By Adam Foldenauer, Senior Director – Client Solutions
Wednesday marked the beginning of a new decade, and perhaps the beginning of a new era in digital, as the California Consumer Privacy Act (CCPA) went into effect as law. While the CCPA’s statutes are overly burdensome for today’s data-powered Internet economy, the law is a necessary step in restoring balance of power and trust across Internet behemoths, consumers and legislators.
Passed in 2018 as the first data-privacy regulation in the U.S., CCPA has been an early voice in a growing chorus of calls for Internet companies to give consumers visibility and options as to how their data is gathered and distributed. (The more-restrictive General Data Protection Regulation (GDPR) was established in the EU in 2016.)
Any for-profit entity that does business in California with revenue greater than $25 million, or meets two other criteria, must comply with CCPA. Despite being enacted in only one state, the broad reach of the law means that most U.S. firms with online capabilities will sit up and take notice of CCPA – either for direct compliance, or to be ready for other states to follow suit.
Shared Responsibility for the Data-Powered Internet
Throughout the drafting and enacting of CCPA, the attitudinal undercurrent – sometimes stated, sometimes unstated – that Internet companies involved in consumer data retention and dissemination are bad actors is bothersome and misguided.
This data-powered Internet system was built under our noses.
Legislators, business leaders and consumers alike should have been aware of this data-powered Internet we have all played a role in creating.
It began in the dot-com era, when the markets pushed fledgling startups like Twitter and Facebook to prove a path to monetization of their free services. And monetize they did, building highly targeted, lucrative advertising markets with consumer data as the product.
Since then, all actors within this digital ecosystem have benefited, and there has never been an outcry from consumer advocates for such Internet firms to charge for their free services. We enjoy the data-driven, precise search results from Google, and YouTube knowing just what videos to recommend. (Google gets 85% of revenue from ads.) We’ve been happy investors – at minimum through our 401ks if not more directly. (Technology stocks were up 42% in 2019.)
Our data in return for increased digital utility – this has been the unwritten value exchange of the data-powered Internet. We should not be surprised that the data we provide to the Internet is trafficked across the Internet.
Have there been abuses, such as the Cambridge Analytica incident? Definitely. Does there need to be governance as Internet firms have grown to be the most powerful entities in the world? Absolutely.
The Cost and Difficulty of CCPA Compliance
The law has three straightforward tenets:
- Data Transparency
- Consumer Data Control
- Company Accountability
But CCPA doesn’t appear to consider the fact that our current-day Internet is driven by labyrinthine data-sharing middlemen, networks, brokers, and algorithms. It was not built with clean lineage of consumer data as a priority.
Underneath snazzy search engines and mobile apps lies a tangle of Internet data commerce where consumer data is constantly gathered and shared – often multiple steps removed from the source digital property. Setting ethical concerns aside for a moment, what this means for firms involved in any aspect of leveraging Internet consumer data is that mapping the path a consumer’s data takes and erasing it on request – the cornerstone provision of CCPA – will take significant effort.
How much effort? $55 billion industry-wide, according to a California-commissioned study. Giants such as Facebook and Google can stomach the expense, but what about smaller firms above the $25 million threshold? This law hurts many adtech businesses without spare human and financial capital. And, more importantly, if consumers begin opting out of data-capture at scale, it will threaten their business model altogether.
Although less punitive than GDPR, the fines for non-compliance can get costly as well. On a per-user basis, a firm with 1,000 customer data records found out of compliance would, by the letter of the law, have fines over $1 million.
For a country that has benefited so greatly from the Internet sector’s innovation and economic growth, it would have been prudent for the initial regulation to have been crafted with all sides at the table. Ideally, parties would have begun work on data privacy years ago as our data-powered Internet was in gestation, which would’ve shaped different value chains, business models and clean data-sharing processes that advertising and targeting technologies could build around. It’s too late for that, just as it would be too harmful to our economy to now fully unwind the complicated underbelly of Internet commerce in the name of privacy.
A Privacy Wakeup Call for Silicon Valley
Assuming the industry wasn’t paying full attention to consumer privacy before, they are now – Google and the California Chamber of Commerce were scurrying to revise CCPA in late 2019, and their lobbying efforts are ongoing and intensifying. Facebook is bucking the law altogether, saying its method of data sharing is exempt.
The CCPA can be thanked for scaring Silicon Valley into attention. Consumers should have knowledge of how our data is being used across the web. Consumers should also trust the web properties we interact with, and this law can be the catalyst to rebuilding that trust.
As our Federal Government plans for a federal data privacy law, perhaps more conversations will lead to a more balanced regulation that considers both consumer privacy and business growth and innovation.
Learn More: The Impact Makers Solution
Impact Makers’ consultants have knowledge of CCPA, data privacy and compliance, as well as the insights to help your organization. We work with our customers to deliver and enable strategic business advantage with Information Security & Risk Management services.
To learn more, contact us.