Congress may actually pass ADPPA, the American Data Privacy and Protection Act: In the new version of the ADPPA, Butler said, certain types of targeting will be common, particularly targeting based on first-party data. If you shopped for shoes on Target.com, Target may still use that information to show you ads for shoes when you’re on another site. It can’t do that by matching your shopping history with everything you do on the web and on your phone, showing you ads for what you want. Facebook and Google can’t keep spying on you by placing trackers on almost every website or free app you use to create your profile for advertisers.
“If they’re tracking your activity on third-party websites, sure, that’s sensitive data, and they can’t process it for the purpose of targeted advertising,” Butler said.
While the new bill would still allow targeted advertising, it would require companies to give consumers the right to opt-out — a trick companies often use to click “accept all cookies” under the GDPR. And directs the Federal Trade Commission to create a standard for universal opt-out that companies must respect, meaning consumers can opt out of all targeted ads with a single click. (This is an important feature of California’s recently passed privacy law.)
The ad industry seems to agree that the bill represents a fundamental shift. Yesterday, the Association of National Advertisers, a trade group, released a statement opposing the bill on the grounds that it “prohibits companies from collecting and using basic demographic and online activity data for general and responsible advertising purposes.”
Apart from its data-minimization approach, the new bill contains many provisions long sought by data privacy experts, including transparency standards, anti-discrimination rules, increased oversight for data brokers and new cybersecurity requirements.
Federal privacy law has been something of a white whale in DC over the past few years. As of 2019, a bilateral agreement is just around the corner. The effort has stalled as Democrats and Republicans are divided on two key issues: whether the federal bill preempts state privacy laws and whether it creates a “private right of action” that would allow individuals to sue companies for violations, not just the government. . Democrats are generally against preemption and Republicans are in favor of a private right to take adverse action.
The new bill represents a long-sought compromise on those issues. It preempts state laws, but with some exceptions. (Notably, it authorizes California’s newest privacy agency to enforce the ADPPA in the state.) And it includes a limited private right of action with limits on the damages that individuals can sue.
There are inevitably other flaws in the bill. Requiring a universal opt-out is nice, but it won’t mean much until the major browsers, especially Chrome and Safari, add the feature. The bill gives the FTC new authority to issue regulations and enforce them, but it doesn’t give new resources to the agency, which already lacks the staff and funds to handle everything on its plate.