Lawmakers in the House Energy and Commerce Committee on Wednesday voted 53-2 to advance a sweeping bipartisan privacy bill that would outlaw a common form of online behavioral ad targeting.
The version of the American Data Privacy and Protection Act approved Wednesday would prohibit companies from collecting or processing data about web users' online activity across sites and over time for ad purposes. That ban would effectively prevent companies from serving ads to web users based on their browsing activity.
Rep. Frank Pallone (D-New Jersey), who was among the bill's authors, stated Wednesday that the measure “puts people back in control of their data.”
Major ad industry organizations including Privacy for America, the Association of National Advertisers and the Interactive Advertising Bureau opposed the bill, argued in a Tuesday letter to lawmakers that the provisions regarding cross-site tracking “would stifle that data-driven economy by prohibiting the collection and use of basic demographic and online activity data for efficient, responsible advertising.”
The Association of National Advertisers on Wednesday reiterated its objections.
“The bill would prohibit companies from collecting and using basic demographic and online activity data for typical and responsible advertising purposes, thus slashing advertising revenue, hurting small businesses, and jeopardizing popular ad-supported digital services, all with little to no consumer benefit,” Chris Oswald, executive vice president for government relations for the organization, stated after the vote.
A prior version of the bill would have allowed ad tech companies to draw on consumers' online activity for advertising, but only with their explicit consent. The ad industry also objected to that earlier version, arguing that companies should be able to serve consumers ads based on cross-site activity on an opt-out basis.
Advocacy group Consumer Reports, which supports the current bill's ban on cross-site data collection, on Tuesday urged lawmakers "to not backtrack on the changes ... especially when it comes to online tracking and targeted advertising."
The bill that advanced to the floor would still allow companies to draw on data collected from their own sites in order to serve targeted ads to adults, on an opt-out basis. The measure prohibits companies from serving targeted ads to children or teens younger than 17.
The bill could be revised again before the full House votes on it. Even if passed in the House, the bill's fate in the Senate remains uncertain, given that Maria Cantwell (D-Washington), head of the Senate Commerce Committee, reportedly has said the measure should be strengthened.
Can you please put links to the bill and the other sources in this report? Thanks!
Here's the most recent version of the bill: https://docs.house.gov/meetings/IF/IF00/20220720/115041/BILLS-117-8152-P000034-Amdt-1.pdf
Okay, some thoughts.
Fiirst, like the GDPR (and other EU laws and regs, extant and forthcoming), this bill presumes, tacitly if not explicitly, that nearly all agency belongs to sites and services ("covered entities"), and not to what it thankfully calls individuals. (Not "users" or "data subjects," though it does in places call us "consumers"—a diminished stature (we only consume), sadly also used by the CCPA.)
Second, while it enumerates ten rights (e.g. "Individual data ownership and control" and "Data security and protection of covered data), they again presume that individuals live entirely within capabilities provided sites and services. Not that they have any tech of their own, providing protections that can be operated firsthand. That we don't yet have those protections does not mean we won't or can't.
So, what this bill does, or attempts to do, is regulate the current surveillance economy. While that may seem fine, it may further reify that economy by permitting too much of it to persist while also creating a thriving secondary industry in circumvention.
To see how big that secondary industry can get, do this Google Search: https://www.google.com/search?q=gdpr+compliance . Nearly all the 200+ million results you get in that search will be for businesses selling obedience to the letter of the GDPR while screwing its spirit. This "GDPR compliance" business is now a many-$billion (also £ and €) economy that did not exist prior to May, 2018, when the GDPR's rules became enforceable. How much bigger new laws will make the circumvention economy is anybody's guess. But it is sure to grow.
Big Tech lobbies are already fighting it. Marketing, which now largely reposes in the surveillance economy, also won't be happy with this bill.
I also see nothing (but maybe I'm missing it) in this bill that relieves us of the need to opt out of personal information used by others, rather than opt into those—or to prevent those uses by our own means.
There is nothing about the Internet that prevents us from acting as first parties in dealing with the sites and services of the world, and having them assent or agree to our terms and policies. And to have means built into those assets and agreements for auditing later—mechanisms sorely missing in today's "consent" mechanisms
This is why we have an IEEE working group, P7012, Standard for Machine Readable Personal Privacy Terms, here: https://standards.ieee.org/ieee/7012/7192/ The hope here is that this standard will encourage the tech we need, for that horse to lead the regulatory cart, rather than always the other way around.
Respectful to the Association of National Advertisers, I think this will improve advertising. The idea and concept that online advertising should be about data misses the point. The bill will put the point back on building brands and products value first in the big picture.