The US Congress unveiled a new, bicameral federal privacy bill last month: APRA (short for American Privacy Rights Act). The proposal has been the talk of the town lately in the privacy space, but there’s a sour note for the marketing and ad tech folks: the rules on targeted advertising are incomprehensible.
Here is what APRA is about, what it says about targeted advertising, and how we feel about the law overall.
- Why is APRA such a big deal?
- What is in APRA?
- What does APRA mean for advertising?
- How is APRA overall?
- Conclusions
Let’s dive in!
Why is APRA such a big deal?
To this day, the US lacks a federal privacy law. This creates a dangerous regulatory gap and turns the digital economy into a data free-for-all that is ripe for harmful abuse- as we have seen in the post-Dobbs privacy and human rights nightmare.
The FTC is doing its best to fill the void and control the damage but lacks the authority to truly fix the situation. In the meantime, many States got tired of waiting for Congress and passed their own privacy laws- including California, home to the Silicon Valley giants.
APRA could close the regulatory gap, bring some degree of uniformity across the US, and enact some much needed privacy protections for Americans. Last but not least, the law may significantly impact the global digital economy as a whole, given the weight of GAFAM and other tech giants.
What is in APRA?
We can only provide a very general overview of APRA because it is a very complex piece of legislation. Let’s try and break down some of the most important stuff.
What is the scope of APRA?
The scope of APRA is quite wide but it does not apply to everyone, or to all kinds of data. Small businesses, the government, and services providers working for the government are exempt.
The notion of covered data, it is quite broad, not unlike the notion of personal data in the GDPR. However, employee data is exempt from APRA (which is a questionable choice). Additionally, APRA does not replace more specific laws like HIPAA.
What rights do you have?
APRA includes several rights such as the right to access covered data, the right to correct and delete, data portability, and the right to opt out of targeted advertising and data disclosures.
APRA also includes a private right of action: you can sue a business if it violates your rights. This is important because the US legal tradition has somewhat complicated rules on who can and cannot sue.
Certain types of covered data are considered sensitive data and can only be disclosed with opt-in consent (with some carve-outs). The list includes, among other, health data, precise geolocation information, data related to sexual behavior, the content of personal communications, government-issued identifiers like social security or plate numbers, and any data from a minor of 17.
Two specific types of sensitive data deserve special attention: cross-website user behavior, and behavioral and activity data collected by “high impact” social media. These are the data that you would typically use for retargeting. So, an explicit opt-in requirement for disclosures is a big deal for ad tech.
Data minimization
APRA includes a data minimization principle: the processing of covered data needs to be necessary, proportionate, and limited. The principle comes with a laundry list of “permitted purposes”- that is, specific types of processing that respect the principle of data minimization.
In practice, we have a broad rule and a long list of complicated exceptions. This results in a very complex and sometimes contradictory system. In all likelihood, it will take some time and case law to make sense of it all.
What does APRA mean for advertising?
Targeted advertising: opt-outs and limitations
At a surface level, APRA is clear enough: targeted advertising is allowed on an opt-out basis. Contextual advertising does not come with the same requirement.
Notably, advertising is only allowed based on data already collected under APRA. The rule is not 100% clear yet, but at face value it seems as though you cannot collect data solely for advertising. You can only advertise based on data you already control for a different purpose.
If that is the intent, then we really like the idea. Restricting advertising to the data you already control for other purposes, could limit the data hoarding we see everywhere and help reduce digital footprints without outlawing targeted advertising entirely.
Targeted advertising and sensitive data
Things get more complicated when it comes to sensitive data because it is not clear how the rules on sensitive data interact with the limitations on targeted advertising:
- Disclosures of sensitive data in general are opt-in, unless one of several specific purposes applies (Sec. 3(b)(1)).
- One of these purposes is targeted advertising. Targeted advertising is allowed on an opt-out basis but with the exception of sensitive data (Sec. 3(d)(15)).
These rules lead to potentially contradictory conclusions, as noted by the guys at Bloomberg Law. Their take on privacy is atrocious but they still make two valid points: first, taken at face value, APRA may very well ban targeted advertising based on sensitive data (which they would hate and we would absolutely love). Second, the law needs clarity.
Lack of clarity is a big deal because restrictions to the use of sensitive data apply to cross-site activity and behavioral data from social media- the stuff that powers most targeted ads around. The rules would massively impact ad tech but it would be nice to know just how.
TL:DR: targeted advertising based on sensitive data is either opt-in or outright illegal. Your guess is as good as ours.
How is APRA overall?
The law has quite a few good things going for it, mixed with some terrible ideas and unclear rules.
The good
The principle of data minimization shows a clear intention to move past the fiction of consent and give companies a list of do’s and don'ts instead. This is a great idea as consent is often extorted through unfair terms of contract or by hiding shady clauses in the fine print. With APRA, that stuff is out the window.
Incidentally, APRA forbits collecting consent through dark patters even in the specific scenarios where consent does matter. This is also a good call! We are tired of wrestling with impossibly obscure UIs that want more data for no good reason.
We also like that the list of sensitive data is fairly long and includes things like precise geolocation data, the content of personal communication, and cross-site online activity. We wish these data were sensitive under the GDPR as well.
Last but not least, APRA protects vast amounts of health data that fall outside the scope of HIPAA. These data have been a major issue since Dobbs v. Jackson ruling.
The bad
Many Sections of APRA are exempt from private action, including some crucial rules about data minimization. In other words, some of the most important APRA rules can only be enforced by Advocate Generals, the Federal Trade Commission, and other institutions- citizens can’t sue directly
The intent is to prevent a tidal wave of litigation against companies, which is understandable. Still, we feel that the exemption is too broad and could defang the law in practice.
Furthermore, as we mentioned, the rules on targeted advertising and sensitive data are obscure and contradictory. It doesn’t stop here: the rules on sensitive data are so poorly formulated, that they can be construed as being more permissive than the general rules in certain scenarios. This makes absolutely no sense and further adds to the uncertainty.
Last but not least, APRA does not apply to employee data. This is a god awful idea because bossware use is an urgent issue. If Congress feels that employee privacy is better addressed by a different law, so be it- but workers need that law yesterday.
The so-and-so
Finally, there is the thorny issue of State preemption. In a nutshell, preemption means that APRA “overwrites” State privacy laws (save for niche ones).
State preemption is a double edged sword. On the one hand, US privacy law is a messy patchwork right now, which makes compliance complicated for companies that do business nation-wide. Preemption would make the rules largely the same and ease the compliance burden.
On the other hand, some States have enacted laws that are quite strong and sometimes stronger than APRA. They don’t want to see them preempted by federal law and are pushing for APRA to set a floor rather than a ceiling in terms of privacy rights.
This is by no means a new problem. Not long ago the APRA's predecessor (ADPPA) was met with fierce opposition over preemption and the bill eventually went nowhere. Hopefully Congress will find a way this time around, even if that entails compromises.
Conclusions
In a relatively short time we have seen the TikTok ban, restrictions of data sales to “foreign adversaries”, the proposal of APRA, and House approval of the 4th Amendment Is Not For Sale Act (a less discussed but quite important development).
While some of these laws are controversial, there is no denying that privacy is gaining momentum at a policy level. This might just be the right time for Congress to seal the deal on a much needed federal privacy law. That being said, APRA's kinks still need to be ironed out and the issue of State preemption may throw a wrench in the negotiations.
All eyes are on Congress now. Given the US’ weight in the digital economy, a strong federal privacy law would be a major step forward not only for the US, but for global privacy as well.
We built Simple Analytics because we believe in a privacy-friendly web. We help our customers understand their traffic and expand their audience without collecting a single bit of personal data. Our web analytics tool is easy to learn, customizable, and comes with a hand AI assistant. If this sounds good to you, feel free to give us a try!