The state of privacy and data in America is in shambles.
Recently, President Biden signaled how important privacy legislation is by addressing it at the State of the Union for the first time. We all recognize that state privacy laws are here, with many more to come. At this point, we desperately need universal privacy legislation that supersedes state laws to create a level playing field for credibility, stability, and protection for consumers and businesses.
At RampUp 2023, “Stay on the Forefront of Privacy Legislation” was a session where Washington D.C.-based ad tech counsel and a VP at the U.S. Chamber of Commerce shared their perspectives on what’s happening right now and what the industry can do to streamline the process. One common denominator among the three session participants was that now was the time for one federal privacy law.
The Time Is Now
Data is highly regarded because it helps to deliver impactful services to consumers and customers. It unlocks the potential of the information economy to communities and helps ensure that consumers have access to important and useful information for free. It makes the open web a lot like the public library. Also, with the right data, consumers can access personalized apps and services that make life easier.
And, for the ad tech ecosystem, it powers the pipeline, bringing the right message to the right consumer at the right time. However, this all goes out the window if we do not establish a reasonable and well-thought-through national policy for data.
In a study conducted by Privacy for America, we learned that consumers enjoy over $30,000 a year in subsidized content and services online. A law restricting that flow of data availability could increase what we consider an online tax by over $30,000.
We must ensure we continue to provide consumers with this same access. This isn’t just an ad tech issue. With six state data privacy laws already on the books and many different bills under consideration, delivering the impactful information and services consumers expect grows harder and harder.
“Without a preemptive national standard, we risk that the policy, and how we can engage with consumers and build audiences, will be left to just a handful of companies,” explained Michael Signorella, co-chair of the Technology and Innovation Group at Venable law firm. “They will decide how we can address media to consumers online, think of ATT.”
The Tragedy Associated With State-led Privacy Legislations
According to a recent U.S. Chamber of Commerce report, 80% of small businesses stated that tech platforms, ads, and payment apps enabled them to compete with larger corporations. So limiting access to data and the ability to use data will constrict their business operations.
“There are currently about 20 states that have introduced bills being considered now,” said Jordan Crenshaw, VP at the U.S. Chamber of Commerce. “The problem is that we’re seeing multiple models emerge, and even when we have very similar models, they are still somewhat different. If you’re a food truck with about 270 customers daily, complying across state lines would be nearly impossible.”
The California Consumer Privacy Act was the first comprehensive law in the U.S. to go into effect. It gives consumers the right to delete data, opt out of data sales, and know what data companies hold about them. Nonetheless, the private right of action associated with this act could be problematic when it comes to data breaches.
Virginia’s Consumer Data Protection Act, which went into effect in January, gives consumers the right to opt out of data sales and targeted advertising. Like California, Virginia consumers can also delete data, but they also can correct data and opt-in for sensitive data. There is no private right of action in Virginia, which is good because it leaves enforcement up to the state’s attorney general. It also doesn’t allow for broad rulemaking authority to any agencies in the state, keeping the terms and conditions concrete.
When it comes to federal privacy, the Chamber of Commerce currently sees states embracing the American Data Privacy and Protection Act (ADPPA) and opt-in frameworks where businesses have to get consent to use data outright, like in Oklahoma. All these differences are a huge red flag for compliance for small businesses.
Where Are We Seeing Specific Privacy Regulations?
Health Data: Since the Roe v Wade decision, there has been a call to create privacy protections around abortion data or data that might lead to that. The problem is that now that issue has worked into massive health bills creating an even larger issue. In Washington, the state has a bill in review that would require consumers to opt-in for data usage, thus harming data flows for things like health research, clinical trials, for example. That bill also has a private right of action.
Children’s Data: States are proposing updates to the Children’s Online Privacy Protection Act (COPPA). Utah even has a social media bill that would shut off social media usage after 10 pm, substituting the role of a parent with a private right of action and age verification.
Biometric Data: An example of this is facial recognition technology. States like Illinois already passed laws related to biometrics, whereas a company could be subject to private lawsuits if it failed to get consent to use biometric data.
Convos on Capitol Hill
As Principal at Emergent Strategies, a Democratic government affairs firm in Washington, DC, Michael Claunch spends much time on Capitol Hill. While conversing with Congress, he knows they are working to solve many of these privacy issues, whether conflated purposefully or unintentionally.
On the Hill, they are working on complex issues like privacy, whether online markets are competitive enough, and Section 230 reform. Members of Congress feel extremely passionate about these issues, but if they try to address each silo, they will affect the other; privacy is a great example.
“When I interact with Congress, I’m very consistent in my message that a federal privacy law will be the competition law for the next decade,” Claunch explained. “There will be winners and losers as some entities will have better access to more rich data and be able to use it. Market impacts need to be taken into consideration.”
Why Not the ADPPA?
While the ADPPA is an admirable attempt, it’s just not it for many reasons. Experts see many weaknesses regarding its impact on competition and the fact that it has an overly broad definition of sensitive data. It can eliminate the ability for brands and third parties to use data to get a complete look at the consumer and target them across the web.
The ADPPA presents unequal treatment between first and third-party marketers; as we know, if a company has a first-party relationship with a consumer, it’s way easier for them to get opt-in consent on that sensitive data.
Currently, the way the ADPPA is written, third parties are at a significant competitive disadvantage compared to first parties. Thankfully the three legal professionals on this session — Jordan Crenshaw, Vice President, U.S. Chamber of Commerce; Michael Signorelli, Partner, Venable LLP; and Michael Claunch, Principal, Emergent Strategies — are working to change that. With a new Congress in place, it presents an opportunity to reset and build up the good work regulators have done. It also gives them ideas to ensure that a federal privacy law considers all stakeholders.