Under the new version of the ADPPA, Butler says, some forms of targeting would remain common, particularly targeting based on first-party data. If you shop for shoes on Target.com, Target could still use that information to show you ads for shoes when you’re on another site. What it wouldn’t be able to do is match your shopping history with everything else you do on the web and on your phone to show you ads for stuff you’ve never told them you wanted. Nor could Facebook and Google continue to spy on you by placing trackers on nearly every website or free app you use, in order to build a profile of you for advertisers.
“If they’re tracking your activity across third-party websites, which they certainly are, then that’s sensitive data, and they can’t be processing that for targeted advertising purpose,” says Butler.
To the extent that the new bill would still allow targeted advertising, it would require companies to give users the right to opt out—while prohibiting the sorts of tricks that companies often use to nudge users to click “Accept all cookies” under the GDPR. And it would direct the Federal Trade Commission to create a standard for a universal opt-out that companies would have to honor, meaning users could decline all targeted advertising in one click. (That’s an important feature of California’s recently adopted privacy law.)
The ad industry seems to agree that the bill would mark a fundamental shift. Yesterday, the Association of National Advertisers, a trade group, issued a statement opposing the bill on the grounds that it would “prohibit companies from collecting and using basic demographic and online activity data for typical and responsible advertising purposes.”
Apart from its data-minimization approach, the new bill contains quite a lot of provisions that data privacy experts have long called for, including transparency standards, anti-discrimination rules, increased oversight for data brokers, and new cybersecurity requirements.
Federal privacy legislation has been something of a white whale in DC over the last few years. Since 2019, a bipartisan agreement has supposedly been just around the corner. The effort kept stalling because Democrats and Republicans were divided on two key issues: whether a federal bill should preempt state privacy laws, and whether it should create a “private right of action” allowing individuals, not just the government, to sue companies for violations. Democrats are generally against preemption and in favor of a private right of action, Republicans the reverse.
The new bill represents a long-sought compromise on those issues. It preempts state laws, but with some exceptions. (Most notably, it empowers California’s brand-new privacy agency to enforce the ADPPA within the state.) And it contains a limited private right of action, with restrictions on the damages that people can sue for.
The bill has other shortcomings, inevitably. The universal opt-out requirement is nice, but it won’t mean much until the largest browsers, especially Chrome and Safari, add the feature. The bill gives the FTC new authority to issue rules and enforce them, but it doesn’t direct any new resources to the agency, which already lacks the staff and funding to handle everything on its plate.