In California, the ballot includes a “yes/no” on the California Privacy Rights Act (CPRA), which represents the evolution of the California Consumer Privacy Act (CCPA). The CCPA has become the de facto U.S. privacy rights mandate because California is the largest economy, the site of Silicon Valley, and the most progressive state on consumer privacy. The rest of the U.S. looks to California on the topic of data privacy, and this next piece of legislation takes it one step further.
The CPRA provides more info on enforcement of the CCPA, but it also enables consumers to maintain access to their data for the purposes of managing or updating that information. Consumers can also restrict access to their data and label some PII as “sensitive,” making it even more protected. Companies that expose this sensitive PII would be affected even more harshly, thereby raising their burden. Effectively this legislation makes it harder for companies to utilize data. If this happens, plus the recent announcements by Google and Apple create a world where walled gardens will thrive, and data is no longer the “oil” of internet business, data effectively becomes a virus -- and most companies are going to avoid it like the virus that creates the plague.
That being said, there’s a difference between first- and third-party data. First-party data that stays within these walled gardens can be used, while third-party data goes the way of the dodo bird and become extinct. Google, Facebook, Amazon, Apple and the cable companies/telcos are all examples of large corporations that can still use first-party data across multiple platforms and be successful. They will have high bars on data security placed on them, but that is nothing new. They already have to abide by that level of scrutiny.
All of these companies are already, for the most part, trusted by the consumers. There is a mutually beneficial relationship at play here and their success stems from providing consumers a service they enjoy. The tradeoff is fair. The CPRA will only serve to create a platform through the consumer can update and restrict access more closely.
I voted for CPRA. I spent a good portion of my career in data used for marketing and I know its value, but I am also a consumer and I know that my data privacy is important. I have had people pretend to be me, and I know the pain associated with data fraud. I have also seen GDPR and the impact it has had on marketing and advertising outside of the U.S. I know that while it restricts some tools and tactics, it has not stopped marketers from being targeted. It just means you have to increase the level of consumer consideration in your go-to market efforts. I find that to be a fair tradeoff.
The digital media business is filled with literally hundreds of thousands of companies that want to use your data. Check out a LUMAscape or a martech slide. You can see it for yourself. Can you possibly trust all of these companies to maintain that same level of data security? It’s simply not possible.
I like the CPRA because it holds companies more accountable and is more in line with the GDPR plus the consumer access step, which I think is valuable. I know enough people who have tried to create a virtual marketplace for data access and the ability for consumers to monetize themselves properly. This might make that feasible, or at the least it will provide a way for consumers to be in more control of what people do and say to them in digital media.
The times are a changing. The dodo bird is but a memory, and a cliché we can all tap into. I wonder if third-party data will become that same memory and cliché?