Butler said some forms of targeting are still common under the new version of ADPPA, especially targeting based on first-party data. If you buy shoes on Target.com, Target can still use this information to show you ads for shoes when you’re on other sites. What it can’t do is match your shopping history with everything you do on the web and on your phone to show you ads for things you never told them you wanted. Nor can Facebook and Google continue to spy on you by putting trackers on nearly every website or free app you use in order to build your profile for advertisers.
“If they’re tracking your activity on a third-party site, which they definitely are, then that’s sensitive data, and they can’t process it for targeted advertising purposes,” Butler said.
While the new bill still allows targeted advertising, it would require companies to give users the right to opt out, while barring various tricks companies often use to push users to click “accept all cookies” under GDPR. It will direct the FTC to create universal opt-out standards that companies must adhere to, meaning users can reject all targeted ads with one click. (This is an important feature of California’s recently passed privacy law.)
The advertising industry seems to agree that the bill would mark a fundamental shift. Yesterday, the trade group the National Association of Advertisers issued a statement opposing the bill, arguing that it would “prohibit companies from collecting and using basic demographic and online activity data for typical and responsible advertising purposes”.
In addition to data minimization methods, the new bill contains a number of provisions that data privacy experts have long called for, including transparency standards, anti-discrimination rules, increased oversight of data brokers and new cybersecurity requirements.
For the past few years, federal privacy legislation has been a bit of a white whale in Washington. Since 2019, a bipartisan deal is said to be on the horizon. That effort has stalled as Democrats and Republicans disagree on two key issues: whether federal bills should take precedence over state privacy laws, and whether they should create a “private right of action” that would allow individuals, not only Just the government, suing companies for violations. Democrats generally oppose pre-emption in favor of private rights of action, while Republicans do the opposite.
The new bill represents a long-sought compromise on these issues. It takes precedence over state law, with some exceptions. (Most notably, it empowers California’s brand-new privacy agency to enforce ADPPA in the state.) It contains limited private action rights that limit the damages people can sue.
The bill inevitably has other shortcomings. A universal opt-out requirement is nice, but it doesn’t make much sense until the biggest browsers, especially Chrome and Safari, join the feature. The bill gives the FTC new powers to issue rules and enforce them, but it doesn’t provide any new resources to the agency, which already lacks staff and funds to handle everything on its plate.