Companies built empires on user data — information volunteered in exchange for services. But with heightened privacy scrutiny, could those companies survive today?
The California Consumer Privacy Act is challenging how companies use data and testing their viability.
Many expect the CCPA to be the backbone of a federal law, even if it may not be the most favored model.
The CCPA's "original sin was that innovation was set aside," said Bartlett Cleland, senior fellow for Technology and Innovation at Pacific Research Institute (PRI), while speaking on a virtual panel hosted by PRI in June. A possible side effect of strict, ongoing and costly compliance is hindered innovation, fueled by fear of lawsuits. Cleland is also counsel and chief strategy and innovation officer for the American Legislative Exchange Council.
Much like the CCPA's European counterpart, the General Data Protection Regulation, some privacy legal experts say the laws are mostly geared toward the biggest players or the most catastrophic infringements. With the exceptions of penalties issued by the United Kingdom's Information Commissioner's Office to British Airways and Marriott International, GDPR watchdogs in the European Union have issued $126 million in fines since May 2018.
The CCPA, and the timing of its enforcement, has been criticized because of its expense and potential for fines amid a recession.
If businesses took the necessary precautions leading up to the CCPA's January enactment, with sufficient data mapping and the ability to respond to consumer requests, "then there's no need for innovation to suddenly halt," Heather Federman, VP of Privacy & Policy at data privacy firm BigID, told CIO Dive. "Perhaps that's simplifying things — and there are definitely challenges in terms of full compliance, but to say that this will stifle innovation is asinine."
Competition versus ethics
With low penalties, industry perceives that GDPR lacks teeth, but the byproduct of the law is discouraging behavior that the public disapproves of.
Like GDPR, the CCPA could "enable companies to have a better understanding of their data so that they could better innovate down the road," said Federman. Using data to compete requires:
- Rich data free of extraneous, liable data
- Algorithms to analyze the data
- Scalable computing power to run the algorithms
Cloud providers take care of scale while companies maintain what data is crucial and what data is an unnecessary risk. Finding the safe ground between competitive use of data and ethical use of data will be a challenge for Silicon Valley's greatest data collectors.
The final CCPA rules proposal requires companies to calculate the value of the consumer data they collect. California Attorney General Xavier Becerra previously clarified in the updated rules that the correlation between data value and monetary value was indistinguishable. But the last rules proposal suggests companies consider the aggregate value and profit of data in a sale or collection.
The gray space in calculating data's value is where companies can step up and potentially defend their collection of consumer data.
Consumers come to Google for a curated experience and may not understand the technological mechanics of providing that service, according to Jim Halpert, partner at DLA Piper, while speaking on the panel.
The CCPA "has doubled down on being inflexible," Cleland told CIO Dive. Real estate developer Alastair Mactaggart crafted the CCPA's initial ballot initiative for 2018 and the current California Privacy Rights Act (CPRA) ballot initiative, or CCPA 2.0. The CPRA will go into effect in 2023, giving Congress time to act on a federal law if it can.
Without a federal law to temper the individual directions states take, "I'm very afraid that we're heading into a totally unpredictable, organized marketplace in regards to the regulation of privacy," Dan Jaffe, Group EVP, Government Relations, Association of National Advertisers, told CIO Dive.
Don't expect a federal law anytime soon
While a federal privacy law is unlikely to pass in 2020, the U.S. is moving toward a "more wholesome" discussion between both sides of the aisle, said Dan Caprio, co-founder and executive chairman of The Providence Group, during the panel. The coronavirus pandemic and initiatives, such as contact tracing, are moving the needle faster.
The scope and complexity of data privacy varies, and even as Becerra submitted his final proposal for rules, ambiguities remain. While state data security and breach notification laws have existed for years, in their "own peculiar way, you can kind of pull [them] off the shelf and make it work," said Caprio.
The same level of adaptation is not afforded to individual state privacy laws. Organizations' ability to perform or comply with risk management, data mapping, data governance and disclosure is at the heart of the law.
A compromise between preemption and private right of action could bridge the gaps between political parties, according to Halpert. Disagreements surrounding the severity of a privacy law persist; as technology matures, so does its inherent risk.
With other states looking to the CCPA as a law to mirror, the fear is that the law "that is most restrictive prevails," said Jaffe.
States and the FTC have been tasked with adapting to technology's evolution, but "I think at the end of the day, the deal is the FTC does get the ability to adapt to the requirements of the law to future changes," said Halpert.
The FTC is hamstrung by its limited authority in pursuing data privacy and security cases. Last year the agency issued a historic penalty, fining Facebook $5 billion following the Cambridge Analytica issue, but $5 billion is pennies to Facebook. Under the CCPA, if a company engages in deliberate data misconduct, victims could receive up to $7,500, compared to the 4% of annual turnover rule of GDPR.
"I think something like an FTC approach is valuable. Why? Because it's flexible," said Cleland. "It gives a group of folks the time, the energy and the resources to take a look at what's happening," instead of a drawn-out trial, as was the case with Facebook.