We all love the convenience of having access to information on just about anything at our fingertips, thanks to the internet. But some information flows in both directions, as our online behavior is tracked and delivered to various parties willing to pay for such data. The popularization of smartphone use further exacerbated the outbound flow of data because of its location-awareness and the proliferation of apps that dig into user data.
Social media platforms like Facebook were designed to appeal to users as an easy way to connect with each other online. However, from the company’s point of view, it has become a mechanism for gathering personal data. It then commodifies that data, as it is of value to businesses that seek to target particular segments of consumers and to pick up on buying signals.
The Slow Rise of Privacy Regulation
Though we’ve been aware that apps can lead users to unwittingly share personal information for decades, we’ve only started to really do something about it in the past few years. Legislation to meet the demand of privacy advocates that consumers be given clear information about what personal data they are unwittingly sharing and be offered a way to opt-out. This gained ground in Europe first.
Back in 2000, the EU established the US- EU Safe Harbor Framework. Within a few years, it was considered inadequate and was supplanted by the General Data Protection Regulation (GDPR) that came into effect in 2018.
Over on the other side of the Atlantic, only California passed a privacy law similar to GDPR. The California Consumer Privacy Act (CCPA) was signed back in the middle of 2018 but only took effect on the first day of this year. Even businesses that are based outside California are impacted if they have met the minimum annual revenue and sell to consumers in the state.
That includes the well-known retailers like Target. Consequently, scrolling to the bottom of the page on Target.com will bring up links with information on CCPA for California residents and another link to a form entitled Do Not Sell My Personal Information – California.
And We Now Have Privacy Chiefs
One of the challenges companies now face under new privacy legislation is letting consumers in California know exactly what personal data is collected and allow them to demand that their data not be sold. As recounted in “Ready or Not CCPA is Here (And You’re Probably Not),” while some companies are scrambling to get their data collection notice in order, others say they don’t need to worry about it.
For example, a representative for Amazon was quoted by Reuters, saying, “We do not plan to put a ‘Do not sell’ button on our website because Amazon is not in the business of selling customers’ personal data, and it has never been.” Likely that’s because Amazon keeps the data it collects to itself and manages marketing across websites accordingly.
Facebook made a similar argument at this year’s CES. The Wall Street Journal covered the focus on privacy in the event in “Tech Giants Defend Privacy Efforts, Promise Improvements.” Facebook was represented by Erin Egan, its Privacy Chief. She maintained that her company was already in compliance of CCPA because it does not in fact sell data.
Egan’s explanation was: “We are acting as a service provider on behalf of our clients to serve ads on their behalf. There’s the loophole of a company making use of the data it gathers itself. It can sell the ad placement without selling the data and so be compliant with the law.”
More Legislation on The American Horizon
It is possible, though, that a new proposed nationwide law may take an even stricter view on private data. The Consumer Online Privacy Rights Act (COPRA) was introduced this past November. Like CCPA, its application is limited to businesses whose average annual revenue is at least $25 million. However, it does extend consumer protections measures beyond the California law.
One of the ways it does that is by demanding that people be given the choice to opt in to data sharing rather than just being offered the option of opting out. Another thing it does is grant individuals the right to sue companies that violate their privacy as defined by the law even if they were not effectively harmed as a result of that violation.
The definitions of personal data are clarified in the full version of the proposed law. It includes specific categories of biometrics. It also defines what counts as “sensitive information.” It breaks it down to 14 labels, which include addresses, email addresses, and phone numbers. That means that just about any business is likely to have at least some sensitive information among its records, and it would be its responsibility to safeguard that data.
COPRA was proposed by Democrats, which means it will likely be supported by other members of the party. To pass into law, it would also need some Republican support. Likely, it will not be able to do so in its present form, as compromises and negotiation are standard practice in politics. No matter what version it takes, it is inevitable that we will see some expanded privacy legislation passed in the United States in the near future.
The Future of Privacy
The certainty of more extensive privacy legislation is likely one of the factors behind Google’s decision to phase out third party cookies on its Chrome browser. Other businesses should also gear up for a future in which regulations limit personal data collection and tracking even in the United States.
In the wake of GDPR and CCPA, citizens of the United States will question why they are not granted the same control over their personal data given to members of the EU or even their fellow Americans in California. That would increase pressure for legislation in other states. As that builds, we are bound to see a nationwide standard emerge. Smart businesses will be proactive about this inevitability and start planning for privacy legislation now rather than have to scramble to achieve compliance.
The bottom line is that businesses don’t just run on data but on customer trust. Respecting customer privacy is one of the ways businesses earn that trust, which is the foundation of an ongoing relationship and good business practices.