Usually, when Congress is working on major tech legislation, the inboxes of tech reporters get flooded with PR emails from politicians and nonprofits either denouncing or trumpeting the proposed statute. Not so with the American Data Privacy and Protection Act. A first draft of the bill seemed to pop up out of nowhere in June. Over the next month, it went through so many changes that no one could say for sure what it was even designed to do. For such an important topic, the bill’s progress has been surprisingly under the radar.
Now comes an even bigger surprise: A new version of the ADPPA has taken shape, and privacy advocates are mostly jazzed about it. It just might have enough bipartisan support to become law—meaning that, after decades of inaction, the United States could soon have a real federal privacy statute.
Perhaps the most distinctive feature of the new bill is that it focuses on what’s known as data minimization. Generally, companies would only be allowed to collect and make use of user data if it’s necessary for one of 17 permitted purposes spelled out in the bill—things like authenticating users, preventing fraud, and completing transactions. Everything else is simply prohibited. Contrast this with the type of online privacy regime most people are familiar with, which is all based on consent: an endless stream of annoying privacy pop-ups that most people click “yes” on because it’s easier than going to the trouble of turning off cookies. That’s pretty much how the European Union’s privacy law, the GDPR, has played out.
“The reason I really like this bill is, it takes a data-minimization approach first,” says Sara Collins, senior policy council at Public Knowledge, a consumer advocacy group in DC. “The bill at the outset is like, ‘One, you don't collect any more data than you reasonably need, and, two, here’s a list of reasons you might need this data.’”
A major caveat is that the list of reasons includes targeted advertising, which is the economic driver of most commercial surveillance in the first place. So the bill falls well short of simply banning the practice, which is what many data-privacy advocates would prefer. On the other hand, it imposes much stricter limits on targeted advertising—and the data collection supporting it—than any law in the US and perhaps the world. It would completely prohibit targeting ads to minors, something Joe Biden called for in his 2022 State of the Union address. It would ban targeting ads based on “sensitive data.” That category includes things like health information, precise geolocation, and private communications—as well as “information identifying an individual’s online activities over time and across third-party websites or online services.” In other words, companies would no longer be allowed to follow you around the internet, gathering data on everything you do and using it to sell you stuff.
“I think it’s a pretty fundamental shift,” says Alan Butler, executive director and president of the Electronic Privacy Information Center. “It gets at the heart of what I see as the major privacy problem in the way that ad tech has developed over the last 20 years, largely because there was no privacy law in effect. What’s developed is an ad tech industry that just gorges on personal information in every possible way it can, grabbing every possible piece of data they can find about people.”
Most PopularThe End of Airbnb in New YorkBusiness
Under the new version of the ADPPA, Butler says, some forms of targeting would remain common, particularly targeting based on first-party data. If you shop for shoes on Target.com, Target could still use that information to show you ads for shoes when you’re on another site. What it wouldn’t be able to do is match your shopping history with everything else you do on the web and on your phone to show you ads for stuff you’ve never told them you wanted. Nor could Facebook and Google continue to spy on you by placing trackers on nearly every website or free app you use, in order to build a profile of you for advertisers.
“If they’re tracking your activity across third-party websites, which they certainly are, then that’s sensitive data, and they can’t be processing that for targeted advertising purpose,” says Butler.
To the extent that the new bill would still allow targeted advertising, it would require companies to give users the right to opt out—while prohibiting the sorts of tricks that companies often use to nudge users to click “Accept all cookies” under the GDPR. And it would direct the Federal Trade Commission to create a standard for a universal opt-out that companies would have to honor, meaning users could decline all targeted advertising in one click. (That’s an important feature of California’s recently adopted privacy law.)
The ad industry seems to agree that the bill would mark a fundamental shift. Yesterday, the Association of National Advertisers, a trade group, issued a statement opposing the bill on the grounds that it would “prohibit companies from collecting and using basic demographic and online activity data for typical and responsible advertising purposes.”
Apart from its data-minimization approach, the new bill contains quite a lot of provisions that data privacy experts have long called for, including transparency standards, anti-discrimination rules, increased oversight for data brokers, and new cybersecurity requirements.
Federal privacy legislation has been something of a white whale in DC over the last few years. Since 2019, a bipartisan agreement has supposedly been just around the corner. The effort kept stalling because Democrats and Republicans were divided on two key issues: whether a federal bill should preempt state privacy laws, and whether it should create a “private right of action” allowing individuals, not just the government, to sue companies for violations. Democrats are generally against preemption and in favor of a private right of action, Republicans the reverse.
The new bill represents a long-sought compromise on those issues. It preempts state laws, but with some exceptions. (Most notably, it empowers California’s brand-new privacy agency to enforce the ADPPA within the state.) And it contains a limited private right of action, with restrictions on the damages that people can sue for.
The bill has other shortcomings, inevitably. The universal opt-out requirement is nice, but it won’t mean much until the largest browsers, especially Chrome and Safari, add the feature. The bill gives the FTC new authority to issue rules and enforce them, but it doesn’t direct any new resources to the agency, which already lacks the staff and funding to handle everything on its plate.
Most PopularThe End of Airbnb in New YorkBusiness
As a result, not everyone in the privacy camp is on board. On Tuesday, a group of mostly blue-state state attorneys general sent a letter to the committee objecting to the preemption provision. And the Electronic Frontier Foundation tweeted on Wednesday that it is “disappointed” by the compromises in the bill.
On the whole, however, the ADPPA seems wildly popular both on the Hill and among advocacy organizations. It has the support of leading privacy and civil rights nonprofits, and the House Commerce Committee voted to advance it by a 53-2 margin—an overwhelmingly bipartisan consensus that bodes well for the bill’s prospects when the full House votes on it. During yesterday’s markup hearing, several members noted that while the bill isn’t perfect, it’s simply politically impossible to pass a federal privacy law that doesn’t involve compromise on those two key issues.
Even the tech industry hasn’t launched any public campaign to kill the bill. You could take this as a sign that it’s actually too weak to trouble the industry. But Adam Kovacevich, the CEO of Chamber of Progress, a Big Tech lobbying group, points out that even the bill’s liberal critics have acknowledged that it goes further than any of the state laws it would preempt—even California’s. “I don’t think anyone in industry is crazy about the idea of the private right of action, the idea of more lawsuits,” he says. But, he adds, tech companies have already spent years learning to comply with the growing web of privacy regimes around the world. A somewhat stricter law might not be so bad if it provides a clear, fixed national standard.
None of this means that the ADPPA is sure to become law, of course. In the Senate, Maria Cantwell, the top Democrat on the Commerce Committee, has not gotten behind the effort yet, though her Republican counterpart has. And time is running out for that sclerotic body to pass any major laws before next year, when Democrats will almost surely lose their governing trifecta.
Still, privacy advocates are cautiously optimistic. “You’re looking at a situation where you have bicameral, bipartisan support, with Republicans and Democrats on board on the House and Senate side,” says Butler. “I don’t think we’ve ever been this close.”