APRA: What the Proposed US Federal Privacy Law Means for Targeted Advertising
TL;DR — Quick Answer
The proposed APRA addresses major gaps in US privacy law with data minimization and sensitive data protections, but its targeted advertising rules are contradictory and poorly drafted.
The American Privacy Rights Act (APRA) is a bicameral federal privacy bill proposed by the US Congress. While the bill addresses many long-standing gaps in American privacy law, its rules on targeted advertising are notably unclear and sometimes contradictory.
Why APRA Matters
The US still lacks comprehensive federal privacy legislation, creating a regulatory gap that has left the digital economy without meaningful baseline protections. The FTC has attempted to fill this void, and individual states like California have passed their own laws, but the resulting patchwork creates compliance complexity without consistent protection for consumers.
Key Provisions
Scope: APRA applies broadly but exempts small businesses, government entities, and government contractors. Employee data is also excluded, which many critics consider a significant weakness given the rise of workplace surveillance tools. The law does not replace sector-specific legislation like HIPAA.
Consumer rights: The bill includes rights to access, correct, delete, and port personal data, plus the right to opt out of targeted advertising and data disclosures. It also includes a private right of action allowing individuals to sue for violations, though many important provisions are exempt from this mechanism.
Data minimization: Processing must be necessary, proportionate, and limited, with a detailed list of permitted purposes. In practice, this creates a complex framework of broad rules and lengthy exceptions.
Sensitive data: Categories include health data, precise geolocation, sexual behavior information, personal communications, government identifiers, data from minors under 17, cross-website user behavior, and behavioral data from major social media platforms. Disclosure of sensitive data generally requires opt-in consent.
The Targeted Advertising Problem
Targeted advertising is permitted on an opt-out basis under APRA, and the bill appears to prohibit collecting data solely for advertising purposes -- organizations may only use data already collected for other legitimate purposes.
However, the interaction between the general targeted advertising rules and the sensitive data provisions creates serious ambiguity. Sensitive data disclosures require opt-in consent, but targeted advertising is governed by opt-out rules. When these provisions overlap -- particularly regarding cross-site activity data and social media behavioral data that power most targeted advertising -- the result is unclear. Targeted advertising based on sensitive data may be either opt-in or effectively banned, depending on interpretation.
Assessment
Strengths: The data minimization principle moves beyond reliance on often-meaningless consent. The prohibition on dark patterns in consent collection is welcome. The sensitive data categories are commendably broad, and the law protects health data falling outside HIPAA's scope.
Weaknesses: Too many provisions are exempt from private legal action, potentially weakening enforcement. The rules on sensitive data and targeted advertising are poorly drafted and contradictory. The exclusion of employee data is a serious gap.
State preemption: APRA would override most state privacy laws, creating uniformity but potentially weakening protections in states with stronger existing legislation. This issue derailed APRA's predecessor bill, the ADPPA.