The sweeping California privacy law, AB 375, that was rushed onto Gov. Jerry Brown’s desk for his 11th-hour signature last week won’t go into effect until 2020.
The new law gives consumers a host of new rights, including the ability to compel companies to share what data has been collected about them, the right to completely opt out of having their data collected and sold and the right to have their personal data deleted by any business that has collected it.
That means two years for tech lobbyists, telcos, industry groups and media companies to advocate for tweaks and massaged language. Here are their concerns.
It doesn’t distinguish types of data collection
AB 375, also known as the California Consumer Privacy Act of 2018 and now the strictest privacy law in the nation, doesn’t acknowledge the difference between types of data collection, said Adam Heimlich, SVP of media at Gale Partners.
“If people knew there is a marketplace with 5 million auctions per second that uses open-source tech and anonymous user IDs, the pressure would be where it belongs: on the few companies that collect data attached to your name and run proprietary auctions with zero transparency or governance,” Heimlich said. “Advertisers do not need digital PI marketplaces at all – they only need the open, anonymous one.”
How will it be implemented?
Although it’s hard to argue with the spirit of the law – that consumers need greater protections for how their data is being collected and used – implementation is bound to be burdensome on SMBs and consumers, said John Lee, Merkle’s chief product and data officer and global president of M1.
Take third-party tags, for example. Any given commerce or content site probably has dozens of tags that collect data and use it for targeting and retargeting off-site. Who handles the opt-out?
“Is it the responsibility of the business to manage the opt-out process on behalf of that third party?” Lee said. “In many cases, those tags and the services provided there are business critical to a smaller commerce site – now we are putting the burden on them? Doesn’t seem like what the law intends, but this is the sort of reality of unintended consequences we will be dealing with.”
It doesn’t address the online value exchange
The realities of implementing a law like this are not fully understood, Lee said, and fail to address the fact that there is “generally a fair exchange of value that happens” when consumers make their information available for ethical marketing uses and in return for services.
The law “will turn into a costly logistical nightmare that will generate significant, unrecoverable costs to businesses and a disruptive and annoying customer experience,” Lee said. “We are not just talking about Google and Facebook here, but thousands of smaller online businesses that are part of a complex supply chain.”
And yet, the bill has vague, public support
For their part, the large tech companies need to tread lightly in pushing for changes to the law.
Opposing privacy regulations is bad optics when the Cambridge Analytica scandal still makes national headlines.
At a press event last week, Facebook COO Sheryl Sandberg said Facebook supports the bill (she was asked just hours before Brown signed it into law). In April, Facebook and Verizon both withdrew support from an organization called the Committee to Protect California Jobs, which was created to lobby against the original civilian-led ballot initiative.
Katherine Williams, a Google spokesperson, chose the words in her canned statement carefully, noting that although the law “marks some improvements to an overly vague and broad ballot measure, it came together under extreme pressure and imposes sweeping novel obligations on thousands of large and small businesses.” Google looks forward “to improvements to address the many unintended consequences of the law.”
But regardless of how the law morphs in the two years until general enforcement, businesses should take the passage of California’s privacy rules as a wake-up call (if they didn’t happen to hear the alarm clock that went off in Europe on May 25).
“If there’s a lesson to be learned from GDPR here, it’s that organizations should be preemptively working toward improving their data collection, storing and distribution methodologies in a way that is not only policy compliant, but also aligns their businesses with the best interests of consumers,” said Dan Elddine, head of data strategy for North America at Essence.
Regardless, it’s time for the industry to do some soul searching, especially when it comes to permissions, said Ashwin Navin, CEO and co-founder of Samba TV, and even go beyond the disclosure requirements mandated by law with ongoing consumer education about the data that’s being collected and how it’s used.
“As long as a blanket opt-in protects the wholesale transfer of raw data to any number of buyers who, in many cases, are doing nothing to benefit the consumer, we are going to have many more Cambridge Analyticas in the future,” Navin said.
Representatives from Acxiom, Experian Marketing Services and Epsilon either declined to comment or did not respond by publication time.