Under the new version of the ADPPA, Butler says, some forms of targeting would remain common, especially targeting based on first-party data. If you buy shoes on Target.com, Target may still use that information to show you ads for shoes when you’re on another site. What it couldn’t do is link your shopping history to everything else you do on the web and on your phone to show you ads for things you never told them you wanted. Nor could Facebook and Google continue to spy on you by putting trackers on almost every website or free app you use to build a profile of you for advertisers.
“If they’re tracking your activity on third-party websites, which they certainly are, that’s sensitive data and they can’t process it for targeted advertising purposes,” Butler says.
To the extent that the new bill still allows targeted advertising, it would oblige companies to give users the right to opt out, while prohibiting the kind of tricks companies often use to urge users to click “Accept all cookies” under the GDPR. And it would instruct the Federal Trade Commission to create a universal opt-out standard that businesses should respect, meaning users can opt out of all targeted ads with one click. (That’s a key feature of California’s recently passed privacy law.)
The ad industry seems to agree that the bill would represent a fundamental shift. Yesterday, the Association of National Advertisers, a trade group, issued a statement against the bill on the grounds that it would “prohibit companies from collecting and using demographic and online activity data for typical and responsible advertising purposes.”
Aside from the data minimization approach, the new bill includes quite a few provisions that data privacy experts have long called for, including transparency standards, anti-discrimination rules, increased oversight for data brokers, and new cybersecurity requirements.
Federal privacy law has been something of a white whale in DC for the past few years. Since 2019, a bipartisan agreement has been said to be just around the corner. The effort stalled because Democrats and Republicans were divided over two key issues: whether a federal law should take precedence over state privacy laws, and whether it should create a “private right of action” that would allow individuals, not just the government, to sue companies for violations. Democrats are generally against pre-emption and for a private right of action; Republicans the opposite.
The new bill represents a long-sought compromise on these issues. It pre-empts state laws, but with some exceptions. (Most notably, it allows California’s brand new privacy agency to enforce the ADPPA within the state.) And it includes a limited private right of action, with limits on the damages people can sue for.
The bill inevitably has other shortcomings. The universal opt-out requirement is nice, but it won’t mean much until the major browsers, especially Chrome and Safari, add the feature. The bill gives the FTC new powers to make and enforce rules, but it doesn’t direct new resources to the agency, which lacks the staff and funding to handle everything on its plate.