Data Privacy Accelerates Amid New Legislation, Industry Standards

Legislators and industry advisory groups have made significant strides in recent months in addressing consumer data privacy concerns, with a landmark U.S. federal privacy bill making its way through Capitol Hill and the IAB and World Web Consortium penning new digital consumer privacy standards, among other updates. The European Parliament passed two landmark privacy laws: the Digital Markets Act (DMA) and the Digital Services Act (DSA), while Connecticut became the fifth U.S. state to adopt comprehensive consumer data privacy legislation. Combined, these developments are pushing advertisers, brands, and consumers closer to a more privacy-focused future.

American lawmakers recently introduced the American Data Privacy and Protection Act (ADPPA), H.R. 8152, which would create a comprehensive federal consumer privacy framework. ADPPA represents the first federal privacy legislative bill with bipartisan and bicameral support, breaking a decades-long stalemate on federal data privacy negotiations. After releasing a discussion draft of the bill earlier this year, the ADPPA quickly gained support from industry watchdogs and advocacy groups, including the Future of Privacy Forum, Common Sense Media, and Fair Play for Kids. Similarly, Morning Consult reports more than 80 percent of voters support the major provisions of the new federal data privacy bill. 

The American Data Privacy and Protection Act would: 

Establish a national framework to protect consumer data privacy and security,

Grant broad protections for Americans against the discriminatory use of their data,

Require covered entities to allow consumers to turn off targeted advertising,

Provide enhanced data protections for children and minors, including what they might agree to with or without parental approval,

Establish regulatory parity across the internet ecosystem, 

And more. 

In its current form, the ADPPA applies to “any entity that collects, processes, or transfers ‘covered data’ and is subject to the jurisdiction of the Federal Trade Commission (FTC).” Covered data includes any information that’s “identifying, linked, or reasonably linkable to an individual or device linkable to an individual.” The legislation would preempt state consumer data privacy laws, helping to overwrite the patchwork of state data privacy legislation across the U.S. to create a true national standard for consumer data privacy. 

As it relates to advertisers, the ADPPA draft bill defines targeted advertising as the means of “displaying to an individual or unique identifier an online advertisement that is selected based on knowns and assumptions derived from covered data collected.” With the legislation equipping consumers with the ability to “turn off targeted advertising,” the ADPPA, as it stands today, poses a significant threat to the business models and revenue streams of Big Tech platforms, such as Google and Facebook, if signed into law and a significant number of users opt-out of targeted advertising. In contrast, Apple CEO Tim Cook is in support of the ADPPA, calling on U.S. lawmakers in a letter to Congress to pass federal privacy legislation “as soon as possible,” and that “the areas of agreement appear to far outweigh the differences.” 

With the ADPPA subject to committee reviews and additional hearings in the months to come, changes to the text of the bill are expected, as the bill faces strong opposition by both legislators and privacy advocates. Analysts are not expecting the ADPPA to reach its final form for many months, and if it becomes law, the FTC will establish further guidance for covered entities and organizations within one year of passage. 

Across the Atlantic, the European Union passed the Digital Services Package (DSP), a bundle of legislation aimed at regulating Big Tech platforms. First proposed in 2020, the DSP consists of two parts: the Digital Markets Act (DMA) and the Digital Services Act (DSA). 

According to the Competitive Enterprise Institute, “The DSA is primarily focused on content moderation and advertising. It would impose certain transparency requirements on platforms to disclose how their algorithms operate and curtail the use of targeting advertising, particularly when it comes to minors. The DMA…would most notably ban ‘self-preferencing’ by large established platforms [as it aims to regulate ‘core platform services’ such as app stores and search engines]. It would likely prohibit Apple from pre-installing its Safari browser or FaceTime app on the iPhone. And Amazon could face penalties for promoting its private-label brand, Amazon Basics, or providing perks on products included under its Prime membership.” 

The Council of the European Union will formally adopt the package of laws later this year, and compliance with the DMA and DSA is expected to be in full swing by 2024. 

To help advertisers navigate legislative changes and platform updates, the IAB Tech Lab unveiled its Global Privacy Platform (GPP) to consolidate domestic and international privacy signals for digital advertising programs. As a single protocol for streamlining the transmission of privacy, consent, and consumer choice signals across sites and apps, the GPP enables advertisers, publishers, and ad tech vendors to adapt to regulatory demands across regions as needed. 

The IAB Tech Lab’s GPP will: 

Reduce the cost of managing privacy compliance across regional regulations,

Provide CMPs a single framework to encode and transmit consumer privacy preferences,

Grant consumers more privacy, transparency, and control over their personal data.

In the announcement, IAB Tech Lab confirmed that the GPP integrates with existing privacy signals from Europe’s Transparency & Consult Framework and the California Consumer Privacy Act (CCPA) in the U.S., and will be available to advertisers in the coming months.

Related: Meta and other tech giants form metaverse standards body

With these developments, the data privacy landscape is increasing in complexity and fragmentation, requiring advertisers to swiftly navigate overlapping privacy laws and protocols. Across the ADPPA, DMA, DSA, and GPP, there’s little consensus on what a more privacy-focused internet and advertising model should look like—but advertisers don’t have the luxury of waiting to find out. Given the uncertainty, advertisers must first focus on ensuring they’re getting as much value out of the strategies that aren’t going away while testing approaches to mitigate the effects of those that are. While these changes, legislative and otherwise, pose significant challenges for the industry, they are not insurmountable and will deliver a more durable and transparent digital advertising ecosystem and operating model for brands to engage with consumers in the future. 

It’s more important than ever for advertisers to execute, and elevate, the fundamentals across channels to ensure they aren’t missing out on a unique opportunity to engage with consumers. As first-party data becomes the bedrock that future marketing efforts are built on, a larger emphasis will be placed on the customer experience, and in turn, improving brand loyalty. Adopting and maintaining an agile testing approach will be critical for advertisers in the coming eighteen months, turning emerging challenges into new, privacy-forward opportunities to connect and engage.