Ball in Pelosi’s and Cantwell’s courts to decide if a national privacy law will end ‘creepy’ targeting; advertisers worrying?

Privacy Beat

Your weekly privacy news update.



“Redline” version of amended ADPPA bill HR 8152

Ball in Pelosi’s and Cantwell’s courts to decide if a national privacy law will end ‘creepy’ targeting; advertisers worrying?

Bipartisan, round-the-clock drafting work by congressional staffers has sent to the floor of the U.S. House — days before a summer recess — a privacy bill that could end opaque data sharing and ad targeting that has dominated the Internet for more than 25 years.

“I believe [that is] the way the legislative process should be,” said Nora Benavidez, a justice and civil-rights lawyer with advocacy group FreePress. “It should be staffers, experts, civil society, coming together to come up with something.”  Benavidez was interviewed by Justin Hendrix, of TechPolicy.Press.

She was talking about the American Data Privacy and Protection Act (ADPPA), H.R. 8152, approved 53-2 by the House Energy and Commerce Committee on July 20 and sent to the House floor. The 132-page bill was substantially amended throughout before the vote. (REVIEW RED-LINED VERSION) | READ KEY DEFINITIONS

Chart compares federal proposal vs. California law 

Three advocacy groups, the Electronic Privacy Information Center (EPIC), the Lawyers Committee for Civil Rights Under the Law and the Center for Democracy and Technology put together a 11-page chart showing key provisions of California compared with provisions of the bill now headed for a potential U.S. House floor vote. The Washington Post’s Christiano Lima summarized the three groups’ point of view — that the House bill is better for consumers than the CPRA.

The bill contains key definitions of terms like opting out of targeted advertising; covered, derived and sensitive data; service provider, third party, transfer and addresses questions about loyalty programs and pricing.

Advertisers oppose in unison

Seven advertising and ad-tech policy organizations jointly said they oppose the measure, which would appear to largely outlaw — absent explicit user consent — the practice of opaquely collecting and sharing browsing habits and demographics of users across the web. They said H.R. 8152 would “severely damage the U.S. consumer economy.”

The law defines, and somewhat restricts the use of “covered data” and outright prohibits sharing of “sensitive data.”  Before a website may show a user an ad targeted to an individual’s web behavior, the user must be given an unambiguous chance to refuse it. Since that is how almost all advertising on the web is now placed, it’s no surprise ad-tech companies are worried.

Publishers — key beneficiaries of “contextual” rather than data-driven advertising — have not commented, so far. Contextual advertising would be unaffected by the measure.

Writing at DigiDay, Marty Swank quoted Lartease Tiffith, evp of public policy at the Interactive Advertising Bureau, whose members include mostly tech and ad-tech companies and some advertisers, publishers and agencies.  “If you lose the ability to reach people based on what they’re interested in, you end up getting billboard ads.”

Advertisers aside, the more general consensus seems to be that the just-amended bill does more for consumer privacy — and particularly for marginalized groups — than laws already in effect in Europe, California and several states. A last-minute amendment would allow California regulators to become enforcers of the federal law as well as existing state law — but with some of the teeth removed from the state statutes and replaced by a more detailed federal law.

House Speaker Nancy Pelosi, D-Calif., has said she would not support “pre-emption” of California’s public-initiative privacy laws; she is likely now studying H.R. 8152 to decide if she will let it come to a full House vote this week. And the current language is not acceptable to attorneys general of 10 states including California.

If H.R. 8152 clears the House, it would move to the Senate, where Sen. Maria Cantwell, D-Wash., chairs the relevant committee to hear it. She has been distinctly negative about earlier congressional proposals that preempted state laws and limited the right of citizens to sue over privacy violations. But H.R. 8152 is designed to be a compromise on both points.

Other reactions

Among supporter of the bill’s current language are Common Cause, by Consumer Reports, the Lawyers Committee for Civil Rights Under the Law and the Future of Privacy Forum, which notes the bill’s civil-rights protections in particular. But the Electronic Frontier Foundation is opposing it, seeking additional changes on the House floor. The ACLU also wants changes.  One of the closest followers of data privacy is lawyer Justin Brookman, director of technology policy at Consumer Reports.  He says the bill would create “dramatic . . . robus” privacy protections for the public if it becomes law. (See QUOTE OF THE WEEK, below, for more of Brookman’s thoughts).

More reaction from ad-tech 

The Interactive Advertising Bureau (IAB), which says it cannot support the bill, warned that the legislation will create a less friendly online environment not just for advertisers and small businesses but for the average online user whose speed and convenience of online experience depend on data.

“By some estimates, the proposed legislation is more punitive than EU regulations, which harm investments,” said Lartease Tiffith, EVP of public policy for IAB. “In an effort to ‘rein in Big Tech,’ Congress is stumbling down the same path, despite the consequences to small businesses and a vital industry.”

Perhaps the best-informed reporting on the ADPPA status is coming from Joseph Duball of the International Association of Privacy Professionals (IAPP).  He quoted Rep. Jan Schakowsky, D-Ill.: “It’s been a lot of work bringing these stakeholders together. I know almost everyone can probably find something that they wished were different in the bill. On the other hand, I do think we have a Band-Aid for the American people who are just fed up with the lack of privacy online.”

FTC told to enable “Safe Harbor” entities? 

In one features of H.R. 8152 relevant to the Information Trust Exchange Governing Association (, the sponsor of this newsletter, the measure’s language would authorize the U.S. Federal Trade Commission to seek and sanction private entities that manage data-privacy compliance programs, a concept known as “Safe Harbor.” (See: “Brookings privacy expert sees ‘safe harbor’ as part of bipartisan measure; says ITEGA might ‘fill the bill, but may be premature” (Privacy Beat, May 28, 2021)



ITEGA’s mission: Trust, identity, privacy and information commerce.

ITEGA calls for support of ‘public option’ user privacy/identity ecosystem — led by journalism-aiding nonprofit

Learn More


Drummond Reed, above, technologist among those behind “Decentralized Identifiers”

Over Google, Mozilla objections, W3C recommends “decentralized identifiers” as user-centric alternative to phone, email, social media IDs

A technology aimed at shifting more control of identity away from tech platforms, telecoms and other web operators and in the hands of individuals was embraced as a new “standard” last week by the World Wide Web Consortium (W3C).  It’s called “Decentralized Identifiers (DIDs)” or a form of globally unambiguous identifier.

The idea is to use cryptography — math-based software that includes digital “keys” — to supplement or even replace phone numbers or email addresses as the default way a person is represented across the web. As a result, supporters say, a person’s identity becomes portable and not controlled by some central authority or company.

Most email and social-network addresses are not “owned” by individuals, the W3C said in a July 19 announcement about the DIDs status, while DIDs “can be controlled by the individuals or organizations that create them, are portable between service providers, and can last for as long as their controller wants to continue using them.”

“One of the root causes of phishing (fraud) attacks is that most electronic communications addresses today (caller IDs, SMS, email addresses) are not cryptographically verifiable,” DID co-developer Drummon Reed told the news site PortSwigger. “They are easy to spoof. By contrast, control of a DID is cryptographically verifiable — the sener of a message can prove they control the private key for the DID.”

W3C is an unincorporated consortium hosted by MIT and three other global institutions with about 450 corporate members who’s technologists work on standards to make the World Wide Web more open and trustworthy.  It decided to “recommend” DIDs as a standard over the objections of member organizations Mozilla and Google, Reed said.

That’s because there are at least 120 registered methods being tried to implementing DIDs, and no consensus on which will become most common, promoting interoperability. The DID Working Group within W3C decided the market should decide, promoting innovation.





Why data matters — what food retailer Kroger says in its annual report — third-party revenue on 60 million households

It’s isn’t just Google, Facebook, Apple, Amazon and ad-tech companies that realize the value of user data, as is evident in the annual report (10-K) of The Kroger Co., the giant, Cincinnati-based supermarket chain and affiliates.  Here’s an excerpt from the report, filed with the U.S. Securities and Exchange Commission and sent to shareholders, which describes Kroger’s marketing strategy, in part, as delivering “billions of personalized recommendations . . . . “

“We are evolving from a traditional food retailer into a more diverse, food first business. The traffic and data generated by our retail supermarket business, including pharmacies and fuel centers, is enabling this transformation. Kroger serves over 60 million households annually and because of our market leading rewards program, 96% of customer transactions are tethered to a Kroger loyalty card.

“Our 20 years of investment in data science capabilities is allowing us to leverage this data to create personalized experiences and value for our customers and is also enabling our fast-growing, high operating margin alternative profits, including data analytic services and third party media revenue.”

“. . . Data governance failures can adversely affect our reputation and business. Our business depends on our customers’ willingness to entrust us with their personal information.”




Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat






CR’s Brookman says “framework is great” on H.R. 8152; but with threat to targeting, he expects ad-tech reaction 

The following is an excerpt of remarks by Justin Brookman, an attorney and director of technology policy for Consumer Reports, the nonprofit product and service testing organization.  Brookman spoke to Justin Hendrix, of TechPolicy.Press, in a podcast that included Nora Benavidez, of They were discussing provisions of H.R. 8152, the American Data Privacy and Protection Act (ADPPA) as referred to the full House of Representatives on June 20 (see lead blog item, above).  A longer excerpt may be found HERE. 

“Yeah. I mean, I feel like 70% of privacy bills all kind of look the same, right? They have access rights, and deletion rights, and maybe correction rights. And this has correction rights. They have data security obligations. The trickiest thing is what the law does around secondary use, right? Primary use, we kind of get. I go to Amazon, I buy stuff and they process it and they charge my credit card and they give my information to FedEx, bring it to me. And that’s all directly in service of what I ask for. And that’s fine . . . . .

“It’s all of the other stuff, like the sharing data with data brokers, or for targeted advertising that like the law really needs to get to. And there’s usually three basic ways you can deal with that. You can ban it . . . You can say, this is super illegal. You can require opt-in consent for it. You have to… Someone has to click okay for them to do the extra stuff, or you can have opt-out rights. And like, you can go out of your way to say no, don’t do that. And they all have their flaws, I think . . . .

“But overall, that framework is great. I think the conversation has evolved beyond what we call notice and choice. Like people having to make informed decisions all time. No one wants to make privacy decisions all the time. They just want it to work, and to trust that it works. And I think that this bill was written with that in mind.than we’ve seen in Europe. That’s stronger, certainly, than we’ve seen at the state level . . . .

Consensus on ending targeted advertising?

“This market had been five, 10 years ago, there would’ve been concern about ‘targeted advertising, is the life blood of the internet, and we need our targeted ads.’ . . . But no one’s saying that anymore. There does seem to be the bipartisan agreement that people don’t don’t want their data collected and shared and sold all the time. And that privacy rules really should reign that in. And we shouldn’t buy these arguments that you’re not going to get free content anymore, unless you’re allowed… [unless] we allow hundreds of companies to watch everything we do. That bargain is no longer on the table. So I was really surprised by how little disagreement there was, on the actual substance of the bill . . . .

Expected reaction from ad-tech industry . . .

“They’re going to do everything they can to try to find ways to track, to try to find loopholes. We saw this with the CCPA, the California law that allowed people to opt-out of selling their data.


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2022 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp