After two decades without regulation, a recent run of data breaches, privacy scandals, and a jarring wake-up call from the Special Counsel's office involving Facebook and Cambridge Analytica has brought us the recently-passed California Consumer Privacy Act, also known as CCPA. The act has been positioned as a template for common sense privacy regulation. But for all its good intent, the CCPA needs additional scrutiny.
The CCPA came into law riding a tide of activism. With petition in hand, the privacy folks did their thing and attorneys from Google and Facebook did theirs, but the rest of us stakeholders, who also build and sell solutions online, had little, if any, input into how this sausage was being made or the impact it may have. How could we? While GDPR was the result of a four-year legislative process, the California legislature spent only seven days to rush into law what one law professor called a "privacy bomb." But while legal experts have sounded the alarm that the CCPA is unworkable, burdensome, and possibly unconstitutional, our real concern should be for consumers and the choices they are about to lose.
Full disclosure: My company, Semcasting, is one of many programmatic marketing providers that may face a financial hit from CCPA. Semcasting is a compiler of public data on households and businesses that provides advertising and attribution solutions to agencies and brands. Like the vast majority of marketers, Semcasting acts in good faith for clients that also have ethically sound business reasons for engaging with select consumers based on their profiles. But I'm not just talking about the impact on us. Legislation that forces the systemic removal of digital profiles and identities effectively cedes control of the innovation economy to walled gardens like Amazon, Google and Facebook.
Consider the impact of the law's overly broad definition of personally identifiable information combined with opt-out rules amounting to an effective ban on predictive audiences, location and segmentation models. Under CCPA, a small business violates the law if in one year it buys, receives, sells, or shares the personal information of 50,000 California residents who have opted out of such uses for their data. But even the smallest retailers must cast a wider marketing net than 50,000 leads, and where do you think those leads come from?
Before CCPA, a retailer fueled their lead generation by buying data and audience models from third-parties; with CCPA, the only source of leads at scale would be brokered from within the black boxes of Amazon, Facebook and Google's walled gardens.
Consider the plight of a startup building a consumer-facing service. Today's ride-sharing apps, meal delivery services, and games wouldn't exist without third-party data because they're "seeded" applications that require an initial user base from which developers can draw insights and make refinements. To enter the wider marketplace, startups need access to new users to maintain the company's viability on the road to profitability. Again, where does the California legislature think innovation and the users that benefit come from?
Privacy is important, but privacy that cripples marketing deals a substantial blow to consumer choice because it limits the use of personal information to only those who already have the leverage to demand consent. I don't think Californians (or anyone else) want the walled gardens to pick winners and losers, but that's what the CCPA does.
Privacy activists rail against the intrusions of the commercial internet but fail miserably when it comes to defining what actual harm has been done. Is a targeted ad from your local grocer worse than the daily nonsense email updates from your Facebook feed? Is an ad on your browser more harmful than seeing a billboard on the road? Are personalized ads worse than being monitored by camera at a crosswalk, in a 7-11, or being tracked by the Quiet Skies program in an airport?
To be sure, there will be trade-offs. But that's the point. Consumers need to understand both the benefits as well as the risks. We need a legal framework for privacy that actually defines misdeeds or criminal intent. Our privacy rights cannot be a reactive move that extinguishes consumer choice.
We need an institutional response that reconciles the consumer concern embodied by the CCPA with the goals of commerce. Rather than adopt the overreach of CCPA's framework on privacy, let's make the case that consumer choice must be our North Star for sensible privacy legislation. Because a marketplace shaped by privacy zealots isn't the marketplace consumers want.