America's GDPR

The watering down of consumer data privacy legislation

Ranjan here. Today I'll be talking about the California Consumer Privacy Act.

It's a consumer data privacy law that's being called "America's GDPR" and will go into effect on January 1st, 2020. The connection to GDPR feels right. People are freaking out about being compliant, while law firms and vendors are advertising their related services, yet no one seems to have a clear idea how this all plays out.

A major difference between the two is GDPR starts at opt-in, meaning it protects consumers from the point of signup on how their data is collected and processed. The CCPA focuses on helping consumers opt-out, easily deleting their data or preventing the sale after it’s already been collected.

The planks of the CCPA, from the perspective of a Californian consumer are:

  • I should know exactly what personal data a company has collected about me

  • I should know if and to whom that data was sold*

  • I should be able to say, "No, you can't sell my data" (we've heard talk of requiring a big button that says this!)

  • I should have full access to any data a company has on me

  • Even if I say you can't use my data, I should get the same prices and services (unless the service requires my data)

*A quick note. The legislation very explicitly provides a broad definition of "selling" data, so firms can't smirk their way to innocence by simply repeating "We don't sell your data":

The law also has a broad definition of what is meant by “sell.” It covers numerous other broad-strokes actions including “disclosing, disseminating, making available, transferring” personal data, and more. Many large companies, notably Facebook, insist that they do not sell user data, instead serving as a kind of all-knowing intermediary that tries to pair up advertisers and consumers with complicated targeting algorithms.”

It all sounds fairly well-meaning and a step in the right direction for consumer privacy. So will companies try to fight this or water it down?

A Sad Day

As I sat down to write this on Thursday evening, there was major breaking CCPA news:

Under California’s data privacy law, which is set to take effect next year, consumers may file complaints to the state attorney general over alleged violations of privacy rules, but can sue over a data breach.

The new bill, introduced in February and endorsed by the attorney general, would have strengthened that law to enable consumers to sue over any alleged violations.

Adam Schwartz, a senior staff attorney at the San Francisco-based privacy group the Electronic Frontier Foundation, said the bill’s failure marked “a sad day for consumer data privacy.”

This is a big deal. Violating GDPR can result in a state-imposed fine as high as 4% of your revenue. But it's still a fine. With CCPA, consumers will be able to sue over a data breach, but that’s something that already happens in every big hack. The big proposed change was the threat of civil litigation for a CCPA violation. If you asked a company to delete your data and they didn't, or if you told a company to not sell your data, and they still did, you could sue the violating company directly.

Frivolous lawsuits are certainly bad for any business climate. But an element of fear could provide the checks and balances that have been woefully missing from the system. We watched Facebook's stock jump 8% after disclosing they were expecting a $5 billion fine from the FTC, because that was getting off easy. Imagine if there was a justified threat of civil litigation for every one of their repeated data scandals. The “we made mistakes and know we need to do better” approach just wouldn’t cut it.

Federal vs. State

Another, seemingly reasonable argument against CCPA is that having one state pass a law will end in a patchwork of fifty laws, making conducting a digital business nearly impossible. Instead, this should be done at the federal level.

The logic here is sound, but so is the lobbyist money. The Intercept wrote on how much money has been flowing into think tanks fighting against strong federal data privacy laws. The publication effectively predicted the end of the Right to Sue that was defeated last night, one month ago:

Meanwhile, actual tech industry lobby groups are pushing federal legislation along the same lines as that proposed by the tech-funded think tanks. One of the largest lobbying groups for Silicon Valley, NetChoice, has rallied behind Sen. Marco Rubio’s, R-Fla., privacy bill. His bill would roll back state regulation and place enforcement authority largely under the Federal Trade Commission, a notoriously toothless federal agency with no rule-making power, instead of letting consumers directly sue tech companies under the law.

The idea of having to divide up an email list into 50 different segments by state location, subject to 50 different laws, is horrifying. But the state of California has been pushing the national legislative conversation in the right direction for decades when it comes to car emissions. If it takes the action of an individual state to get the discussion around consumer data privacy moving, that’s a good thing.

Side note: Contrary to conventional stereotype, in this debate Democrats are lining up as the states rights champions, while Republicans are pushing for increased federal power:

One of the major sticking points will be how to treat state laws. Republicans and industry representatives are pushing for anything Congress passes to override such measures. Democrats and privacy advocates say that’s acceptable only if the federal law is as strong as California’s.

But, what about the startups?

Another argument repeated throughout the GDPR debate, and often seen in response to any regulation, is big tech lobbyists expressing “concern” that legislation would hurt startups and entrench incumbent power. The reasoning goes, the big guys have the lawyers and resources to get compliant and small companies don’t. With the CCPA, this line of argument gets even more specific:

Google, Facebook, and even Amazon have a strong selection of data they can leverage that would be considered first-party data. They could easily shut down all third-party data sales on their platforms and potentially acquire a larger portion online ad dollars because they offer better targeting. The remaining 15%-20% of the ecosystem would settle on a few providers that could withstand the implications of such a California law.

It’s a bit precious to hear incumbents that have spent years crushing any semblance of burgeoning competition asking to water down regulation in the interest of those startups. This was an actual quote from a April 2018 WSJ piece in the run-up to GDPR:

At Facebook, Emily Sharpe, a privacy and public-policy manager, said the firm has created a website and is holding workshops to help small and medium-sized businesses comply. CEO Mark Zuckerberg recently told the U.S. Congress: “A lot of times regulation by definition puts in place rules that a company that is larger, that has resources like ours, can easily comply with but that might be more difficult for a smaller startup.”

Um…thanks, Mark?

Winners for the next 20 years

Finally, a recurring concern is that the CCPA will hamper technological innovation. The argument is that a laissez-faire lack of legal protections were critical in allowing California to birth the big tech companies. If we weigh down American companies with stringent data protection regulations, we will lose ground to countries that aren’t burdened by the same.

This is where I strongly believe we should be the right side of data privacy history.

The winners of the past twenty years were defined by companies that sucked up as much data as possible. Do you believe that is what will define the winners of the next twenty years?

My co-host Can has discussed a shift from the mentality of data-as-an-asset to data-as-a-liability. It’s highly relevant to legislation like the CCPA and GDPR, as these laws force companies to become more conscious of their data workflows. They force you to stop and evaluate how they collect, process, and potentially sell consumer data. It’s a mandated shift away from the mindset that you should just collect as much data as you can, as fast as you can. There are finally some consequences.

Better Data

I’ll finish by connecting this back to the US-China technological rivalry and trade war, because that’s what is constantly on my mind. That idea that more data is intrinsically better has been a regular argument for why China has an advantage in the next decade. 1.4 billion people generating data primarily on mobile phones, combined with a lax attitude towards data collection means unparalleled machine learning models, is how the argument goes.

I kind of agree. If it comes down to a simple competition of who has the most data, American tech giants will inevitably lose. But, perhaps a company’s ability to handle their data will slowly become a competitive advantage. Not just in siphoning consumers away from irresponsible competitors with the promise of trust, but even in building smarter models that use “better data” rather than more data. Maybe that’s how the winners of the next twenty years will define themselves.

A Song

In other legislative news, a proposal from my home state of Massachusetts:

Make “Roadrunner” the official rock song of Massachusetts (H 2739): The Committee on State Administration and Regulatory Oversight held a hearing on legislation making “Roadrunner” the official rock song of the commonwealth. Natick native Jonathan Richman led the group Modern Lovers who sang the tune as a 1970s ode to the joys of driving along Massachusetts’ Route 128 late at night. The bill is sponsored by Rep. David Linsky, D-Natick.

It’s hard to explain, but this song is as suburban Boston as it gets: