How Brands Can Prepare for a Federal Privacy Law
The American Data Privacy and Protection Act inched its way closer to reality earlier this month, advancing in the House and moving to the full Energy and Commerce Committee for approval. With support from both House and Senate committee leaders, it’s beginning to look like advertisers and marketers might finally be getting uniformity in privacy and data regulations across all 50 states.
Surveys show that consumer support for privacy regulations is strong. Ninety-four percent of consumers say they feel it’s important to have control over the data they share with companies and to know how brands use their information, according to a recent survey from Qonsent. Although 88% of marketers are concerned with data privacy laws, and 78% say they believe impending privacy laws will negatively impact consumer engagement and personalization, there’s greater support for federal regulation than the current state-by-state approach.
The ADPPA’s purpose is to provide consumers with foundational data privacy rights and establish meaningful enforcement. The effort has been years in the making, coming more than half a decade after the European Parliament passed the GDPR. Experts say the ADPPA would function as the American equivalent of the GDPR. The differences are most apparent between state privacy laws.
As it stands currently, provisions of the ADPPA would preempt the state privacy laws enacted in California, Colorado, Connecticut, Utah, and Virginia. Exceptions would still be made for the Illinois Biometric Act and the employment element of the CPRA. Unlike certain state privacy laws, the ADPPA would apply to many nonprofit organizations and small and mid-size businesses. Large data holders, including companies with revenues in excess of $250 million annually, would be required to employ a data protection officer, perform assessments, and engage in heightened security.
Truyo President Dan Clarke believes uniformity in preemption, definitions, and private rights of action will make it easier and more cost-effective for businesses to comply with new privacy regulations. He says it’s encouraging that the latest version of the ADPPA includes a compromise around preemption, which paves the way for having one uniform national law, as opposed to the patchwork of states.
“As of right now, there’s no conflict between state laws. However, that could change,” Clarke says. “New York has a draft bill that would conflict with CPRA and cause more confusion for businesses and underscores the need for a federal law.”
The Interactive Advertising Bureau (IAB) is one of a number of industry groups voicing public support for the Act. But in a public statement, IAB Executive Vice President for Public Policy Lartease Tiffith noted some concern among digital advertisers about the ADPPA’s impact on smaller businesses.
Clarke says the real question digital advertisers should be asking is what Senator Maria Cantwell, chair of the Senate Commerce Committee, is going to do.
“Senator Cantwell is very influential and said publicly she is not going to support ADPPA in its current form, largely because the threshold for private right of action isn’t high enough, and [she] finds issue with class action and private arbitration,” Clarke says. “These seem like bridgeable gaps, and it’s encouraging that privacy groups have shown strong support.”
With the substantial restrictions placed on third-party data-collecting entities, Clarke says he suspects many of those entities will cease to exist if the ADPPA passes, and as a practice, purchasing this data simply won’t be worth the risk for brands.
“There’s simply too much at stake, and with the data minimization requirements within the ADPPA, it will be difficult to get away with utilizing data without consent,” Clarke says. “This is clearly a focus of the federal law, upcoming enforcement by the CPPA, and potential enforcement by the FTC.”
Clarke recommends that brands get started now preparing for the potential impact of the ADPPA by getting a handle on their data and shoring up their understanding of how data moves within their businesses.
“Whether it comes in the form of a federal or state law, organizations will eventually have to comply [with] some sort of privacy law,” Clarke says. “Getting compliant now and implementing best practices for data protection as well as opt-ins will set them up for success in the near future.”