In the United States, state-level consent laws vary in requirements for opt-ins and opt-outs, or rights for erasure. In July of 2022, the Committee on Energy and Commerce approved a proposed bill that would have regulated the use of consumer data at the federal level – a la GDPR in Europe. Unfortunately, that bill did not advance to Congress, but it is still viewed as the path forward for federal privacy regulation.
The American Data Privacy Protection Act (ADPPA) is a promising bill that regulates – at the federal level – how personal information and data can be collected, processed, and stored by organizations. Notably, this bill has actual bipartisan support – something that is extremely rare in today’s political climate. This consensus speaks volumes to the importance of and need for such regulations – and provides an opportunity for companies to build trusted relationships with their customers and even use it as a source of differentiation.
In a recent consumer privacy survey by Cisco, 46% of respondents felt they couldn’t effectively protect their data today and 76% blamed it on the fact that it’s too hard for them to understand what’s going on and how their information is being used. As consumer privacy attitudes change, the demand for federal regulation over private companies and use of data will continue to pick up steam.
How does ADPPA compare to GDPR and CPPA?
The General Data Protection Regulation(GDPR) is a data privacy and security act that went into effect in the EU on May 25, 2018. Similar to ADPPA, it governs how personal data is collected and processed. It also regulates how data is to be erased as it includes the “right to be forgotten,” meaning individuals have the right to ask for their personal data to be deleted from an organization’s systems.
The California Consumer Privacy Act (CCPA), which went into effect in January 2020, granted California residents the right to know what data is being collected about them and how it is shared, the right to delete their information, and the right to opt-out of the sale of their personal information. Additionally, CCPA dictates that businesses cannot retaliate against those who opt out of sharing their information, granting consumers the “right to non-discrimination.”
The American Data Privacy and Protection Act (ADPPA) imposes stricter limits on targeted advertising and related data collection by completely prohibiting ads targeting minors and ads targeting “sensitive information,” including data pertaining to a person’s health, precise geo-location, and communications held in private. A major sticking point of the original bill is the pre-emption of state laws. If ADPPA were passed in its original form, it would have weakened stricter legislation enacted at the state level, such as CCPA. The bill is currently under revision with the Committee on Energy and Commerce.
How will ADPPA impact marketers?
We knew this was coming. With a lack of regulation at the federal level, the advertising industry has enjoyed and taken advantage of unfettered access to and use of personal data over the last two decades, often without consequence. Consumer confidence has taken a major hit over the last few years as innumerable data breaches have put them - and company reputations - at risk. Meta, for example, faced significant backlash when they were discovered collecting data from the Free Application for Federal Student Aid (FAFSA) website.
If passed, the ADPPA will require “affirmative express consent” (also known as “explicit consent”) and the minimization of data being collected to include only what is necessary. It’s yet another indication that the days of relying on third-party data to reach and engage your target audience are coming to an end. Due to data deprecation, collecting, unifying, and activating consented first-party data will become an essential element to any successful marketing campaign.
Marketers will need to review current processes and systems to ensure compliance with ADPPA if/when it goes into effect. Investing in technology that ensures compliance with privacy regulations will help relieve some of the burden, but marketers will need to remain vigilant and well informed on any regulatory changes.
What can you do to mitigate risk when it comes to consent and privacy?
BlueConic has always taken a privacy-first approach to data collection and storage and that will never change. Our platform facilitates compliance with all current data regulations, and we are poised to quickly adjust to any new laws or regulations. Even if ADPPA never comes to pass, marketers should prioritize consent to build relationships.
Collect consent in profiles. Consent management tied to profiles can be federated across your entire martech stack. For example, send segments of those who have consented to advertising directly to your ad platforms like Facebook, Google, and Amazon. Furthermore, a one-time set up of segments will continually reflect the most recent consent status for every individual.
Manage objectives based on geography. Consent management doesn’t have to be an all-or-nothing approach. With the right level of granular controls, you can ask individuals for explicit opt-ins or opt-outs based on what’s required by law.
Work closely with your legal or risk team. Building relationships with your security and risk team is a must. While marketers focus on the front-end experience, security and risk or data governance teams can help ensure the right process and protocols are being followed.
Stop collecting data for the sake of collecting data. Just because you can collect certain first-party data, doesn’t mean you should. As a marketer, or any team member responsible for customer engagement, your priority is to build relationships with customers. You can’t do that if customers don’t understand how and where you use their data. Providing transparency is one step. Next, evaluate what data you are actually using to drive experiences or insights, and attach every data point to a purpose.
Learn more about privacy and consent management for marketing with BlueConic. Request a demo today.