The American Privacy Rights Act (APRA) is proposed legislation to protect Americans’ online privacy; it is currently a “discussion draft” that is being advanced toward becoming federal law.
Parts of the bill appear to mirror the EU’s GDPR – arguably the most comprehensive regulation – in order to fill gaps in previous US legislation, while also providing protection higher than the state level and keeping up with the evolving nature of technologies.
What is APRA?
Some key aspects of the APRA legislation are:
- Private right of action: Individuals will have the right to sue bad actors that don’t comply.
- Right to prevent the transfer and sale of their data.
- Right for their data to be deleted, similar to GDPR’s “the right to be forgotten”.
- Right to opt out of targeted advertising.
Read Tech Radar’s comprehensive overview of the unfolding news.
🚨 NEWS: @HouseCommerce Chair @CathyMcMorris and @CommerceDems Chair @SenatorCantwell are leading on bipartisan legislation to create a national data privacy and security standard. #APRA
Read how the bill gives YOU the right to control your personal data ⬇️ pic.twitter.com/0O5Mz7qJ46
— Energy and Commerce Committee (@HouseCommerce) April 7, 2024
While this will be a nationwide legislation, some aspects of consumer data will continue to vary from state to state. According to Tech Radar, these include “specifically targeted issues like civil rights, consumer protection, health, and financial data”.
What APRA Means for Marketers
Having worked towards GDPR compliance first-hand, I know that preparing for a stronger regulation takes a cross-functional effort in collaboration with CISO/IT teams.
- Annual reviews of algorithms: While this is currently mandated in the US, the number of algorithms that organizations are implementing is increasing. One would assume that Salesforce conducts strict reviews of the algorithms that their “Einstein” product offerings use. However, there’s still the risk that others in your organization are using algorithms in the shadows that could unintentionally introduce bias and toxicity in their results – especially if the algorithm is working with a subset of data. This could lead to discrimination when profiling/segmenting audiences. It’s important to know who in your organization is leveraging algorithms, when, and how (on which data set).
- Stronger data security standards: Mitigate vulnerabilities wherever data is stored or transferred through integrations. Keeping data on a select few platforms, like Salesforce, means your organization has less to monitor in terms of security standards. Restricting the privilege to export data to as few users as possible is a good option here.
- CDPs (customer data platforms): Matching (reconciliation) of individuals’ data from disparate sources should be monitored to ensure that the match rules are functioning correctly (i.e. are not too loose), so that one person’s data is not unintentionally merged with a similar individual’s.
- Activation to advertising audiences: When segments are generated and are ready to be sent to advertising platforms, ensure that they exclude individuals who have opted out of targeted advertising. Highly targeted, ‘creepy’ advertising should also be avoided, to show that you are not over-profiling individuals.
- Data deletion: Have in place a mechanism to collect, and steps to fulfill, data deletion requests in a timely manner. This involves maintaining one’s tech stack and process to ensure that a request actioned in one place is carried through any other repositories of data. For example, if a contact record is deleted in one place, is it deleted everywhere else?
- Gaining and recording consent: Explicit consent means that the individual acknowledges they are giving permission for their data to be used in a certain way. For example, when subscribing to a brand, it should be clear that they will only receive emails for that particular brand. Cross-pollinating lists of individuals has to stop unless the terms are clear to the individual (in plain language, not legal jargon) and they actively opt in, for example by checking a box. How and when your organization gained that consent should be time-stamped on their record.
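To make the last three points concrete, here is an added example (my own illustration, not code from the original post or from any vendor) of a small in-memory model of a marketing stack. It keeps a copy of each contact in three constructed repositories (a CRM, a CDP and an email platform), stores brand-scoped consent with a UTC timestamp and its source, builds an advertising audience that drops anyone who has opted out of targeted ads, and shows how a deletion that is only actioned in the CRM leaves residual copies that an audit step can report. All platform names, record layouts and sample contacts are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentRecord:
    """One consent decision. Consent is scoped to a brand and a purpose."""
    brand: str        # which brand the consent applies to (constructed names)
    purpose: str      # "email" or "targeted_ads"
    granted: bool     # True = opted in, False = opted out
    source: str       # where the decision was captured, e.g. "web_signup"
    timestamp: str    # ISO-8601 UTC time the decision was recorded


@dataclass
class Contact:
    contact_id: str
    email: str
    consents: list = field(default_factory=list)

    def record_consent(self, brand, purpose, granted, source, when=None):
        """Append a time-stamped consent decision; later decisions supersede earlier ones."""
        when = when or datetime.now(timezone.utc)
        self.consents.append(ConsentRecord(brand, purpose, granted, source, when.isoformat()))

    def allows(self, brand, purpose):
        """Latest decision for this brand/purpose wins; with no decision, default to no consent."""
        decisions = [c for c in self.consents if c.brand == brand and c.purpose == purpose]
        return decisions[-1].granted if decisions else False


class MarketingStack:
    """Constructed stack: each platform keeps its own copy of a contact record."""

    def __init__(self):
        self.repos = {"crm": {}, "cdp": {}, "email_platform": {}}

    def upsert(self, contact):
        for repo in self.repos.values():
            repo[contact.contact_id] = contact

    def build_ad_audience(self, brand, candidate_ids):
        """Return only candidates present in the CDP who have not opted out of targeted ads."""
        cdp = self.repos["cdp"]
        return [cid for cid in candidate_ids
                if cid in cdp and cdp[cid].allows(brand, "targeted_ads")]

    def delete_contact(self, contact_id, propagate=True):
        """Honour a deletion request. With propagate=False only the CRM is updated,
        which models the failure mode of a request actioned in one place only."""
        self.repos["crm"].pop(contact_id, None)
        if propagate:
            for name, repo in self.repos.items():
                if name != "crm":
                    repo.pop(contact_id, None)

    def residual_copies(self, contact_id):
        """Audit step: which repositories still hold this contact?"""
        return sorted(name for name, repo in self.repos.items() if contact_id in repo)


def demo():
    """Run the scenario and return the observations so they can be checked."""
    stack = MarketingStack()
    alice = Contact("c1", "alice@example.com")      # constructed sample contact
    alice.record_consent("BrandA", "email", True, "web_signup")
    alice.record_consent("BrandA", "targeted_ads", True, "web_signup")
    bob = Contact("c2", "bob@example.com")          # constructed sample contact
    bob.record_consent("BrandA", "targeted_ads", True, "web_signup")
    bob.record_consent("BrandA", "targeted_ads", False, "preference_center")  # later opt-out
    stack.upsert(alice)
    stack.upsert(bob)

    results = {
        # Bob opted out, c3 is unknown: only Alice may be activated.
        "audience": stack.build_ad_audience("BrandA", ["c1", "c2", "c3"]),
        # Consent for BrandA does not cross-pollinate to BrandB.
        "alice_brandb_email": alice.allows("BrandB", "email"),
    }
    stack.delete_contact("c2", propagate=False)
    results["after_crm_only_delete"] = stack.residual_copies("c2")
    stack.delete_contact("c2")
    results["after_propagated_delete"] = stack.residual_copies("c2")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `residual_copies` check is the part worth carrying into a real environment: after every deletion request, query each platform for the identifier and treat any hit as a defect in the propagation process rather than as an edge case.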
Summary
While I’m no expert on US legislation, the steps to follow make sense – one just needs to keep conscious of one’s data and how it flows through the tech stack. Having data and technology run away from your control is generally a bad place to be. Get familiar with aspects of your marketing operations so you are literate in your data, AI usage, and consent management.
I hope that the news of the draft APRA serves as a good reminder to treat individuals’ data correctly. This is not an exhaustive list, but the way technology has advanced since the introduction of GDPR (European Union) in 2018 has presented a number of additional considerations. Marketers who work with their CISO/IT counterparts will be able to sleep more easily at night.
Finally, I’m interested to hear your thoughts. Others have labeled APRA a ‘historical’ legislation that will work as effectively as GDPR in protecting consumer data – do you agree?