The American Privacy Rights Act sharply deviates from the prevailing regulatory approach to targeted advertising under state privacy laws, such as the California Consumer Privacy Act and Colorado Privacy Act.
It would preempt those laws and create European-like consent requirements for transfers of online activity data and other data deemed as sensitive that are commonplace in targeted ad use cases. The online service models that rely upon targeted ads will be stymied by what effectively will become a requirement to obtain “affirmative express consent.”
Targeted ads deliver more relevant ads to consumers. Therefore, they generate more revenue for publishers than non-targeted ads, helping publishers avoid the need to charge subscription fees for content access in order to have a viable business model. Existing opt-out schemes recognize and enable consumer rights without placing significant compliance or operational burdens on businesses, as an affirmative express consent requirement would do.
A Federal Trade Commission study in 2020 noted these factors and warned that “[p]olicy makers must carefully consider the ramifications of altering the current targeted ad-supported regime, which generates significant consumer and economic value.”
Beyond addressing these broader policy and economic issues, legislators should clarify the draft bill’s ambiguities. Otherwise, businesses will be left guessing how to interpret confusingly drafted requirements, and that will open the door for enterprising plaintiffs’ lawyers to bring claims that challenge good-faith compliance efforts.
Lack of Clarity
The draft bill is unclear about whether sensitive and previously collected data could even be used for purposes of targeted ads. It would prohibit companies from obtaining consent to process covered data for uses that don’t qualify as permitted purposes—unlike the data minimization and secondary use provisions in many state privacy laws.
Section Three of the draft bill vaguely defines permitted purposes and could be construed to mean companies can’t use, for targeted advertising, previously collected data. This section, which also addresses other non-targeted advertising use cases, must be fixed so that companies that have spent the last several years developing state privacy law compliance programs can keep using previously lawfully collected data.
Other parts of Section Three must be clarified as well to eliminate ambiguity about using sensitive covered data in targeted ads. One interpretation would restrict targeted ads involving sensitive covered data regardless of an opt in, which can’t be the intent. This could be fixed by clarifying what appears to be the actual intent—collection of sensitive personal data for targeted ads is “opt-in” and transfer of it to others for targeted ads is “opt-out.”
However, the better policy approach would be to apply an opt-out approach to all targeted ad use cases, including transfers.
Free Content Threats
Another concern is the breadth of Section Eight’s prohibition on different prices or service levels based on exercise of rights, including refusal to give consent. This would preclude publishers from adopting “pay or OK” or “freemium” models where consumers can choose between paying for access to content or accepting targeted ads to obtain access for free.
Even under less prescriptive opt-out state privacy laws, this kind of practice is generally permitted, while the draft bill’s approach aligns closely with the way European authorities are applying the EU’s General Data Protection Regulation.
This could drive many publishers out of business, and those that survive may be forced to charge all users some amount for access to offset ad revenue losses and avoid prohibitions of differential treatment. This approach could further the digital divide for less affluent Americans.
Opt-Out Uncertainty
The draft privacy bill allows individuals to opt out of data transfers and separately data processing that services targeted advertising. Unlike the opt-out rights in California’s and Colorado’s privacy laws, the draft bill’s data transfer opt-out right has no exception for transfers to service providers.
There also are additional provisions suggesting that opt outs should apply to service providers, which isn’t appropriate because service providers are limited in their processing purposes and activities.
The lack of such an exception will disrupt the ability to use service providers for basic advertising functions such as contextual and first-party ad serving, measurement, and frequency capping. It also could affect data processing outside of targeted ad use cases, given the necessity for businesses to engage others to help them process data.
This could be fixed by exempting transfers to service providers from the opt-out rule, if the transfers aren’t processed for targeted ads, as state privacy laws provide. This also could also be fixed by exempting transfers to service providers for certain non-intrusive processing purposes from the opt out. Other provisions suggesting that opt outs should be applied to service providers would also need to be changed.
Aligning With States
There are other provisions implicating opt outs that are like concepts found in the state privacy laws. The draft bill contemplates a “centralized mechanism,” such as global privacy control, and a “registry of identifiers” for consumers to communicate opt outs.
The FTC is empowered to develop the operational details of these programs. Because businesses already have compliance programs to address similar state requirements, the federal privacy act should direct the FTC to do so in a way that mirrors current state privacy laws.
Outlook
The intent to protect privacy is laudable, and creating a uniform national standard serves both consumers and industry. But Congress should better balance individuals’ privacy preservation with the wide-ranging ripple effects the American Privacy Rights Act would have on the digital advertising ecosystem, the free and open internet, and businesses more broadly.
It can do so by more closely following the opt-out approach of the existing state privacy laws and cleaning up significant ambiguities in the current draft.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Alan Friel is chair and Kyle Fath is partner in Squire Patton Boggs’ data privacy, cybersecurity, and digital assets practice in Los Angeles.
Write for Us: Author Guidelines
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.