The American Privacy Rights Act (APRA) was formally introduced on June 25. The bill is sponsored by Rep. Cathy McMorris Rodgers and co-sponsored by Reps. Pallone, Bilirakis and Schakowsky. The new bill was scheduled for a full House Energy and Commerce Committee markup on June 27, but that session was canceled abruptly right before it was scheduled to start.
The federal privacy bill has been on a bit of a legislative roller coaster. Senate Democrats and House Republicans first released a discussion draft of APRA in April. The draft represented a compromise brokered by Washington state Sen. Maria Cantwell (the Democratic chair of the Senate Committee on Commerce, Science and Transportation) and Washington state’s Rep. McMorris Rodgers (the Republican leading the House Committee on Energy and Commerce). With 19 states passing their own consumer privacy laws, the call for a comprehensive federal privacy law only continues to grow.
Since that first discussion draft in April, the draft legislation has been updated twice. First, a revised draft was released on May 21 (May APRA Draft)—just in time for a markup by the Innovation, Data, and Commerce Subcommittee that was scheduled for May 23. That markup never came, but the May APRA Draft (with a version of COPPA 2.0 as Title II) was unanimously advanced out of the House Energy and Commerce Subcommittee on Innovation at the end of May. Since then, APRA was revised again, with a draft that was released on June 20 (Updated APRA Draft), as reported by Punchbowl News. This new draft was released just days before a scheduled markup by the full House Energy and Commerce Committee on June 27 (a meeting that was abruptly canceled minutes before it was due to start).
Even though the full House committee did not take up the recently introduced bill, the Updated APRA Draft is still worth paying attention to, as it could very well set the new baseline for states that are still eyeing their own consumer privacy laws. Notably, the Updated APRA Draft makes meaningful changes to various advertising provisions and includes a new Title II, “Children’s Online Privacy Protection 2.0,” which amends the Children’s Online Privacy Protection Act of 1998 (COPPA).
New Definitions Related to Advertising
The May APRA Draft revised the definition of “targeted advertising” and added definitions for “first-party advertising” and “contextual advertising.” The Updated APRA Draft further revised some of those definitions and added definitions for “direct mail” and “email” targeted advertising.
- Targeted Advertising: “Targeted advertising” is no longer advertising based on “known or predicted” data but now includes online advertising if the advertisement is selected (in whole or in part) based on known or predicted preferences or interests associated with an individual or a device identified by a unique identifier. The May APRA Draft included a number of fairly common exclusions, including (1) advertising or marketing to a consumer in response to their specific request for information or feedback, (2) first-party advertising based on the consumer’s visit to or use of a website or online service that offers a product or service related to the subject of the ad, and (3) processing data for ad measurement or reporting (including media performance, reach or frequency). The Updated APRA Draft deletes these carve-outs, and the only exclusions to “targeted advertising” are now contextual advertising and “first-party advertising.”
- First-party advertising and first-party data: The May APRA Draft introduced new definitions for “first party,” “first-party advertising” and “first-party data.” Under the Updated APRA Draft, “first-party advertising” is now defined as advertising or marketing by a first party using that first party’s first-party data and no other forms of covered data through direct communications with an individual (such as direct mail, email or text message communications). First-party advertising also includes advertising or marketing by the first party (1) in a physical location operated by the first party and (2) on a website, online service, online application or mobile application operated by a first party to display or present an online advertisement that promotes a product or service (whether offered by the first party or not offered by the first party). First-party advertising does not include contextual advertising.
- First-Party Data means covered data collected directly from an individual by a first party, including based on a visit by the individual to or use by the individual of a physical location, a website, an online application or a mobile application operated by the first party.
- A First Party is a consumer-facing covered entity with which the consumer intends and expects to interact. Under the Updated APRA Draft, a first party now includes any entities with which the covered entity shares common branding. (The “common branding” definition remains unchanged from the first APRA draft and is defined as a name, service mark or trademark that is shared by two or more entities.)
- Contextual Advertising: The Updated APRA Draft includes a revised definition for “contextual advertising” (which was first added in the May APRA Draft). Contextual advertising now includes displaying or presenting an advertisement that (1) does not vary based on the identity of the individual recipient and (2) is based solely on either the content of a webpage or online service, a specific request for information or feedback, or coarse geolocation information (essentially, location at the ZIP code level).
Direct Mail and Email Targeted Marketing
The Updated APRA Draft includes new definitions and provisions for direct mail and email targeted marketing.
- Direct Mail Targeted Marketing is advertising or marketing based on third-party data through direct communication with an individual via direct mail.
- Email Targeted Marketing is advertising or marketing using third-party data through a direct communication with an individual via email.
Both Direct Mail and Email Targeted Marketing are considered “First-Party Advertising.” Accordingly, both direct mail and email targeted marketing are “permitted purposes,” provided that no sensitive covered data is used for either type of marketing (and any covered data required has been collected in compliance with APRA’s data collection provisions).
What New Restrictions Apply to Marketing and Advertising?
First-party and contextual advertising are both allowed, provided that the covered entity uses data collected in accordance with APRA’s data collection provisions. However, no sensitive covered data may be used for either first-party or contextual advertising. Consistent with the other “permitted purposes” in APRA, the use of any covered data for first-party or contextual advertising must be necessary, proportionate and limited to the provision of such advertising.
Provided an individual has not opted out, targeted advertising is also permitted; however, the Updated APRA Draft prevents a covered entity (or a service provider acting on behalf of a covered entity) from engaging in either targeted advertising or first-party advertising if the covered entity has knowledge that the individual is a covered minor (a “covered minor” is an individual under the age of 17, and any data collected from a covered minor is considered “sensitive covered data”). However, the Updated APRA Draft includes new language permitting a covered entity or service provider to present or display “age-appropriate advertisements” intended for an audience of covered minors (so long as no covered data is used, other than the fact that the ad was shown).
The Updated APRA Draft also allows as a “permitted purpose” the processing or transferring of covered data for measurement and reporting, frequency, attribution and performance for first-party advertising, contextual advertising and targeted advertising.
Similar to state consumer privacy laws (like California’s Consumer Privacy Act), the previous APRA draft provided individuals with the right to opt out of targeted advertising. Although the draft includes a targeted advertising opt-out, data required for targeted advertising (like data relating to “online activities over time and across third-party websites,” which is now defined as an “online activity profile”) is considered “sensitive covered data” for which the covered entity would need affirmative express consent. The broad definition of “sensitive covered data” and the targeted advertising opt-out would seem to severely limit the types of advertising entities are able to engage in without consent.
Building on the previous draft’s opt-out requirement, the Updated APRA Draft includes an “opt-out mechanism” or preference signal for targeted advertising. Notably, the opt-out preference signal must be registered and set by an individual. The Federal Trade Commission (FTC)—in consultation with the Secretary of Commerce—is tasked with establishing requirements and technical specifications for the targeted advertising opt-out mechanism.
Additional Provisions For Children’s Privacy
The original APRA discussion draft included few children’s privacy protections, aside from classifying data collected from a minor as “sensitive covered data” and requiring affirmative consent for uses of such data.
The May and Updated APRA drafts include a separate section, Title II, dedicated solely to children’s privacy. The new Title II is very similar to H.R. 7890 (the House version of the Children and Teens’ Online Privacy Protection Act, commonly referred to as COPPA 2.0).
Unlike H.R. 7890, the Updated APRA Draft does not extend its privacy provisions to teens; the bill retains COPPA’s definition of a “child” as an individual under the age of 13 (and does not raise the age of a “child” to under 17, like other children and teen privacy bills). Aside from APRA’s broader restrictions on targeted advertising and first-party advertising to a “covered minor” (an individual under 17), the new Title II does not have some of the more onerous targeted advertising restrictions seen in H.R. 7890.
Title II in the May APRA Draft removed COPPA’s “actual knowledge” standard entirely, such that the revised COPPA provisions in Title II would only apply to an operator of a website, online service, online application or mobile application that is directed to children (meaning that COPPA would no longer apply to operators who know they have child users regardless of the audience they intend to target). Critics of the May APRA Draft often cite Title II’s elimination of COPPA’s “actual knowledge” standard as being too weak to truly protect children’s privacy. The Updated APRA Draft reinstates COPPA’s “actual knowledge” standard and adds “knowledge fairly implied on the basis of objective circumstances” to COPPA’s “knowledge” definition. The FTC is tasked with issuing guidance (including best practices and examples) for covered entities to understand when they may be viewed as having “knowledge fairly implied on the basis of objective circumstances” that an individual is a child or teen.
What’s Next?
Since Rep. McMorris Rodgers canceled the full House committee markup, the future of the Updated APRA Draft is uncertain. While Rep. McMorris Rodgers seems dedicated to getting APRA through committee, it has been reported that House GOP leadership is decidedly not in favor of the bill and has threatened not to pass it, even if the bill were to make it out of committee. Recently, it has been reported that Rep. McMorris Rodgers is dedicated to finding another hearing date, but the legislative calendar doesn’t appear to be in her favor. At this point, it seems unlikely that the Updated APRA Draft will get another markup date before the July recess, meaning the bill would need to move in August—in an election year—which seems increasingly unlikely. We don’t tend to see much legislation being passed in August of an election year, let alone bipartisan legislation like a comprehensive federal privacy bill.