The Fair Information Practice Principles turned 50 this year.
If you work in data privacy, you already know FIPPs—they’re the foundation everything else is built on. What you might not know is that they came out of the Health, Education and Welfare Department in 1974, back when “computer systems” meant something very different than they do now.
Which brings us to the American Privacy Records Act.
The APRA is Congress’s latest attempt to create a single federal privacy standard that would replace the current mess of state-by-state laws. It’s bipartisan, which in 2024 is notable on its own. But whether it actually passes—and whether it’s good for privacy—depends on details that are still being fought over.
Here’s what’s in it:
- Preemption that goes further than before – The APRA would override most state privacy laws, which is a bigger swing than the earlier ADPPA proposal. California’s Privacy Protection Agency isn’t happy about this. Their argument: states need the flexibility to respond quickly when new tech creates new privacy problems. Hard to say they’re wrong.
- HR data gets a pass –The bill wouldn’t cover employee data, which means California’s CCPA and similar state laws would still apply there. It also targets large data holders and high-impact social media companies with stricter requirements—more transparency, tighter data handling rules.
- You can sue – This is the big one. The APRA includes a private right of action, meaning individuals could take companies to court over violations. Most state privacy laws don’t allow this. If it passes, expect a wave of litigation and a scramble to bulletproof compliance programs.
What this means for digital advertising
The ad tech industry should be paying attention. Under the APRA, consumers could opt out of targeted advertising—which is table stakes at this point—but the bill also requires affirmative, express consent before transferring personal data to third parties.
That second part could reshape how ad networks operate. A lot of digital advertising depends on data moving between companies with minimal friction. Requiring explicit consent for every transfer isn’t minimal friction.
The through-line from 1974 to now
The FIPPs were about protecting personal data from misuse in an era when “databases” were new and scary. Fifty years later, we’re still solving the same problem, just with different technology.
The APRA continues that legacy: transparency, accountability, consumer control. Whether it’s the right solution is debatable. Whether we need some solution is not.
For privacy professionals, the APRA isn’t just another compliance framework to learn. It’s a test of whether federal privacy law can actually keep up with the pace of technological change—or whether we’ll still be arguing about this in another 50 years.