
The American Privacy Rights Act – a free pass for Big Tech? 

Introduction

The House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (‘APRA’). The APRA Bill is intended to loosely reflect principles of the General Data Protection Regulation (‘GDPR’). Currently there are fifteen US state privacy laws, adopting what is known as a ‘patchwork’ approach. Fourteen of these US state privacy laws follow a model that was initially drafted by industry giants.

Analysis of this Federal Bill shows that it also includes several exemptions that would exempt major tech companies from many of its provisions. Big City Tech giants, such as Google, gather vast quantities of personal data and build personal profiles of people. They use first-party cookies to do this, which are no different from third-party cookies. However, the Bill would outlaw their third-party competitors that use third-party cookies, while providing exemptions for the Big City Tech first-party cookies. This creates a counterintuitive, bizarre situation where the proposed Bill will favour Big City Tech and restrict Small Town Tech.

This is in line with a continuing effort by Big Tech to try to use “privacy” as a disguise for their anticompetitive conduct. Despite these companies’ messaging, privacy and competition have no such tension. The key point is that privacy regulation should be drafted to ensure that major tech platforms must also comply, ensuring that they do not get an exemption that allows them to continue their Personal Data collection and processing while restricting smaller competitors from working with supply chain partners using less risky, interoperable data. 

What data is protected? 

Under the APRA, ‘covered’ data is defined as data that “identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals.” (S2.9). This is very similar to the definition of Personal Data under the GDPR (Article 4(1)). APRA also provides requirements for ‘sensitive covered data’, which includes data relating to health, precise geolocation or data about minors.

What entities are covered? 

The APRA would apply to “covered entities” defined as “any entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data.” Again, this is very similar to the wording in the GDPR (Article 4(7), 4(8)). Covered entities include entities subject to FTC jurisdiction under the FTC Act, “common carriers” as defined by the Communications Act of 1934, and nonprofits. Just like “data processors” under the GDPR, the APRA also imposes obligations on “service providers” that perform functions on behalf of covered entities and “third parties” that receive covered data from any entity, except those that are service providers with respect to that covered data.

What privacy rights? 

Sections 5 and 6 offer a series of privacy rights. These include, for instance, the right to access the individual’s covered data and receive information about covered data transfers; the right to correct the individual’s covered data that is incorrect or incomplete; the right to portability of the individual’s covered data held by the covered entity; and the right to opt out of the use of the individual’s covered data for targeted advertising.

The unequal application of obligations to covered entities. 

APRA identifies several exemptions from obligations which benefit several Big Tech players over smaller rivals. Here are four of the most notable: 

  1. Search engines (like Google) will be exempted from targeted advertising obligations because they ‘provide advertising or marketing content to an individual in response to the individual’s specific request for information or feedback.’ (section 2.39.B.i).

     More than 80% of Alphabet’s (Google’s parent company) revenue comes from Google Ads, much of which comes from Google Search (Google’s own search engine). The caveat will neatly protect Google by ensuring that its ad revenues will not suffer too greatly from the potential passage of APRA.

  2. Google’s Privacy Sandbox proposal, which intends to remove support for rivals’ third-party cookies and only allow first-party cookies, will mean that Google will be exempt from certain obligations about processing covered data (see 2.39b(ii)). Advertising rivals that use third-party cookies will nevertheless have to comply. The unequal application of the obligations is inconsistent given that both Google and its rivals will use covered data.
  3. Google will be exempted from being considered a ‘data broker’ and will therefore also be exempted from one-click opt outs (see 2.13.A).
  4. Individuals will have the right to opt out only of transfers of covered data to third parties (S6.A.1) and opt out of targeted advertising only by third parties (S.6.A.2). This will strengthen the market position of Google and other major tech players, as they are first parties, while considerably weakening the ability of third parties (their rivals) to help smaller publishers compete against such large platforms’ own online advertising.

Privacy and competition – why pit them against each other?  

Privacy and security have been used by many tech platforms to consolidate, strengthen, and expand their market share. The draft APRA is no exception. For instance, Google’s proposed Privacy Sandbox, by which it intends to degrade support for rivals’ cookies and only allow first-party cookies, is being justified by enhanced privacy protections for end-users. The key problem with this logic is that Personal Data (which is the higher risk privacy-infringing data) can be stored in both first and third-party cookies, as can non-personal data. Whether the cookie comes from a first party (Google) or a third party (an advertising rival) does not bear on the nature of the data stored in that cookie. 

Similarly, Apple has implemented its App Tracking Transparency (‘ATT’) to stop rival businesses from tracking end-users’ activity across other companies’ apps. Again, this is done under the guise of privacy, even though there is no ‘Decline’ option for Apple to stop tracking activity. 

The APRA Bill falls completely in line with this strategy, except this time the Big Tech companies have done this through regulators as opposed to doing it themselves. Nevertheless, the key point remains – false definitions of “privacy” should not be used to legitimise the Personal Data mining practices of Big Tech while restricting rivals’ use of safer interoperable data.