CCPA and Beyond: Where Privacy Will Take Us in 5 Years
The Jan. 1 compliance deadline for the California Consumer Privacy Act (CCPA) is now in our industry’s rearview mirror, but I doubt you’re hearing any sighs of relief within today’s marketing and data privacy departments. That’s because all of the hard work required to truly understand the implications of this important new legislation is still on the immediate horizon. The coming year will teach us a lot about the new data reality in which today’s organizations must operate.
Although the language of CCPA leaves a lot open for interpretation, one thing is clear: The consumer data and privacy landscape has fundamentally shifted beneath the feet of today’s enterprises, and privacy compliance will forever be an important requirement for sustainable business going forward. But where exactly do we go from here? In a regulatory environment where there are currently more questions than answers, what do consumer privacy requirements look like in five years? Here are a few likely outcomes of current initiatives and momentum.
Risk Will Come from All Sides
Companies that are focusing internally on handling the wave of regulatory scrutiny will also need to take a step back for a wider view. Far too often, companies have products or services that are tightly coupled to third parties. You may be capable of taking a legal stance that will prevent one state’s regulations from applying to you–or they may only apply to a specific product offered to a specific area.
But even then, a serious question remains: Are your vendors, who may be operating in a global space, capable of continuing to do business within this new climate? And how does that put your own business at risk?
Federal Regulations Will Have to Intervene
Of course, CCPA is just the beginning. At present, more than 20 other states have some type of comprehensive privacy legislation under evaluation, and you can bet that there are notable differences—including direct contradictions—from state to state. As more and more state-level privacy laws are enacted, it will become virtually impossible for enterprises to ensure complete compliance.
Ultimately, the federal government is going to have to step in with blanket legislation that will take precedence over the fractured state-level initiatives. Most likely, this legislation will manifest in the next couple of years, after federal legislators have a moment to take a step back and see which international and state regulations seem to be working out best. In the meantime, privacy teams are going to have their hands full trying to keep up with the splintering requirements across the U.S.
A New Category of Management Solution Will Rise
Although no one really wants to see the LUMAscape get any more complicated than it already is, a new category of vendor relationship management solution is sure to arise as a result of the complexities of managing first-party data permissions today. After all, every company’s data infrastructure and relationship to privacy requirements is a little bit different. Whether it happens at the CRM or CDP or some other level, there’s a desperate need to be filled in terms of software that can address and manage questions related to data providence and which parties are ultimately responsible for compliance with various regulatory requirements.
Cookies Won’t Die, They’ll Evolve
Finally, here’s a prediction for you that probably flies in the face of a lot of the other headlines you’re reading right now, especially Google’s Chrome announcement: The cookie isn’t going to die in the two or even five years. It’s just going to evolve.
As a piece of technology that helps manage persistent data and store login sessions, the cookie still provides utility. We simply haven’t seen a piece of widely adopted technology emerge to take its place. However, we will see a change in terms of how cookies are restricted and therefore how they are consented. As we’ve already seen through policy changes on Chrome, cookies will need to become more specific, secure and follow certain classification rules. In other words, the cookie won’t crumble. Rather, a new batch of them will be baked—and stored in a locked jar.
Matt Hrushka is CTO of Signal.