Rulemaking in privacy legislation can help dial in ad regulation

In the debate over federal privacy legislation, advertising and marketing loom large. Social psychologist Shoshana Zuboff coined the term “surveillance capitalism” to describe the advertising business model as built on monetizing the collection, use, and sharing of digital information and testified to a House committee that the model is “founded on the premise that privacy must fall.” Her concept has been echoed by the Federal Trade Commission (FTC) in their privacy rulemaking notice last August, which framed its inquiry as about “commercial surveillance.”

Regardless of how it is characterized, digital advertising is a significant factor in the unbounded spread of personal information. Under the status quo, most companies can set the rules for what data they collect and what they do with it. Without boundaries around the collection, use, and sharing of personal data, the complex systems that support digital advertising have become online tornadoes, rapidly sucking up data and spreading it across the landscape. The American Data Privacy and Protection Act (ADPPA), a House bill reported out of committee by a 53-2 vote, goes further than any other comprehensive privacy bill proposed or enacted to put objective boundaries around the collection, use, and sharing of personal information and to change digital advertising practices.

These are needed changes. Their net effect will be to curtail opportunities to collect and monetize personal information while limiting the current spread of personal information across digital advertising networks beyond the privacy expectations of most individuals. Nevertheless, no one can predict precisely how these changes will affect a variety of interests. Apart from the privacy of individuals and the profits of the advertising industry, there may well be collateral impacts: on publishers that earn revenue from advertising, access to free services enabled by ad sales, or marketing for startups and small businesses that need to identify niche markets. In addition, the legislation may well strengthen large platforms’ hold in the advertising marketplace.

“To ensure that the ADPPA’s boundaries on advertising adequately consider the possibility of such potential effects, we recommend lawmakers incorporate a provision authorizing the FTC to finetune the bill’s limitations through rulemaking.”

To ensure that the ADPPA’s boundaries on advertising adequately consider the possibility of such potential effects, we recommend lawmakers incorporate a provision authorizing the FTC to finetune the bill’s limitations through rulemaking. Below, we explore the reasons for this recommendation: first by describing the networks that support digital advertising and how they spread personal information, then by detailing how the ADPPA addresses these and what effects it may have, and finally by describing why providing rulemaking authority to the FTC is especially appropriate.

The landscape of digital advertising

The players: Advertisers and publishers. Digital advertising has become the dominant way of reaching consumers’ eyes and ears. Online advertising (excluding U.S. political advertising) accounted for 64.4% of all total advertising in 2021 and continues to grow each year. Digital marketing enables the agencies that place ads (“advertisers”) to reach potential customers in new ways, bolstered by digital information. Advertisers can also measure outcomes that cannot be observed in print or broadcast advertising, such as how long an ad spends in front of a potential customer or how frequently it is clicked on. On the other side of advertising markets are the websites, platforms, and content providers (“publishers”) that monetize the eyeballs they draw and the data they generate. Publishers sell this inventory based on their content category (e.g., baking, sports, makeup) or the demographics of users (e.g., location, age). Advertisers provide information about their targeting strategies or ideal customer demographics. Sales of ad spaces are made by looking for overlaps between publishers’ and advertisers’ markets, placing ads in front of relevant audiences as precisely as possible.

The players: Data management platforms. Between the advertisers and publishers lie intermediary networks of software that manage advertisers’ placement of ads and publishers’ offering of inventory and ad performance metrics. These are data management platforms, which match up data from both advertisers and publishers with information from third-party sources such as data brokers. Such data can include information about an individual’s browser (e.g., device type, IP address, fonts installed on the device, websites visited), information users themselves provide (e.g., account information, survey responses, purchases), or information about a user’s behavior (e.g., time spent on a page or websites visited).

The systems: Data brokers. Behind these players and systems, data brokers provide a market for the data collected across advertising networks by purchasing and selling data to supplement databases within them. These brokers compile data both from private transactions and public-facing information sources such as social media and government records. In turn, they analyze this aggregated data to segment individuals by characteristics such as “families with kids in space camp” or “married moms.”

While individual profiles initially may be “anonymized” (i.e., stripped of unique identifiers like names or identification numbers), the aggregation of data makes it increasingly possible to link this data to individuals. For example, a 2019 Nature study found that 99.98% of Americans could be accurately re-identified by using 15 anonymized demographic data points, even if that dataset was “heavily incomplete.” This data can be reidentified so precisely that it has been used to determine the cost of health insurance or make loan evaluations. Even generalized information may enable identification of unique individuals, based on patterns of characteristics.

Connecting information to unique individuals becomes especially significant when sensitive information is involved. For instance, while much of the data collected by the LGBTQ+ dating app Grindr is innocuous, Grindr has formerly sold users’ location data to advertising companies and shared information on users’ self-reported HIV status and STD screening with external companies. A recent FTC complaint against Kochava charged that the data broker provided precise geolocation information from an array of mobile devices, including sensitive locations such as addiction recovery clinics, homeless shelters, abortion centers, religious institutions, and likely home addresses. The targeting of advertising relies heavily on predictive analytics and, as artificial intelligence is increasingly deployed, so will the granularity and power of these analytics to identify individuals and draw detailed inferences about them.

“Connecting information to unique individuals becomes especially significant when sensitive information is involved.”

The systems: Real-time bidding. Real-time bidding drives digital advertising. In the milliseconds during which a device loads an online site, an auction takes place among a myriad of advertisers and publishers, all swapping audience data through data management platforms. The sheer amount of information in play and the speed and frequency with which it is shared makes this landscape extremely leaky, with personal data passed through several hands and widely available for additional uses and sharing. The figure below illustrates the structure of the digital advertising market and its complexity.

Source: Programmatic Buying Ecosystem from Interactive Advertising Bureau Spain, 2014

Challenges to the systems. As the technology landscape has evolved, challenges to the typical digital advertising ecosystem have arisen. Various advertising industry groups have developed frameworks and codes for trustworthy, privacy-sensitive, and ethical use of data over the past 20 years. Browsers have added features or extensions to limit cookies and tracking across sites or devices. Ad-blocking software has become available. Still, despite these efforts and tools, advertisers have enduring financial incentives for advertisers to know as much as possible about their prospective targets. For example, in response to steps by browsers to reduce tracking, some third-party companies began to track users across sites using the unique metadata about their devices, such as device type, browser setting, and fonts installed, a process known as “browser fingerprinting.” This information is device-specific, so users cannot protect themselves by clearing their browsing history.

The most serious curb on digital advertising has come from Google and Apple. Although each has a different business model, both have used their management of operating systems, search engines, and app ecosystems to affect how online products and services collect data. Google introduced Topics API for Android apps, which limits data tracking, data retention periods, and the availability of what Google identifies as “sensitive categories” of data. Google also announced to phase out third-party cookies from its Chrome browser by 2023 (now postponed to 2024 as the marketplace struggles to adapt). Apple has taken similar steps through its iOS software and app store APIs to increase transparency and constrain collection, such as detailing the types of data apps collect in their App Store, requiring developers to ask for permission before tracking users’ activity through third-party apps, and informing users of exactly how apps use their data through App Privacy Reports. While these updates significantly reduce data collection and leakage in advertising information ecosystems, they are platform-specific, leaving an uneven patchwork in the absence of clear federal policy, and they have raised concerns about the effects on competition.

The digital advertising industry association Interactive Advertising Bureau (IAB) has been warning members for several years that they need to adapt targeting methods in response to both regulatory changes and consumer unease. Its most recent report on the subject described “a disconnect among senior-level, data decisionmakers between their self-stated sense of preparedness for the loss of third-party cookies and identifiers and their recent knowledge of the factors beyond the deprecation of cookies that are driving the evolution of the privacy landscape.”

In steps the ADPPA

The American Data Privacy and Protection Act (ADPPA) does not ban targeted advertising altogether. Instead, it distinguishes between “targeted advertising” (a defined term in the bill) and “contextual advertising,” i.e., advertising based on the context in which an ad appears, not based on specific information about each individual viewer. The ADPPA would only affect contextual advertising at the margins, to the extent that limits on the collection of personal data would constrict contextual information. Despite these limits, contextual advertising would likely experience a net gain due to the greater constraints on targeted advertising.

The constraints on targeted advertising are substantial. The ADPPA would allow “first parties”—entities that collect data directly from an individual—to target advertising to those individuals provided they are over the age of 17. This would allow first parties to promote new products or to sell advertising on their websites. Individuals would have the right to opt out of receiving any targeted ads, which advertisers, including first parties, would be obligated to offer prominently and to respect if exercised. The FTC would be charged with establishing mechanisms (like its Do Not Call list or otherwise) to make exercising this right convenient.

The bill distinguishes between the “first parties” permitted to cross-promote products and third parties that do not collect information directly from an individual. It is possible to read the provisions that permit first parties to target ads as permitting such advertising by third parties. As a practical matter, though, the overarching constraints on collection and processing make that extremely difficult.

Indeed, the ADPPA would place other significant limits on the information ecosystems that support online advertising in general and targeted advertising in particular:

• While the ADPPA allows collection of personal information for various purposes, these do not include advertising. Instead, advertising and marketing (whether targeted or not) are allowed only when utilizing “covered data previously collected.” In other words, data collected to provide a service otherwise permitted under the bill could be used (sometimes described as “secondary use,”) but a business could not collect simply for the purpose of targeting ads. The bill does carve out one exception related to advertising: It permits collecting data to measure the performance of advertisements. Such data powers the tools that enable advertisers to track views, clicks, leads, and success rates and calculate cost-effectiveness and return on investment. This provision could be exploited as a loophole, however, so it should be made clear that data collected under this exclusion must be “strictly necessary” for calculating metrics and not used for other purposes.
• Collection of “sensitive information”—a range of categories that include information about health, precise geolocation, communications, and race, color, ethnicity, or union membership, among several others—would be permitted, but only to the extent “strictly necessary” to provide a requested product or service or other purposes enumerated in the bill, but not for marketing. This would prohibit most advertising targeted based on sensitive information.
• The ADPPA would prohibit sharing “sensitive information” with any third party without carefully defined affirmative express consent. This would further limit the use of sensitive information as a basis for targeting advertising. It could allow such targeting where an individual has consented, for example, to sharing medical information in connection with a health app or sexual preference with a dating app, but within the bounds of what is strictly required for the products or services an individual requests.
• The bill’s definition of “personal data” specifically encompasses any “unique persistent identifiers,” which encompasses the various mechanisms used to identify individuals, devices, and browsers primarily for the purposes of delivering advertisements, like the iOS Advertising Identifier, Facebook’s Pixel, and a host of third-party cookies inserted via websites.
• The bill creates a category of “third party collecting entities,” companies that derive revenue from personal information they have not collected directly from individuals, and establishes a registry of such entities. This addresses the data brokers that aggregate data from other sources and develop individual profiles and databases that inform targeted advertising and marketing. Other than maintaining a registry, the ADPPA would not directly regulate data brokers, but the proposed limits on the collection and sharing of information would reduce the supply of information for their databases, as will the opt-out right and individual rights to seek access and deletion of information.

The IAB has criticized these limitations, asserting they harm “not only advertising companies, but anyone depending on data to succeed in today’s economy, including the average internet user enjoying speed and convenience.” The net effect of the ADPPA’s changes will be to curtail opportunities to collect and monetize personal information and to limit the current flows and leakage of personal information through the ecosystems of apps, ad tech, and data brokers.

As discussed above, fair and reasonable limits are needed on the unbounded data that advertisers collect. Nevertheless, it must be recognized that the medium serves legitimate and even beneficial purposes. The sale of advertising has been—for better and for worse—what has supported a free media in America. It also enables free services; while “free” comes with a hidden cost in personal information that needs to be more transparent and checked, the absence of cost still provides material value to many people. The First Amendment assigns value to advertising because, “however tasteless and excessive it may sometimes seem,” it disseminates “information as to who is producing and selling what product, and at what price” and informs consumer decisions in a free enterprise economy.

No one can predict reliably all the consequences to these and other interests from the ADPPA’s changes to advertising ecosystems. The changes also could affect smaller entities without large ad budgets, such as new entrants and small businesses seeking to find a market at the most efficient cost where narrowly targeted digital advertising can be cost-effective. The constraints on targeting might affect content providers that rely on advertising for revenue.

The third-party/first-party distinction and preferencing of contextual advertising over targeted advertising is likely to affect ad markets in ways that could be significant but are not fully understood. Given the increase in Google’s and Facebook’s shares of digital advertising within the European Union after the EU’s General Data Protection Regulation took effect, the ADPPA could strengthen their positions even though their combined 50.5% share of U.S. digital advertising is already the target of antitrust litigation and legislation. The impact on the effectiveness of advertising is less known; there is credible research showing that advertising targeted with cookies and other tracking is not as cost-effective as generally regarded, and some evidence that well-done contextual advertising may be more effective. Indeed, the New York Times successfully switched to offering only contextual advertising. But just because the strongest brand in the news business has succeeded with this model does not necessarily mean lesser brands without as much diverse content to offer or many subscribers to survey, much less the resources to develop their own first-party ad management platform, can do the same easily.

A provision for FTC rulemaking to fill in the precise boundaries for digital advertising would enable thoughtful and evidence-based decisions to get these boundaries right.

Why FTC rulemaking is the right approach to digital advertising

Rather than leave these issues to the FTC’s existing Magnuson-Moss Act rulemaking authority, Congress should provide authority under the Administrative Procedure Act (APA,) as it has in other ADPPA rulemaking provisions. This would clarify agency authority on the subject, allow Congress to define the contours for regulations, and enable speedier implementation of the law in this area. There are several reasons rulemaking is an especially appropriate way to deal with the uncertainties within these contours:

1. The issues that surround online advertising are highly complex, technical, and dynamic. Among advertisers, real-time bidding exchanges bring together multiple parties for microtransactions executed in milliseconds encompassing information, delivery of content, and payments. The technology and data that power these exchanges are constantly evolving. These are the kinds of issues where an expert agency can dive more deeply into the weeds than Congress usually can and adapt to changes in technology and the marketplace.
2. The FTC has relevant expertise. The FTC has decades of experience in regulating advertising. Advertising has been woven through its regulation of unfair and deceptive practices since the establishment of the Consumer Protection Bureau in 1970. The agency’s docket of privacy and security issues in recent decades has exposed it to data flows across a wide variety of online platforms and players. Its role in competition policy and its Competition Bureau brings this knowledge to the competitive effects of advertising and changes to advertising ecosystems. The FTC staff includes technologists, economists, and competition experts who can deconstruct these systems and markets. Fortunately, the ADPPA proposes to expand these capabilities with additional appropriations and the establishment of a new Bureau of Privacy.
3. FTC rulemaking would require thorough input. The broad stakeholder input needed to understand these issues is built into rulemaking under the APA and the FTC Act. Notice and comment would be required, ensuring a public process that provides the agency an avenue for broad input, gives stakeholders the opportunity to weigh in, and builds a record of the issues.
4. The FTC’s role would be defined by Congress. The ADPAA currently provides sparingly for FTC rulemaking. Rather than any broad grant of regulatory authority, it confines rulemaking to discrete issues within specific provisions (adding to the definition of “sensitive covered data,” minimum “short form” disclosures, processes for covered entities to respond to individual requests for data, and algorithmic impact assessments by “large data holders”). It also calls for agency guidance on data minimization and privacy by design, both novel and complex aspects of the ADPPA. A provision giving the FTC authority to delineate specific aspects of the provisions on advertising and spelling out factors for the agency to consider would be in the same mold, targeting its authority specifically and bounding it accordingly.

At this stage of the legislative process, the bar for making changes is high. But adding a provision to allow FTC rulemaking on advertising would fit within the bipartisan compromises of the ADPPA and could preemptively address issues before the law is on the books.

Google, Apple, and Meta are unrestricted donors to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the authors and are not influenced by any donation.