A national data privacy bill is gaining traction, but not everyone is yet on board
Major digital advertising regulation is finally getting traction in Congress, but advertising and consumer advocates alike say there are still plenty of kinks to sort out.
The U.S. House Energy & Commerce Committee voted on Wednesday to pass the American Data Privacy And Protection Act (ADPPA), which would have a widespread impact on how data can be collected, used and shared for marketing and other purposes. The bipartisan bill—which passed 53 to 2—marks the first time data privacy legislation has made it past the committee stage, despite years of efforts by top lawmakers on both sides of the political aisle.
Although there is not yet a timeline for next steps, the landmark legislation still needs to gain the support of key members of the House and the U.S. Senate. However, industry groups said changes are needed while privacy advocates look to prevent the federal law or states’ equivalents from being watered down.
Key aspects of the ADPPA include requiring companies covered by the bill to only collect and use data that is “reasonably necessary, proportionate, and limited” for their business and also to let people turn off targeted ads. The bill would also ban targeted ads for children, limit companies from profiting from sensitive topics—including health, race, religion, finances, and precise location data—and give more enforcement powers to federal and state officials, while also giving consumers the right to sue companies over data privacy matters.
Since 2018, Democrat and Republican lawmakers have tried to pass data privacy legislation after the Cambridge Analytica scandal shed light on the range of ways consumers often unwittingly share their personal data. Until now, no bill has gained traction in Congress, prompting five states—California, Colorado, Utah, Connecticut and Virginia—to pass their own limits on data collection and usage. While privacy advocates have pushed for a U.S. law applied equally across the country, state-led initiatives have prompted companies and trade groups to push for ending what they describe as a “patchwork” approach to regulation.
Complexities lead lawmakers to differing paths
Despite the major milestone, there’s no guarantee the ADPPA will become law. Key members of the U.S. Senate have yet to express a willingness to support it and some House members that voted to move the bill forward said they wouldn’t necessarily approve it on the House floor. Issues that still need to be hashed out include whether to create regulations around forced arbitration and how federal law would pre-empt strong privacy laws in states such as California. (The two committee members that voted against the bill were both Democrats from California: U.S. Representatives Anna Eshoo and Nanette Barragan.)
Others expressed an urgency to pass national legislation during the current congressional session. In her remarks during the hearing, U.S. Rep. Jan Schakowsky said the legislation is “groundbreaking.” However, she added that it’s “not the bill I would have written in my perfect world, but we have a mandate to move forward.
“This legislation will for the first time in our history create fundamental digital privacy rights for all Americans,” Schakowsky said.
Consumer advocates said the ADPPA will help transfer the responsibility of data privacy from consumers to corporations while also requiring more transparency about companies’ practices across the online data ecosystem. Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, said the ADPPA “is not a perfect bill,” but that it offers a number of new protections to consumers.
“Part of the big problem with online privacy these days is that the ecosystem is so complex that people can’t even truly grasp what happens with every little tiny bit of data our phones are generating about us, everyone online search is generating about us,” Fitzgerald said. “…There are so many third parties that the vast majority of Americans simply can’t grasp the impacts of that and the breadth of that.”
Advertising trade groups have been pushing for federal privacy legislation for years and have so far endorsed the direction of the ADPPA. However, some say updates made this week create new disagreements. Ahead of the hearing, the Interactive Advertising Bureau and other organizations sent a letter to lawmakers saying the way sensitive data is defined was “overly broad and poorly constructed.”
“If you lose the ability to reach people based on what they’re interested in, you end up getting billboard ads,” said Lartease Tiffith, executive vice president of public policy at the IAB.
Big Tech is drawing big scrutiny
Tech giants are facing increased pressure on a number of fronts. U.S. and European lawmakers are also considering new antitrust regulations while federal agencies are putting pressure in other ways. On Monday, Federal Communications Commission chairwoman Jessica Rosenworcel sent letters to 15 top mobile carriers including Verizon and AT&T requesting information about how they collect and protect location-based data.
Last week, the Federal Trade Commission said it is “committed to fully enforcing” laws related to the illegal use of sensitive data and warned the tech industry against deceptive claims about “anonymized data” that’s actually identifiable.
Other aspects of the ADPPA would create more transparency and restrictions around third-party data, especially for companies that are in the so-called category of “data brokers.” For example, brokers would be required to register their company on a public database as well as a “do not collect” registry similar to a “do not call” list used for avoiding robocalls.
Advertisers would still be able to largely use first-party data for ad-targeting under the proposed regulations. However, some ad industry execs think the bill could give more power to giants like Google, Facebook and Amazon. On the other hand, some privacy advocates are worried about loopholes related to regulating data brokers and enforcing regulations for telecommunications companies. Others with concerns include a group of 10 state attorneys general, who co-signed a letter calling on Congress to adopt privacy legislation that “sets a federal floor, not a ceiling.”
Privacy advocates say the changes shouldn’t be a surprise for the industry and might not affect companies already keeping up with compliance related to other data privacy legislation in the European Union and with state laws like California’s. However, some lawyers representing parts of the tech industry say there are still key differences.
“I see this as comparing apples and kiwis,” said Mark Brennan, an attorney leading the global tech and telecommunications practice at the law firm Hogan Lovells. “They’re in the same category of regulation but when you get down to it, they’re going to taste very different.”