RDR Endorses the American Data Privacy and Protection Act

Share Article

RDR’s 2022 Big Tech Scorecard underlined the dire state of privacy among digital platforms. None of the 14 companies we ranked topped a score of 60 percent, and privacy was the lowest-scoring of our three categories (the others being governance and freedom of expression and information). We have been calling for federal privacy legislation for years, highlighting it as an essential first step to reducing companies’ rampant data collection, and mitigating the harmful surveillance capitalist business model it supports.

We’ve written op-eds, revised our methodology, produced stand-alone reports, given academic presentations, submitted comments to federal agencies and to the United Nations, and we’ve participated in congressional testimony. We have steadily made the case that government-enforced privacy protections are  a cornerstone of holding Big Tech to account for not only users’ rights but also healthy information ecosystems. This is why we enthusiastically endorse the American Data Privacy and Protection Act (ADPPA).

On Wednesday, the House Energy and Commerce Committee voted 53-2 to advance the bill, also known as H.R. 8152, thus clearing the way for a floor vote. This is the first time that a comprehensive federal privacy bill has made it this far in the legislative process. This victory comes after years of negotiations between House and Senate leaders of both parties. It was also informed by intense lobbying from industry groups eager for a federal standard that would preempt robust state laws, notably California’s recently passed privacy acts. Against long odds, however, the resulting ADPPA is actually stronger than the California privacy laws. Among the most notable improvements to the status quo are:

  • No more notice-and-consent: The ADPPA finally ends the broken “notice-and-consent” paradigm, where to use a service, internet users are compelled to accept the company’s terms, whatever they are. Unfortunately, most policies are far too legalistic and onerous for users to actually read through and often fail to fully disclose all data practices. Instead, the ADPPA centers the concepts of data minimization and purpose limitation. This provides users with positive rights over their data through direct limitations on how it can be used, collected, and shared. In fact, companies would only be allowed to collect data for one of the 17 purposes laid out in the bill. Any other data collection would simply be prohibited.
  • Individual data rights: The ADPPA allows users themselves to access, correct, delete, and export their data directly to competing services.
  • Civil rights protections: Thanks to years of advocacy from civil and human rights organizations, the ADPPA includes civil rights protections from online discrimination based on demographic and behavioral data—one of surveillance advertising’s most direct harms. It would be the first piece of legislation to explicitly extend civil rights protections to the digital realm. This would include, among other things, mandating that companies correct for algorithmic discrimination.
  • Surveillance advertising: The ADPPA bans targeted advertising for under-17s; prohibits targeting based on specific categories of sensitive data, which include health information and geolocation; and creates a global opt-out mechanism from targeted advertising for everyone.
  • Impact assessments: The ADPPA requires “large data holders” (companies with annual revenues of at least $250 million that collect data on more than 5 million people) to conduct impact assessments on both their privacy and algorithmic practices. These assessments must include details about how the platform is mitigating potential harms. The algorithmic assessments would have to be submitted to the FTC.
  • Enforcement: The bill creates a new Bureau of Privacy at the Federal Trade Commission to enforce the law. It would empower state authorities (notably attorneys general and state privacy agencies like the California Privacy Protection Agency) to bring forward enforcement cases as well as provide a private right of action for many violations. Enforcement was a major sticking point in the drafting process, and has continued to be one since the bill’s introduction in June. We expect to see further amendments on enforcement as the ADPPA winds its way through the legislative process.

Would we be even happier with a stronger bill that ends surveillance advertising once and for all? Yes, of course. Legislators from both parties and both chambers, as well as privacy advocates, should continue working together to improve the bill’s protections. But we should not scuttle a law that will provide significantly more privacy protections while doing a good bit to rein in surveillance-based advertising in service of an ideal that remains out of reach. We can’t ignore that this will likely be the last chance to pass federal privacy legislation under the Biden Administration.

Although this bill may not alone spell the end of the ad tech business model, it will make notable progress by limiting the endless data collection upon which the model sustains itself and by giving millions of people protections they currently lack. This is a major first step, and it’s far past time we take it.

 

 

Highlights

A decade of tech accountability in action

Over the last decade, Ranking Digital Rights has laid the bedrock for corporate accountability in the tech sector by demanding transparency from both Big Tech and Telco Giants.

RDR Series:
Red Card on Digital Rights

A story of control, censorship, and state surveillance during the FIFA World Cup in Qatar

Related Posts

Sign up for the RADAR

Subscribe to our newsletter to stay in touch!