Federal Privacy Legislation Should Create a Gateway for Industry Self-Regulation
Apr 5, 2023 by Divya Sridhar, Ph.D., Director, Privacy Initiatives, BBB National Programs
In my last blog, I covered takeaways from TikTok CEO Shou Chew’s March 24th testimony at the U.S. House Energy & Commerce Committee “How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms” hearing. That hearing further emphasized the need for a comprehensive federal data privacy law, as well as a better understanding of existing industry practices and protections for children and minors, as required under COPPA.
While coverage of Chew’s testimony focused on the atmospherics surrounding the strong feelings regarding TikTok, it is important to view the hearing not as an isolated incident but as part of a broader federal exercise to review the impact of industry data privacy practices and potential harms for consumers. Indeed, it was just one additional data point in the series of inquiries, hearings, and policy proposals that Congress has undertaken over the last decade to develop a robust framework to further standardize the best practices that will govern the use of consumer privacy data.
For example, last year, bipartisan bicameral federal privacy legislation moved through the House farther than ever before in a decade, producing a palpable policy solution for the U.S. to consider. And this year, there have already been three hearings in the House on the need for federal consumer privacy legislation.
There appears to be momentum in discussing the need for a uniform standard for data processors and controllers across the United States and in building a harmonized framework to support and enhance consumer protections while ensuring a clear set of rules of the road for businesses of all sizes.
Recent Comprehensive Privacy Proposal: the American Data Privacy and Protection Act (H.R. 8152)
At present, the United States lacks a federal privacy law – lagging behind 125+ other countries in the world that have existing national laws that provide consumers with enhanced protections for sensitive data and ensure that children and our most vulnerable communities receive more robust protections. The United States must keep up with its developed and developing world allies if it wants to be seen as an equal and trustworthy partner as well as a dynamic global trade and economic competitor.
To that end, last fall, Congress advanced a draft of federal privacy legislation - H.R. 8152, the American Data Privacy and Protection Act (ADPPA). This is a comprehensive framework that may be a viable blueprint for legislation that could potentially be introduced in the 118th Congress.
Where ADPPA May Fall Short
ADPPA moves the nation a step in the right direction, creating a workable framework demonstrating transparency, choice, and strengthened protections across the data privacy ecosystem.
But there remain additional considerations that still need to be addressed to motivate both industry and consumers to come to the table on a practical approach:
1. Practices impacting the processing of sensitive children’s data should be sharpened.
ADPPA appropriately defined “sensitive covered data” to include children’s data as an important element that requires heightened protections. That bill also created Section 205, which establishes an array of robust action steps and plans to strengthen data protection for children and minors.
To avoid unintended consequences, the anticipated new federal privacy legislation may want to revise ADPPA to permit additional consideration in the following critical areas:
Align Federal Privacy Provisions to COPPA and Bolster Existing Protections to Strengthen COPPA: ADPPA Section 406 acknowledges that COPPA would remain intact, yet also leaves wiggle room for future regulations to be promulgated should ADPPA pass. As part of any rule changes to COPPA, there are a few areas where protections for minors could be strengthened:
- Revising the definition of “website or online service directed to children” to require operators to obtain and analyze demographics on audience composition to ensure COPPA protections are provided to children.
- Revising the definition of personal information to include biometrics.
- Given that these considerations require revisions to COPPA, ADPPA Section 406 – which leaves room for future regulations to be promulgated – would benefit from additional study involving a broad range of stakeholders to determine the most appropriate framework to uphold protections for minors and children.
Consider Common Sense AdTech Protections for Minors: ADPPA Section 205 (data protections for children and minors) establishes an explicit prohibition on all targeted advertising to children and minors if the entity has knowledge that the individual is a minor.
- ADPPA would benefit from additional nuance to align to (or potentially strengthen existing protections in) the Children’s Online Privacy Protection Act (COPPA). The language could be revised to require commonsense protections for children that ensure targeted ads and tracking are prohibited “beyond what is necessary to fulfill functions of the online service”.
- In addition to revisiting this provision in ADPPA, there are additional opportunities to tighten and modernize the definition of “support for internal operations” and similar language to prevent targeted advertising and tracking under the guise of internal operations.
Simplify to Avoid Untested Obligations on Minors: ADPPA revises the definition of “knowledge” in Section 2 and creates a series of untested obligations for large data holders and social media companies – based on their data processing scope – through a potential tiered, constructive knowledge or similar framework.
A simplified framework for all operators would limit the unnecessary, additional collection of data required to verify the age of children and minors, which is the unintended consequence of a constructive knowledge standard.
2. ADPPA should permit the continuance of a free and open internet that supports consumer choice and autonomy.
ADPPA as drafted last Congress remained vague regarding the treatment and delivery of ads, processes that need to be further clarified. ADPPA defined sensitive data to include information identifying an individual’s online activities over time and across third-party websites, which would require consumers to opt in to the collection of these data elements. At the same time, ADPPA contained a blanket statement about an opt-out of targeted advertising.
The definition of targeted advertising needs to be further sharpened to reflect the nuances between targeted advertising and contextual advertising. The legislation should more directly permit the continuance of a safe and robust advertising ecosystem that ensures consumers have the right to opt out of targeted advertising – as currently written into state laws – and allow for the continuance of the free and open internet. Otherwise, the cost to support an ad-free ecosystem will ultimately fall on consumers, which will exacerbate the existing digital equity gaps grounded in socioeconomic status. This provision is especially beneficial for the small- and medium-sized businesses that are the backbone of the U.S. economy.
3. ADPPA should simplify and streamline the process for self-regulatory programs.
ADPPA as drafted would require the FTC to promulgate regulations that establish a process for the proposal and approval of “technical compliance programs” – credible self-regulatory programs provided by independent entities that are used by a covered entity (essentially companies covered under the law) to assess that its practices comply with the federal law. These programs would establish guidelines for industry compliance that meet or exceed requirements in the Act. The FTC is to develop the proposal within 180 days of the law’s enactment. Companies participating in this program are assessed by the technical compliance program for a specific technology, product, or service, and the companies would individually apply to the FTC for approval of one or more sets of compliance guidelines.
To streamline and expedite the review, an updated ADPPA should consider: 1) permitting programmatic compliance programs, as opposed to product-level programs – which will serve to greatly streamline the review of industry data privacy practices, and 2) permitting the compliance assessors to submit the compliance programs on behalf of individual companies.
Industry Self-Regulation as a Critical Supplement to Federal Regulation
With the previously noted revisions, ADPPA would serve well as the comprehensive law of the land on data privacy, but its passage does not eliminate the need for self-regulatory programs, the “soft law” mechanisms that use industry guidelines, codes of conduct, standards, and other best practices to level the playing field for business and improve everyday life without being codified into binding law.
Successful self-regulatory programs have earned the respect of government regulators because they help achieve policy goals by providing companies with early accountability to take steps to be prepared for compliance. They provide vigilance, with independent accountability agents conducting proactive inquiries into the practices of companies that may require constructive feedback and support regarding their data privacy and advertising practices – and would be a beneficial supplement to the FTC, as it works to build up its full capacity to enforce a comprehensive federal privacy law.
For example, BBB National Programs’ Digital Advertising Accountability Program, Children’s Advertising Review Unit COPPA Safe Harbor Program, and the latest CPRA verification program are all examples of privacy self-regulation programs that help companies comply with various federal and state privacy laws. To date, self-regulatory programs are already grounded in many of the principles and provisions in ADPPA. The COPPA Safe Harbor Program guidelines are grounded in strengthened protections for children and minors. This makes self-regulatory programs viable candidates to strengthen compliance and enforcement.
Independent industry self-regulation programs provide a harmonized, transparent accountability framework for businesses to uphold robust consumer protections, uphold consumer rights, mitigate bias and risk, and support enforcement (ADPPA’s titles I–IV, i.e., the duty of loyalty and care, consumer rights, corporate accountability, and enforcement sections). They also reinforce and strengthen opportunities for enforcement in title IV, providing companies with proactive approaches to compliance with the law. Self-regulatory programs can provide companies with early accountability to take steps to be prepared for compliance. Further, self-regulatory bodies are here to provide vigilance while the FTC works to build up its full capacity to enforce the law.
Self-regulatory programs also provide proactive safe harbors and accountability mechanisms aligned to COPPA and other sectoral laws, to provide industry with peace of mind that it is complying and upholding best practices. Such programs further encourage accountability agents conducting proactive inquiries into the practices of companies that may require constructive feedback and support regarding their data privacy and advertising practices.
Self-regulation is fundamental to the broader data privacy ecosystem. Self-regulatory programs aren’t a replacement but a good adjunct to support the FTC and other agencies that are subject to limited scope, resources, and capacity to regulate the privacy environment.
Additional opportunities to benchmark and ensure compliance for the industry will produce important gains for consumers and continue to ensure a fiscally responsible use of taxpayer dollars.