Somewhere along the way in the Internet Age, personal information became a bankable commodity. Where you live, what you own — if you are pregnant, even — are now details that are shared or sold off as quickly as we can type them.
Unfortunately, many companies we entrust with this information cashed in on this new currency, including Facebook as the most notorious example. It has been a gold rush of sorts for thousands of businesses, trading personal data without much thought into the ethics.
The laws have yet to catch up in the U.S., creating a field day of sorts for companies with a stockpile of private information. Over the past decade, myriad businesses have sold the personal details of customers to teams that could use them for marketing purposes — contact information, buying histories, and other data that was organically collected over time. Simultaneously, a number of third-party “data brokers” buy and sell consumer data like they are flipping houses.
Worse yet are companies that went out of their way to pilfer data, such as a Massachusetts ad agency that tracked smartphone data of women visiting abortion clinics. The agency then sold the information to antiabortion groups which targeted the women with messaging campaigns.
Enough is enough, in the eyes of California legislators. After a year-long process, the state will enact new laws on January 1 “relating to the access to, deletion of, and sharing of personal information that is collected by businesses.” The California Consumer Privacy Act, or CCPA, is perhaps the most significant event to date — stateside, at least — in the fight for data privacy.
The CCPA was signed into effect on June 2018, with a number of proposed changes to the way businesses handle sensitive customer data. It was modeled after the European Union’s General Data Protection Regulation (GDPR), which went into effect the month prior.
Among the provisions in the CCPA is a new requirement that retailers, social media platforms, and other service providers detail which personal information they are collecting, selling, and sharing from California customers. Companies must also give consumers the option to have their existing info deleted from databases. You can read the complete list of regulations on the California Attorney General website.
In the time between when the laws were signed and their effective date, state businesses have been scrambling to create loopholes and exceptions. For the businesses mining the well of customer data, transparency may come second to profit.
“We had a constant battle to stop efforts by industry to gut the bill,” said Justin Brookman, a privacy expert at Consumers Union in Washington, in an interview with the Los Angeles Times.
While CCPA does not fully prohibit data sales, it will undoubtedly put some control back in the customers’ hands. In all likelihood, this will effectively reduce the amount of data and disrupt the market. Naturally, many have not been shy about their feelings, and have raised a number of issues to undermine the push for privacy.
Chances are they will still be raising issues long after the laws take effect, particularly companies with their hands deep in the cookie jar of personal data. Facebook is already protesting in a number of ways, including a claim that these new changes don’t apply to them. Rather than wait to be fact-checked, the beleaguered social media company told its advertisers that it won’t be making changes to its web-tracking services. (Twitter, on the other hand, has announced changes for CCPA compliance.)
In town halls across four cities, lawmakers fielded questions and concerns from professionals in a number of industries and businesses of all sizes. There were a few issues that were prominently brought up, according to coverage by Venture Beat:
- Crucial CCPA terms are not clearly defined.
- It’s unclear how CCPA’s scope affects other industry-specific regulation.
- Smaller organizations will have trouble meeting the January 1 deadline.
- The system for data requests could be open to abuse.
This push-and-shove is common with any legal gray area. Where some see an obvious problem with data trading, others see an important new revenue source and marketing tool. Some businesses may be attempting to stall or skirt around responsibility related to their data selling practices, but others may be rightfully trying to ensure that the government doesn’t over-extend its reach on the matter.
On the consumer side, data hoarding and selling has become a safety issue, as well as a basic question of personal rights. The scope of personal details being freely exchanged can be unsettling, especially without an idea of who has access and how they plan to use it. Lawmakers behind the CCPA are working to ease these fears and add a sense of order to the Wild West that is the current system.
As these laws are enacted — and violations enforced, beginning summer 2020 — other states may follow California’s lead with their own version of the landmark bill. Some experts feel that a federal law will come about after the 2020 election, if not sooner. There is already bipartisan support for such a law, albeit with some debate as to the specifics.
“There’s been a shift as more members of Congress spend more time online and worry about the implications of data privacy for their children and grandchildren,” said Cameron Kerry, a privacy expert at the Brookings Institution, in an interview with Fortune.
The first year will be a bumpy road, as companies adjust to comply with the many specifications that are laid out. It’s safe to assume there will be some conflict and controversy during this time. Officials are hopeful about a smooth transition, but are prepared for pushback.
“We will look kindly, given that we are an agency with limited resources, and we will look kindly on those that … demonstrate an effort to comply,” said California Attorney General Xavier Becerra, in an interview with Reuters.
“If they are not (operating properly) … I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”
Continue to follow our blog for more on data privacy, culture, and LocatorX. Follow us on LinkedIn, Twitter, Instagram, and Facebook for company updates and industry insights.