As Joe Zappa discussed in his column on Monday, new regulations around consumer privacy are poised to become a major preoccupation of some of the internet’s biggest and most profitable companies in the coming year.
Business practices in the United States were moderately affected by the passage in Europe of the General Data Protection Regulation (GDPR) this past May. Now the California Consumer Privacy Act (CCPA), which passed in the state legislature and was signed by Governor Brown in June, and which contains many provisions similar to GDPR, is scheduled to take effect for all companies of significant size doing business in California as of January 1, 2020. Just as it led the way with auto pollution regulations, California may be about to usher in a new era of protections for U.S. consumers.
Though their terms are not identical, in essence both GDPR and CCPA are designed to give consumers the power to stop companies from collecting personal data, to review all personal data a company may have collected, and to request deletion of any stored data. Both regulations strike a major blow in favor of the concept that ownership of personal data ultimately resides with the individual and not with companies who may profit from it.
At first blush, the potential impact might seem no more significant than that of the National Do Not Call Registry on the telemarketing industry. Despite millions of consumers opting to be listed in the registry, the volume of telemarketing calls has grown massively in the years since Do Not Call legislation was passed in 2003, with the FTC becoming increasingly powerless to stem the tide of companies operating in flagrant violation of the law.
But with regulations like CCPA, the target is not fly-by-night companies impersonating the IRS on the telephone, but rather companies with revenues in excess of $25 million who store the personal data of more than 50,000 consumers, households, or devices and derive at least 50% of their revenues from that data. Many of the dominant companies in the digital age—particularly Facebook and Google—fall into that definition, as do a slew of secondary players in the data collection and programmatic advertising spaces.
Indeed, given that these companies often gather data through mutually lucrative partnerships with gaming apps and the like, the true breadth of companies who fall under the provisions of CCPA may surprise us all.
Personal data includes, though it is certainly not limited to, information about one’s whereabouts, which can be used for a wide variety of marketing purposes. As this week’s much discussed New York Times story reports, there are at least 75 companies running location tracking apps on 200 million U.S. smartphones, with location signals captured as often as 14,000 times per user each day. Location data powers increasingly sophisticated ad targeting and is used by companies that analyze physical location and other behavioral insights to identify new markets and improve marketing strategies.
Such practices have grown up in the absence of any specific regulation and in an atmosphere where consumers have taken, on the whole, a lax attitude toward sharing personal data, even despite news of data breaches and malicious actors like Cambridge Analytica. True, a potential crackdown on data sharing with third parties may win vocal support from many consumers, but to the extent that the enforcement of such regulations depends on consumers taking action on their own behalf, it remains to be seen how many will actually go to the trouble.
Still, the enactment of CCPA may well represent a sea change in consumer privacy, not least because it may engender further changes, including federal legislation which has seen support from both parties and which may prove more stringent in its prevention of data gathering practices at the source.