The following is a guest post by Hugo Loriot, partner at data company fifty-five. Opinions are the author’s own.
In late June, the Energy and Commerce Committee formally introduced the American Data Privacy and Protection Act (ADPPA) to the U.S. House, marking a major step forward for congressional data privacy negotiations. The bipartisan bill aims to create a comprehensive national data privacy framework, focusing on a robust set of consumer privacy rights, and serves as the U.S. equivalent to the GDPR, a European law on data protection and privacy that has served as the gold standard for privacy compliance. While there are still concerns surrounding whether the bill will pass and the ADPPA’s provisions on “sensitive covered data” — specifically information related to health care treatment and biometric data that have arisen in light of the Supreme Court’s overturning of Roe v. Wade — the introduction of the bill to the legislative arm of the U.S. government should tell marketers one thing: national privacy regulations are coming — and now is the time to get prepared.
The ADPPA will regulate what are known as “covered entities,” which are most organizations that collect, process or transfer “covered data.” Covered data is information that identifies or is linked to an individual, or to a device that identifies or is linked to an individual, and may include derived data and unique identifiers. This means that, unlike other U.S. privacy regulations such as the California Consumer Privacy Act, the ADPPA applies to nonprofits and small businesses. Under the ADPPA, these entities would be required to establish and maintain practices to protect such covered data against unauthorized access and acquisition, an idea known as privacy by design. All privacy policies must be made public, and ADPPA-covered entities would be prevented from denying a service or product based on an individual’s refusal to waive their privacy rights.
For consumers, this means greater control over their data. Americans will have the right to access their personal data collected by ADPPA-covered entities, restrict certain uses of their data and even have the data deleted, with ADPPA-covered entities given somewhere between 30 and 60 days to comply with the consumer’s request. For marketers, the path forward is still complex and will require them to take stock of their current processes, and perhaps even invest in privacy-centric technology. The biggest benefit the ADPPA offers marketers is wide-sweeping consistency and predictability in privacy compliance across the U.S.
Setting up privacy by design
Privacy regulations aren’t new; their focus is just shifting from obtaining consent from the end user before dropping a cookie to embracing a privacy-forward cookie-less model. This means most organizations already have a broad definition of what personal data is and how they track it with privacy in mind. Many marketers have ditched their Data Management Platforms (DMPs) for Consent Management Platforms (CMPs) to categorize cookies and block retargeting vendors upon request. Analytics tools like Google Analytics 4 (GA4) and Google Tag Manager (GTM) have privacy-centric solutions such as Consent Mode, which makes it easier to block specific data collection and activation features across Google products while still providing marketers with analytics through the use of anonymous AI modeling.
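To make the consent-gating mechanism concrete, here is an added example that is not code from the original post or from Google. It models the gtag() command-queue pattern Consent Mode uses: consent defaults to denied, the CMP later sends an update, and each tag fires only if its consent type is granted. The consent types ad_storage and analytics_storage are Consent Mode's own names; the tag names and the CMP callback are hypothetical.

```javascript
// Added example, not code from the original post or from Google. It models the
// gtag() command-queue pattern Consent Mode uses: consent defaults to denied,
// the CMP later sends an update, and each tag fires only if its consent type is
// granted. The consent types ad_storage / analytics_storage are Consent Mode's
// own names; the tag names and the CMP callback below are hypothetical.

const dataLayer = [];                                 // stand-in for window.dataLayer
function gtag() { dataLayer.push(Array.from(arguments)); }

// Privacy-by-design default: store nothing until the user has decided.
gtag('consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' });

// Fold the queued consent commands (default, then any updates) into the
// effective consent state.
function consentState(layer = dataLayer) {
  const state = {};
  for (const [cmd, action, params] of layer) {
    if (cmd === 'consent' && (action === 'default' || action === 'update')) {
      Object.assign(state, params);
    }
  }
  return state;
}

// Hypothetical tag registry: which consent type each tag depends on.
const TAG_REQUIREMENTS = {
  ga4_pageview: 'analytics_storage',
  ads_remarketing: 'ad_storage',
};

// A tag may fire only when its consent type is explicitly 'granted';
// an unknown or missing state is treated as denied.
function canFire(tagName, layer = dataLayer) {
  const required = TAG_REQUIREMENTS[tagName];
  if (!required) throw new Error(`unregistered tag: ${tagName}`);
  return consentState(layer)[required] === 'granted';
}

// Hypothetical CMP callback: translate the user's choice into a consent update.
function onCmpChoice(choice) {
  gtag('consent', 'update', {
    analytics_storage: choice.analytics ? 'granted' : 'denied',
    ad_storage: choice.ads ? 'granted' : 'denied',
  });
}
```

The point of the fold is that the default command is issued before any tag loads, so a tag that checks `canFire` before the CMP has answered is blocked rather than silently allowed; the cookieless pings and modeling the post mentions happen on Google's side and are not represented here.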
Complying with ADPPA is complex, but feasible. To be able to allow users to access and request deletion of their data, organizations need to know where the personal data is, and with the proliferation of cloud technology, CMPs, CRMs and data lakes, it is difficult to keep an up-to-date record of personal data. The truth is that data is typically scattered across an organization’s systems — making that data almost impossible to delete once shared with third parties. In order to remain compliant with ADPPA, marketers can use Consent Management Platforms (CMPs) such as OneTrust to automate data deletion requests through a data subject access request (DSAR) workflow. Additionally, GA4’s data deletion API technically does what is needed to delete data from the Google platform, assuming a U.S. citizen knows what their Google Advertising ID is.
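The workflow described above (know where the personal data is, then act on a deletion request within the 30 to 60 day window) is sketched here as an added example; it is not code from the original post or from any CMP vendor. The systems, field names and sample records are constructed; only the response window comes from the post.

```javascript
// Added example, not code from the original post or from any CMP vendor. It
// shows the shape of a DSAR deletion workflow driven by a data inventory: locate
// every record linkable to the requester, purge the stores the organization
// controls, and record third-party recipients that can only be notified. The
// systems, field names and sample records are constructed; only the 30-60 day
// response window comes from the post.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed inventory. `controlled` stores can be purged directly; data already
// shared with a third party can only be the subject of a deletion notice.
function makeInventory() {
  return [
    { system: 'crm', controlled: true, records: [
      { email: 'ann@example.com', name: 'Ann' },
      { email: 'bob@example.com', name: 'Bob' },
    ] },
    { system: 'analytics', controlled: true, records: [
      { client_id: 'cid-123', email: 'ann@example.com', pageviews: 42 },
    ] },
    { system: 'ads-vendor', controlled: false, records: [
      { email: 'ann@example.com', segment: 'loyal' },
    ] },
  ];
}

// A record is linkable to the requester if any identifier the requester supplied
// (email, client_id, ...) matches the same field on the record. A requester who
// only knows their email is still matched in the analytics store via the email
// column kept there; one who only knows their client_id matches analytics alone.
function isLinkable(record, subject) {
  return Object.entries(subject).some(([field, value]) => record[field] === value);
}

function locateRecords(subject, inventory) {
  return inventory
    .map(sys => ({ system: sys.system, controlled: sys.controlled,
                   matches: sys.records.filter(r => isLinkable(r, subject)) }))
    .filter(hit => hit.matches.length > 0);
}

// Turn a request into a plan: what to purge, whom to notify, and by when.
function planDeletion(request, inventory) {
  const hits = locateRecords(request.subject, inventory);
  const received = request.received.getTime();
  return {
    deadline: new Date(received + 30 * DAY_MS),      // target response
    hardDeadline: new Date(received + 60 * DAY_MS),  // outer limit
    purge: hits.filter(h => h.controlled).map(h => ({ system: h.system, count: h.matches.length })),
    notify: hits.filter(h => !h.controlled).map(h => h.system),
  };
}

// Execute the plan against controlled stores, then re-run discovery to verify
// nothing linkable remains. Third-party notifications stay outstanding.
function executeDeletion(request, inventory) {
  const plan = planDeletion(request, inventory);
  for (const sys of inventory) {
    if (sys.controlled) sys.records = sys.records.filter(r => !isLinkable(r, request.subject));
  }
  const residual = locateRecords(request.subject, inventory).filter(h => h.controlled);
  return { plan, residual: residual.map(h => h.system), outstanding: plan.notify };
}
```

Two design choices carry the post's point. Discovery matches on any identifier the requester can supply, so a store keyed on an advertising or client ID is still reachable when the store also holds an email, and is otherwise reported as unmatched rather than assumed deleted. Third-party recipients are never marked done by the purge step; they remain in `outstanding` until the notice has actually been sent and acknowledged.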
There is also a strong push from organizations like Google and Facebook for marketers to go server-side with their data management — a privacy workaround already approved in Europe for compliance with GDPR. Going server-side sends an organization’s data collected by Google or Facebook to their servers for processing. This process gives marketers more control over data, but the implementation is more complex and may require working closely with the IT department. As privacy and data regulations mature in the U.S., marketers may consider working closely with the technology leaders within their organizations to collaborate on privacy-centric tracking processes and decide what data is most important to the organization.
If the ADPPA is signed into law, marketers should welcome the new federal guidelines as they will put an end to compliance uncertainty and allow marketers to focus on U.S. privacy policies. For now, of all the privacy regulations currently in effect, the GDPR is the most conservative approach to data privacy, and many savvy organizations already have data deletion request processes in the works even if doing so isn’t mandated yet. As Congress deliberates, marketers should take a maximalist approach by making themselves GDPR-compliant. Doing so will ensure marketers future-proof themselves ahead of the passing of new privacy regulations in the U.S.