think it had a very good chance of getting across the finish line.”

Another critical environmental factor, Hughes says, is federal lawmakers’ growing appetite to regulate digital platforms and emerging technology.

For one, the growing risks of AI are catching lawmakers’ attention; in late 2022, following the release of OpenAI’s ChatGPT, the Biden White House published a proposed blueprint for an AI Bill of Rights in the US. Meanwhile, at least 12 states have taken it upon themselves to establish new AI laws.

An additional key policy priority is restricting the transfer of data to foreign entities – China has posed particular concern to lawmakers due to the widespread popularity of TikTok, which is owned by Chinese company ByteDance. A bill designed to force ByteDance to divest TikTok within six months or face a nationwide ban in the US advanced to the House floor last month.

A final related concern among lawmakers is children’s online privacy and safety. The CEOs of five leading social media platforms – Meta, TikTok, X, Snap and Discord – testified before lawmakers in a wide-ranging Congressional hearing in January. They answered lawmakers’ questions about everything from content moderation and teen mental health to combating child sexual exploitation online.

Many of the concerns raised by policymakers around AI, data transfers to foreign entities and children’s online safety, Hughes suggests, might be solved with a robust data privacy framework like the APRA. “It’s cool to want to do digital policy work in those areas, but if you don’t have privacy legislation as a baseline, as a foundational support, you’re kind of putting the cart before the horse.”

Of course, despite bipartisan support and efforts to expedite the legislative process, the fate of ARPA remains uncertain, especially in light of impending elections and potential opposition from state leaders affected by potential federal preemption. Nonetheless, proponents view the bill as a significant step toward establishing robust privacy standards in the digital age.

There’s a lot of evidence “[to] suggest that this bill has legs, that it’s viable,” Hughes says. “It would not be introduced unless there were very good reasons to think that we might see national privacy legislation in the US.”

As it stands, over 130 countries have national privacy legislation in place, covering nearly 80% of the world’s population. The US remains an outlier.

“For the largest economy in the world, for the leading technological exporter in the world, to not have national privacy legislation is very notable,” Hughes says. “Everyone expects that it will be rectified at some point. The question has always been, ‘When will the political stars align?’ This very well may be that moment.”

For more, sign up for The Drum’s daily newsletter here.