What marketers need to know about the American Privacy Rights Act and its future effects
First came the General Protection Regulation (GDPR) law in the European Union. Then came the California Privacy Rights Act (CPRA), followed by a storm of similar laws from other states designed to give consumers more power over how companies collect, use and store their data. Now, there’s a proposal for a federal privacy law, the American Privacy Rights Act (APRA), that would significantly impact the digital advertising ecosystem by restricting how data is shared and how consumers are targeted. We’re going to walk you through the APRA and what that means for marketers.
The APRA explained
After previous attempts to establish a national privacy law failed, a group of bipartisan lawmakers introduced the APRA last month to standardize data privacy rights across the United States and replace the patchwork of privacy laws currently in place by individual states. The Congressional Research Service provides an excellent overview of the APRA.
While the proposed legislation is still being debated and discussed, transparency is a big part of the proposed bill. The key parts include:
- Americans gain greater control of their data: Under the APRA, consumers can stop companies and data brokers from transferring or selling their data. Additionally, it requires a mechanism for consumers to request to have their data deleted. Consumers can also opt out of targeted advertising and must provide consent for companies to transfer sensitive data to a third party.
- Companies are limited in the type of data they can collect and use: Organizations will only be able to use consumer data for necessary reasons. They will also be required to have a privacy policy that details data collection processes and how consumers can opt-out. The APRA restricts the collection and transfer of specific types of data, such as biometric or genetic information, without the individual’s affirmative express consent unless expressly allowed by a stated permitted purpose.
- A national registry of data brokers will be created: As part of the legislation, the FTC will maintain a data broker registry. All data brokers will also need to keep a public website that identifies themselves as a data broker. Consumers must be able to control data and opt-out from collection on the website using a “do not collect” mechanism.
- Companies must designate a privacy or data security officer: While most companies can appoint either a privacy or data officer, large data holders must designate both along with following additional requirements such as filing with the FTC annually. Companies are not required to create a standalone position but can add these responsibilities to an existing role.
- Individuals harmed by data breaches can sue corporations: Drawing on language from the CCPA, consumers can recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs.
What this means for marketers
In a nutshell, the APRA would shake things up by forcing companies to scale down the amount of data they collect on people. Some in the industry take a grimmer outlook. An article in AdAge, notes that the proposed legislation is striking “fear in internet ad industry,” with some equating it to a ban on targeted advertising. The Interactive Advertising Bureau (IAB) and other groups have concluded that the APRA would drastically change the advertising technology model we know today.
Still, there are important questions that still need to be clarified before we can fully understand the impact of the APRA if it becomes law. For example, it’s unclear if it requires opt-in consent or allows for an opt-out. The distinction is important for advertisers. In the AdAge article, Lartease Tiffith, executive VP for public policy at IAB, pointed out that sections of the bill refer to opt-out mechanisms for targeted advertising. At the same time, it also includes a clause that refers to opt-in requirements for sensitive data, which includes web browsing data. “It is slightly unclear, but I think at minimum, it requires opt-in, but even more, maybe even a total ban on the ability to have cross-site tracking and web browsing data being shared, and used, for targeted advertising.”
- Targeted advertising will most likely survive in some form, but it’s essential for marketers to think ahead and plan for how this policy will impact business. At the very least, you should be asking yourself questions like:
- How will we adjust our strategy so we can continue to engage with our customers?
How can we use this to build a stronger connection with our customers by leading with their rights first?
We shared tips for navigating data privacy laws last year, before APRA was introduced. At the time, we recommended organizations get ready for new laws by reviewing how opt-out requests are handled as well as taking another look at the company’s privacy policy. Those suggestions still hold. With more targeting rules being considered, and with the deprecation of cookies, it’s also a good idea to explore other targeting options and ways to collect data. That way, if the APRA does become law, you are prepared.
Looking ahead
Despite the handwringing about the potential effects of the APRA, there is a silver lining. Compliance with a single federal law is likely to be much simpler than navigating the various state-level privacy laws. Trevor Hughes, president and CEO of the International Association of Privacy Professionals, summed it up well in an article in The Drum, “Online advertisers may actually find that even with a higher hurdle to clear, that a consistent national standard that is predictable, understandable and provides strong guardrails and rules of the road for them to operate, is a vastly preferable situation than the current unease and the really complex risk environment that they operate in today.”
APRA is still winding its way through Congress and has already undergone some revisions. There will likely be more changes before it comes up for a full debate and vote. Inevitably this policy or one like it will pass in the coming years. Stay informed by keeping tabs on government websites and industry publications for all the latest developments. Appoint a team to actively address how you would implement the changes needed to be compliant with a policy like this one. It has the potential to transform how online businesses, publishers and ad tech vendors work together.
As always, consult your compliance and legal team or partners for specific advice on data privacy.
If you need help navigating how data privacy laws and regulations impact your marketing efforts or if you want to learn more about how to protect customer data, drop us a note.
We can also help you achieve success with your marketing strategy. Get tips for developing a marketing strategy that propels you toward your business goals.