It’s a shame Rep. Cathy McMorris Rodgers (R-Wash.) and Sen. Maria Cantwell (D-Wash.) didn’t release their proposal for a comprehensive federal privacy law three days earlier than they did.
If they had, it would’ve made a SeaWorld front row soak zone-style splash at the largest annual gathering of privacy professionals in the world.
But, as it happened, the IAPP’s Global Privacy Summit in Washington, DC, wrapped on a Thursday (April 4), and the draft dropped on Sunday.
Not that the proposed American Privacy Rights Act (APRA) didn’t make a helluva splash anyway. It’s the first serious attempt at a compromise to pass national privacy legislation since the American Data Privacy and Protection Act (ADPPA) failed to advance last year.
There are key similarities and differences between the APRA and the ADPPA, says Keir Lamont, director for US legislation at privacy-focused nonprofit and think tank Future of Privacy Forum.
The APRA, like its predecessor, would give consumers the right to access, correct, delete and export their data – table stakes at this point – plus the option to opt out of targeted advertising. But businesses would also be required to get an affirmative opt-in for collecting and sharing sensitive data with third parties.
And that brings up questions, like what exactly counts as “sensitive data”? (More on that below.) And will the same sticking points that stalled the ADPPA – preemption and a private right of action – stand in the way of APRA?
Time will tell, but it’s worth pointing out that lawmakers on both sides of the aisle appear highly motivated to push a comprehensive federal data privacy law across the finish line.
“I’m fired up – we’ve got to get this done,” declared Rep. Gus Bilirakis (R-Fla.) during a congressional subcommittee hearing last week where APRA was a big topic of discussion.
Still, it’s a little premature to buy party hats and noisemakers. The odds of the ARPA passing aren’t great during an election year. But it’s worth getting clued in on what’s in the draft and what it could mean for digital advertising.
I spoke with Lamont and Tatiana Rice, senior counsel for the Future of Privacy Forum’s US legislation team, for a quick crash course.
AdExchanger: Make me dangerous at a cocktail party where the topic is the APRA and most of the people there work in the online ad industry.
KEIR LAMONT: The main point that’s gotten a lot of attention is that the bill would create certain opt-out rights with respect to the use of personal data for targeted advertising. It’s a familiar model we’ve seen in state privacy laws and other jurisdictions across the globe.
Where this bill goes significantly further is how heavily it leans into the concept of data minimization, whereby a business could only collect and use personal information if it’s reasonably necessary to provide a requested product or service, or if it’s for a “permitted purpose,” such as maintaining data security.
And what could that mean for online advertising?
LAMONT: There is language in the bill that recognizes contextual and targeted advertising as a permitted purpose, as long as it doesn’t use sensitive data. What’s interesting is that sensitive data is defined very broadly under the APRA and includes personal information collected across devices and unaffiliated websites.
That would mean the data used for most targeted advertising today may not be permissible in future. But this is a discussion draft. I imagine conversations will continue and the language will likely be modified and amended if the bill is ultimately introduced.
I can’t go two minutes without getting a pitch in my inbox about a new generative AI startup or an ad tech company that wants to talk to AdExchanger about its AI-powered whatever. What does the APRA say about AI and algorithmic design?
TATIANA RICE: There are specific sections that relate to AI and algorithms, but it’s worth noting data privacy and protection would theoretically apply to all the provisions, meaning any time you use personal data for training an AI system.
Section 14 has to do with civil rights and algorithms, and says you can’t process personal data for use in an AI system if it results in discrimination.
Consumers also have the right to opt out of AI that is used for what’s referred to as “consequential decisions,” and the language includes a reference to advertising. That could apply to ads related to important life decisions, like employment, housing or other areas covered by civil rights laws.
Could a suppression list, which is a common online advertising practice, count as discrimination under the law?
RICE: There is an exclusion for advertising to underrepresented populations. But if there was some way to prove that an exclusion list was primarily focused on a certain protected class, there could be an argument there. It’s not clear right now. There are a lot of details that still need to be hammered out.
The APRA has, of course, triggered lobbying activity, including by ad trade organizations. Has the online ad industry and its trade orgs conflated restrictions on data collection with the supposed end of advertising?
RICE: There should be ethical limits on how data is used for advertising and everyone is moving in that direction: the FTC, US states and different countries. We would never say that advertising is bad by any means, but there will need to be a conversation about what advertising looks like in the future.
What’s your under/over on whether the APRA makes it to a vote and eventually gets passed into law? Not sure if you’re betting people …
LAMONT: We’re not! I mean, look, we’re only at the outset of what would be a very long legislative process.
I’ll say this: I was on a panel about federal privacy legislation at the IAPP conference and I said that I don’t see it happening this year – and then, just a couple of days later, this really significant bill drops! I’m probably the worst person to ask.
This interview has been lightly edited and condensed.
🙏 Thanks for reading! As always, feel free to drop me a line at [email protected] with any comments or feedback. And here’s some live footage of an ad tech executive explaining how their company’s AI-powered cookieless first-party data-infused alternative identity solution works.