Last year marked the start of the California Consumer Privacy Act (CCPA) which gives residents of California unprecedented rights to control what information companies collect on them and how it’s used. This legislation provides a handful of new rights to protect people’s data and personal information online by allowing the ability to have the data that companies collect to be deleted and opt out of those companies selling it to third parties.
CCPA also puts a lot more responsibility on businesses who have to keep track of this data. It’s important to remember that we’re not just talking about the Googles and Facebooks of the world, but any company that does a lot of business online— which in today’s digital world, is most companies.
In short, CCPA applies to any company that operates in California and either makes at least $25 million in annual revenue, gathers data on more than 50,000 users, or makes more than half its money from the sale of user data. While the law has been in effect since the beginning of the 2020, the enforcement of the law started on July 1, 2020, and the Attorney General has already sent out Cease & Desist letters to several companies alleging violations of the CCPA. Not surprisingly, class action attorneys began filing cases even sooner alleging unreasonable security measures. Walmart was recently sued by a California resident on behalf of a class of California consumers, claiming the company had a data breach that violated CCPA. These developments are only the beginning of the potential influx of lawsuits and penalties we could see in the years to come.
If enforcement of the law hasn’t been a wakeup call for businesses, now it seems like the original architects of CCPA think the law is not strong enough on its own and want to take it a step further. Last November, California residents voted to approve the California Privacy Rights Act (CPRA) which is the next evolution of privacy law and, according to its supporters, strengthens the perceived weaknesses of CCPA.
In a nutshell, CPRA wants to limit the use and sale of personal information for addressable advertising and will also create a new state government agency in California with specific direction to enforce CCPA.
This could cause several challenges, as there’s a whole chain of players such as publishers, supply side platforms, demand side platforms and advertisers in the digital ecosystem when it comes to the use and sale of data. Across that chain, they’re sharing data that’s considered personal information with each other. The proposed law wants to stop this sharing of data because supporters think if someone has opted out of the “sale” of data that data sharing in the digital ecosystem should not be allowed. And this is where the debate starts because the digital ecosystem is saying it’s not a sale because no exchange of anything of tangible value is taking place. This new law will change the definition of “sell” to include “sharing of data.”
There’s also a provision in the proposed law that says a covered business can use a service provider to help with their data strategy as long as there’s a written contract that prohibits certain things, such as the service provider not combining the data from the business with third party data.
This really restricts what data providers like Acxiom and others can do for their clients. Coalitions like the US and California Chambers of Commerce, the Business Roundtable, Privacy for America, and the ANA are against this law and have provided several points of view on these issues helping educate California residents and voters of the potential harms, not just to the marketing and advertising industry, but to the Californian, national and global economies.
Responsible data collection and the ethical use of that data should not be under attack. In fact, data collection and analysis are becoming key weapons in the fight against COVID-19. Many companies and government agencies have used data for things like contact tracing and getting important health information to communities and to those at highest risk. The key to fighting the misconception that data collection is bad is to highlight the many ways data is being used for good.
In addition to using data for good in a global health crisis, there are other uses of data, like for marketing, that bring real value to people. Advertising helps people get relevant information to assist them in making choices on an endless array of goods and services. And it helps brands — in sectors like financial services and banking, consumer goods, transportation and hospitality — to understand customers and deliver them marketing messages that are more relevant, consistent and effective. Data-driven marketing helps businesses reduce wasteful ad spending and helps fund free or low-cost products and services on the internet, including free search, email and social media platforms, as well as customized content.
Privacy regulations should seek to balance peoples’ rights to transparency and control with the many benefits of a data-driven economy and with the need for companies to be able to run their businesses efficiently and effectively. Laws like the CCPA and the EU General Data Protection Regulation require companies to invest millions of dollars to ensure they can comply, yet, according to our benchmarking, most companies have seen very few verifiable access requests or opt-outs taking place. For example, Acxiom has offered the right to opt out of our marketing products for more than 25 years – long before CCPA existed – and the number of opt out requests we receive has remained steady, with no noticeable spike in requests after CCPA went into effect. Similarly, we have had around 500 verifiable requests for access or deletion since the start of CCPA. These suggest a real disconnect between what people say about their privacy and what they do.
According to a recent study commissioned by Acxiom on the willingness to share data, three out of four people agreed that when data is managed properly, it greatly benefits people. Despite all the good that comes from data and people’s positive attitude towards the ethical use of data, there are still those who are pushing for stricter regulations.
Let it be very clear, we want to be good stewards of data! Acxiom would never advocate that we get rid of regulations or not emphasize the vital nature of ethical data governance. We will always go above and beyond what the law requires because we believe in data ethics. These laws have good intentions and companies such as Acxiom, which has been a champion of digital responsibility and ethical data use for more than 50 years, wants to support them. But these current laws and regulations can cause many challenges for our industry for years to come.
In reality, these laws give the largest platforms more power by adversely impacting independent data providers and small businesses in terms of productivity and the expense to comply with these laws. The largest platforms feel they have sufficient consent to collect and use the data and believe they have provided adequate notice to people, so they’re well-positioned and so big that they can throw millions of dollars at these regulation changes and not feel it.
People understand that the largest platforms collect their data in an effort to improve consumers’ experiences and to generate revenue by selling advertising. But there is less awareness of other data providers that collect, source and otherwise license information about people who are not their customers. The growing commercial use of data is outpacing the public’s understanding.
CPRA won’t be the last legislation we will see as other states look to pass similar laws and Congress has accelerated the debate for a national privacy law. Over the years, Congress has put forth various legislative proposals regarding data privacy. None of the past legislation received the support necessary to enable passage of a comprehensive national data privacy law. Due to CCPA and CPRA, that is likely to change.
Still, people deserve to know who is collecting data about them, why it’s being collected and the types of companies with which the data is being shared. They should also have assurances that companies collecting data have adequate measures in place to ensure security and confidentiality. That’s why, until we have a national privacy law, we should pursue a national data provider registry to help people understand which companies provide these services — and learn the difference between good data actors and bad ones.
Unfortunately, the irresponsible actions of some individuals and organizations have cast a shadow over data collection and use. They violate people’s privacy, profit from stolen data and commit fraud. Increasing transparency — initially through a data provider registry and ultimately through a robust and balanced national privacy law — would help reduce the conflation of legitimate, regulated entities with unethical companies and criminals.
We believe it’s time for a national data privacy law, one that gives people meaningful rights — to know who has their data, how it is used and how to opt out while preserving current responsible uses of data for marketing and advertising. It’s in our country’s best interest to have a national standard that, done thoughtfully, benefits both people and businesses by providing uniformity and certainty without deterring innovation and competition. But unfortunately, intervening events in 2020 have taken the focus off of this important legislation.
In the end, a national privacy law should be about accountability – people shouldn’t have to think about it or worry about how their data is being used. People should know their data is under control and won’t be used to harm them. If someone wants to take steps to protect their data further, that option should be available to them.
This article originally appeared in Viewpoints Exclusive by Kinesso.