A House panel advanced a sweeping privacy bill that, if passed, could require ad-tech companies to obtain consumers' affirmative consent to collect much of the data that fuels targeted online ads.
The bipartisan “American Data Privacy and Protection Act,” unveiled in draft form earlier this month and officially introduced this week, would impose sweeping new restrictions on companies' collection and use of online data.
The House Subcommittee on Consumer Protection and Commerce unanimously voted by voice Thursday morning to send the bill to the Energy & Commerce committee.
Despite today's move by House lawmakers, the bill's prospects remain unclear.
Senate Commerce Chair Maria Cantwell (D-Washington) reportedly said earlier this week that the measure is not yet strong enough for her to support.
While the current version of the bill differs from the earlier draft, the measure would still require companies to obtain users' opt-in consent before collecting, processing or transferring their aggregated online search or browsing history.
That provision has some exceptions, including a narrow one for research and analytics, but not for advertising.
A separate provision allows consumers to opt out of targeted advertising, even if they previously consented to the collection and use of their search and browsing history. The bill would also prohibit companies from serving minors under 17 with targeted ads.
(Targeted advertising is defined in the proposed law as displaying ads to a device or unique identifier based on “known or predicted preferences, characteristics, or interests” associated with the device or identifier. The definition excludes contextual advertising, meaning ads served based on content on the same page.)
Among numerous additional provisions, the bill also would require large online companies with more than $250 million in annual revenue to study their algorithms for potential bias.
If passed in its current form, the legislation would override some state laws, but not others. Among the laws that would remain in effect are the Illinois biometric privacy law and a data-breach provision in California's privacy law.*
The measure would allow for private individuals to sue over violations, but not until four years after enactment.
Some digital rights groups including Public Knowledge and Center for Democracy & Technology indicated they support the bill, but would like to see additional revisions -- including changes making it easier for consumers to sue.
Ad industry groups, which generally oppose the idea that companies must obtain users' opt-in consent before collecting data used to target ads, are likely to push back against that requirement.
Late Thursday, the group Privacy for America -- a coalition that includes the Interactive Advertising Bureau, Association of National Advertisers, American Association of Advertising Agencies, Digital Advertising Alliance, and Network Advertising Initiative -- stated the bill "needs additional improvements to preserve the responsible use of data that drives a vibrant economy and benefits consumers."
*This column was updated to reflect that a data-breach provision California's privacy would not be preempted by the proposed federal bill.