Jun 4 2024
Derek Zolner

The APRA: What Advertisers Need to Know


Derek Zolner is Basis Technologies’ General Counsel. Here, he offers insights into the draft APRA legislation and its potential impact on digital advertising.

Since its introduction in early April, the American Privacy Rights Act (APRA) has generated significant buzz due to its potential implications for the digital advertising industry in the United States. This proposed federal legislation aims to establish the first generally applicable national data privacy framework and represents Congress’ best chance yet to pass such a law, given that it appears to have both bicameral and bipartisan support.

It’s unclear, however, whether this legislation will escape the congressional purgatory where previous attempts at a federal data privacy framework have stalled. And the fact that it is moving through the legislative process during an election year could either help or hinder its progress, depending on how it aligns with key players’ legislative priorities.

Despite these uncertainties, the bill’s initial hearing in front of the House Energy and Commerce Committee garnered significant praise from witnesses and members of the Committee on both sides of the aisle. And the bill’s sponsors have described this draft legislation as “the best opportunity we’ve had in decades to establish a national data privacy and security standard.”

Given its potential to change both how digital advertising teams collect and utilize data and how audiences can control their personal data, it’s worth unpacking the APRA in its current form and examining its potential wider impacts on the digital advertising industry.

Key Components of the APRA

Establishes National Data Privacy Standards

The APRA has the potential to truly change the landscape of data privacy in the US, as it would represent the first federal, comprehensive privacy act. Though there are currently sector-specific privacy laws, such as HIPAA for the healthcare industry and the Gramm-Leach-Bliley Act (GLBA) in financial services, the US has yet to enact a national data privacy framework that would be applicable to most businesses. Digital advertisers today are left navigating these sector-specific laws, alongside a varying patchwork of state-level data privacy laws.

The APRA would change that, establishing federal guidelines for how consumers’ personal online data can be collected and used, as well as what actions consumers can take when their data is misused. Much of the draft legislation mirrors what we currently see in state-level laws, such as the CCPA, which allow consumers to ask companies what personal information they have about them and how they are using it. These state laws also give consumers the right to correct that data, to delete it, or to opt out of its use in certain ways. The APRA includes similar consumer access and data rights provisions.

Unlike state laws such as the CCPA, which only permit private lawsuits in case of data breaches or provide no private right of action at all, the APRA would allow individuals to sue for any violation of the act. For instance, if a company fails to honor a California consumer’s personal data access request, that consumer cannot sue the company for its failure to do so. If the APRA were passed in its current form, however, that consumer would be able to pursue direct legal action against the company. As such, this inclusion of a private right of action for any violation of the APRA represents a significant and potentially costly shift, as it expands the range of circumstances in which individuals can pursue legal action against companies.

Expands Data Security and Reporting Requirements

Beyond these consumer access and rights features, the APRA has an added focus on large social media companies and companies that process large volumes of personal data. Tech behemoths such as Meta and Google would fall into this category, as well as many adtech companies that have DSPs, SSPs, and DMPs, all of which handle substantial amounts of personal data for ad targeting and optimization.

This section of the APRA is a novel feature, not previously seen in state laws or even comprehensive laws in other jurisdictions, like the GDPR. It outlines very specific and expanded data security and reporting requirements that address these companies’ data handling practices. These requirements include designating a data privacy officer and chief data security officer as well as new annual reporting obligations.

Preempts Existing State Privacy Regulations

Another notable feature of the APRA is its inclusion of a preemption provision, meaning that the APRA would preempt state laws that cover the same subject matter.

This is something that digital advertisers have long wanted: Instead of legal, data security, and privacy teams having 50 different state law compliance targets, the APRA would provide one comprehensive, standard law that would preempt any similar state laws. At the same time, its expanded scope would present a new compliance challenge in instances when the APRA would be stricter than the standards set by existing state-level laws. This would add an additional layer of complexity for digital advertisers who would have to adjust their practices to meet these new requirements.

Potential Impact on the Digital Advertising Landscape

What, then, could the APRA mean for digital advertisers?

While advertisers have speculated about the possibility of the bill banning targeted advertising in the US, a more probable scenario is the implementation of an express or implicit requirement for user opt-in regarding cross-site tracking and targeting. Currently, when a user visits a website and encounters a cookie consent banner, opting out often requires several steps. The APRA could simplify this process by requiring a banner with clear options like “accept all” or “reject all.”

In fact, technological barriers, such as browsers deprecating third-party cookies, play as big a part or bigger in the future of targeted advertising. Even if users are allowed to opt in under the APRA, if browsers are already blocking third-party cookies, then the “accept all” choice would be meaningless, because cookies aren’t supported.

So, while advertisers likely don’t have to worry about the APRA banning targeted advertising, the looming loss of cookies in Chrome remains. This means that advertising leaders should be exploring and embracing cookieless solutions, regardless of the outcome of this legislation.

Apart from the impact on cookies, adtech companies would also face increased data security and reporting requirements that would come into effect under the APRA, particularly for companies that would need to meet the obligations outlined for large data handlers. Beyond having to hire for new positions related to data security and privacy, these teams would also face a new compliance layer, including significant reporting requirements. And as with the GDPR, the APRA would require a host of new contracts or amendments with customers, partners, and vendors.

As with all new regulation, this will be a boon for lawyers and other professional advisors at a significant cost to companies trying to comply. Companies would need a meaningful opt-out mechanism and a solid process for allowing people to make data subject access requests. Teams would also have to prepare for more of these requests, since people in all 50 states, not just those with enacted privacy laws, would be able to make such requests.

Looking Ahead

In addition to representing what might be Congress’ most viable attempt yet at establishing a federal data privacy framework, the APRA’s development underscores the pressing need for industry-wide adaptation to an evolving regulatory landscape. While its fate remains uncertain, the potential implications of the APRA are undeniable and represent a pivotal opportunity for those in the digital advertising industry to embrace a privacy-centric approach to connecting with audiences.

