WTF is the American Privacy Rights Act

WTF is the APRA?

It would shake things up in advertising by forcing companies to scale down the amount of data they collect on people while also empowering them to manage, correct, and even export their own data. That control would also give them the power to say “no” to targeted ads and the transfer of their own data. Plus, they’d have the option to opt out of algorithms influencing major life decisions for them, like where they live or who they’re able to work for. And of course, there’s a big focus on beefing up security measures to keep everyone’s info safe and sound. Oh and don’t forget about dark patterns; companies would be barred from using these sneaky tactics to sway users away from exercising their newfound rights on privacy settings.

Wait, this sounds like the General Data Protection Regulation in Europe.

Yep, APRA is designed to mirror it. Just as the GDPR did across the pond, APRA would step in to supersede state privacy laws, with a few exceptions like civil rights and consumer protection.

How is this different than the California Consumer Privacy Act (CCPA)?

The CCPA is specific to the state, applying only to California businesses, APRA aims to become a federal privacy law applicable nationwide. Both laws grant rights such as access and deletion of personal data, but they diverge in terms of enforcement, scope, and definitions of personal information. CCPA zeroes in on California-based businesses and includes identifiers like IP addresses. In contrast, APRA’s details are still being ironed out, potentially preempting state laws and introducing federal enforcement. Essentially, APRA strives for a standardized approach to privacy protection across the entire U.S., while CCPA caters specifically to California and its unique regulations.

So APRA is a good thing right? 

Well, there are certainly some positives to consider. Standardizing compliance requirements for advertisers across the U.S., akin to what GDPR achieved in Europe, could lighten the compliance load for organizations. Before GDPR, dealing with state-specific privacy laws was like juggling multiple country-specific regulations in Europe, which made meeting all requirements a real challenge. This move could benefit both companies aiming to mitigate compliance risks and consumers alike.

Why does it feel like there’s a catch? 

Because there is. While the GDPR’s enforcement is mainly managed at the country level by data protection agencies, leading to some inconsistencies, APRA takes a different approach. It introduces a three-tier enforcement system involving the FTC, states, and individual actions. This ramps up compliance risks for advertisers and could lead to inconsistencies in enforcement.

Why is all this unfolding now? 

Well, previous attempts at federal privacy legislation, like the American Data Privacy and Protection Act (ADPPA), didn’t quite hit the mark. Certain politicians, like Senator Maria Cantwell, weren’t satisfied with them. Others, mainly from California, were concerned that a national law would override their state’s data protection laws. But now, the political landscape has shifted. Some lawmakers have retired or lost power, changing the game. Plus, Washington’s growing interest in AI policy hinges on strong privacy standards, a fact not lost on the White House. The recent focus on ByteDance, TikTok’s parent company, and efforts to ensure its data security, along with concerns about child online protection, as reflected in the Children and Teens’ Online Privacy Protection Act, all make a compelling case for nationwide rules.

So, APRA’s a done deal, right? 

Not exactly. The tricky part lies in the details, particularly in section 19 of the legislation, as noted by Lucas Long, head of global privacy strategy at InfoTrust, a data governance consulting company. This section, which grants enforcement powers to individuals, makes the legislation a tough sell, he continued. Historically, Long said the inclusion of a private right of action has been a major hurdle in comprehensive state privacy laws, and it’s largely absent here too. This has been a headache for privacy offices at major advertisers dealing with laws like California’s Invasion of Privacy Act and the federal Video Privacy Protection Act. It’s likely that both trade industry groups and big advertising technology platforms will push back, especially on this point, Long added.

What happens next?

For the APRA to become law, it must first be introduced in Congress, undergo review by relevant committees, be debated and voted on in both the House and the Senate, and potentially reconciled if there are differences between versions. Finally, it needs approval from the President. This process entails various stages of consideration, negotiation, and possible amendments before it can be enacted. Public input, lobbying efforts, and political dynamics all influence the bill’s journey through Congress

Will the upcoming election affect APRA’s path?

Probably not. The fact that APRA is bipartisan, with support from members of both parties, should insulate it from any turbulence caused by the presidential race. Recent Senate hearings on social media platforms reinforce this view. At most, the election might slow down discussions and passage of the legislation, but it’s unlikely to dictate its fate.

How has the ad industry taken the announcement?

Pretty much as expected. The IAB, for instance, acknowledged the progress made but emphasized the need for further refinements. In a statement following the proposal for APRA, the trade body stressed the importance of full preemption of state laws to establish a consistent national code. It also expressed concerns about a potential flood of lawsuits with the inclusion of a private right of action, urging for ironclad language. Additionally, the organization advocated for a grace period of at least a year for companies to comply before enforcement kicks in.

Anything more to add? 

Well, let’s zoom out and put APRA’s proposal into context. As InfoTrust’s Long pointed out, this move suggests that the era of big tech exceptionalism is fading. With FTC investigations and actions focusing on big tech, both from antitrust and privacy perspectives, it’s evident that federal regulators are shifting their priority back to consumers and away from shielding big tech.