Yesterday, the US House Committee on Energy and Commerce voted to pass the country’s first comprehensive privacy bill, the American Data Privacy and Protection Act. This is a milestone as the bill moves through the legislative process. For marketers who don’t have time to read 132 pages, we’ve broken down the key takeaways.
What Is This Bill?
The American Data Privacy and Protection Act (ADPPA) was first introduced last month. Drafted by Sen. Roger Wicker (R-MS), Rep. Frank Pallone (D-NJ), and Rep. Cathy McMorris Rodgers (R-WA), the bill is off to a strong start. It was authored by lawmakers from both sides of the aisle and both chambers of Congress. In short, it reflects a wider range of perspectives than earlier bills, some of which were longshots from the get go, such as the Banning Surveillance Advertising Act.
Next, the bill is moving out of committee and onto the House floor (here’s a quick reminder of the US lawmaking process). It still has numerous points of contention, such as the existence of or limitations to a private right to action, significant exemptions for sharing data with law enforcement, and preemption over existing state laws. There will be many negotiations ahead — but the heart of the bill and its aim to protect consumer privacy is something all marketers must acknowledge.
What Do Marketers Need To Know?
The bill outlines many requirements for businesses. Keeping in mind that it is a living document and subject to amendments and revisions, here are the current key takeaways for marketers specifically:
- Individuals will get new rights — to access, correct, delete, or port their data and opt out of targeted advertising. The data subject rights from the GDPR made their way to California and are now being considered for everyone in the US. The right to opt out of targeted advertising is similar to CPRA’s “Do not share my information” guidance, but the specifics on how this would work practically aren’t fully baked.
- Geolocation sharing requires express consent. If an app wants to share a user’s precise geolocation with a third party, the user has to give opt-in consent. This is a huge step for protecting consumers’ privacy, as anonymizing geolocation data is virtually impossible.
- Consent requirements look a lot more like GDPR. When consent is required to collect or process consumer data, this consent must be clear and affirmative — meaning no passive consent. The bill also calls out deceptive design (aka dark patterns) as invalid.
- The definition of sensitive data broadens. The bill expands on the California Privacy Rights Act’s definition of sensitive data. It has the usual suspects but also includes precise geolocation, private communications (emails, texts, DMs, etc.), and information “identifying an individual’s online activities over time and across third-party websites of online services.”
- Targeted advertising is defined murkily. This definition is a contentious one, as “first-party advertising” is based on a store visit, product purchase, or site visit — so theoretically could be defined so broadly as to include retargeting. This will likely evolve as the bill progresses. Unique identifiers include device IDs, IP addresses, or cookies.
- There are specific requirements for data brokers and “large data holders.” Data brokers would have to register with a federal registry (inspired by Vermont’s data broker registry law) and honor consumer opt-outs handled by the registry. Large data holders (revenue of $250 million or more that collect, process, or transfer data on 5-million-plus individuals or devices) have additional requirements, such as conducting privacy impact assessments.
What Do Marketers Need To Do?
Rather than wait and see what happens with the bill, marketers must read the writing on the wall. Whether it be the death of the third-party cookie or a new law that puts in new consent requirements, the steady drumbeat of data deprecation continues. Marketers must act now to identify opportunities where they can be more transparent with consumers about what data they’re collecting and why (in a way that is not buried in legalese). And they must identify opportunities to not capture data at all.
If you want to learn more about the impact of current/pending privacy legislation on your marketing strategy, schedule a guidance session. And stay tuned for new tools that will help you understand the impact that Apple and browser privacy features have on marketing strategies.