Californians have spoken: Proposition 24 will soon expand data privacy protections in the largest state in America.
Absent national privacy regulations, Prop 24 will become America’s de facto privacy law when it comes into effect in 2023. It’s simply more economical for companies to comply nationwide rather than segment users based on their local privacy laws.
What does the passage of Prop 24 mean for those of us working in tech? Here are a few major themes that will influence how we manage data privacy for ourselves and our customers moving forward. We must start preparing now: time flies, and 2023 will be here soon enough!
We have never had a fully empowered government watchdog of privacy and data protection in America. There’s been no blueprint or path to follow. Until now. Prop 24 creates a statewide agency to enforce the new law, with funding of at least $10 million annually. This finally puts some teeth into California’s newly enacted CCPA, which relied on voluntary compliance and offered few resources to the State Attorney General for enforcement.
With an actual privacy enforcer, the country will align itself with other mobile data privacy regulations, such as the GDPR in Europe. Without a doubt, these enforcement efforts are never perfect. Even so, we must start learning what works and what doesn't when it comes to enforcement. As companies look for ways to circumvent regulations and exploit loopholes, this will be our first true effort to understand and align consumer privacy rights with the profit motives that drive our economy.
Action item: Prepare for stronger privacy enforcement that will require compliance and documentation for any future privacy audits.
Transparency and control are the bedrocks of trust. In our recent National Privacy Survey, we asked 1,001 Americans about their perspectives on the state of privacy in the country. We found that, while 74% of Americans want a national privacy law, only 27% trust the government to deliver on data privacy.
This dismal result shows how the lack of transparency and control has dramatically reduced consumer trust in the institutions and corporations that decide many of our privacy rights for us. The distrust breeds suspicion and disempowers consumers.
In a nod to increased control, Prop 24 adds a new right to limit data sharing, which isn’t currently a protection offered by California’s existing CCPA law. This is a step in the right direction. However, consumers want more than just the right to limit how companies collect, use and share their data.
In fact, 83% of Americans surveyed said they want the right to set an expiration date for their personal data. This functionality may be complex to deliver at scale but it is the true benchmark for control.
Data expiration controls empower consumers to determine the ideal privacy parameters for their unique needs, all on a case-by-case basis. That’s true transparency and control.
Action item: Innovate now to head off potential regulation later. Consider ways to enhance transparency and control to win consumer trust -- and loyalty.
Prop 24 raises the threshold for privacy compliance from 50,000 customers or households per year to 100,000 customers or households per year. The new threshold protects more small businesses and ensures that privacy compliance doesn't become a drain on profitability that further threatens our vibrant small business community in the middle of a pandemic. The threshold also puts the onus on those companies that have the most outsized impact on individuals’ right to privacy.
The other major development relates to protecting the privacy of our children. Prop 24 triples the fines for violating the privacy of kids, which is something that has been top-of-mind as more kids spend time at home on devices during the pandemic. Even prior to the pandemic, YouTube was fined $170 million and TikTok paid $5.7 million for violating children’s privacy protections. We need to modernize the existing COPPA law, which dates back to 1998 and is woefully inadequate for today’s world.
Action item: Know the compliance thresholds and make a plan if you exceed them. Also, rethink data collection processes for minors.
There's been a lot of coverage around bias in artificial intelligence and machine learning. With many of these technologies operating in a black box environment, in which it's impossible to see why decisions are made, suspicion and distrust are inevitable. However, when it comes to data privacy, these technologies can rapidly sort and segment user data to conform to privacy regulations while still offering the benefits of personalization to both consumers and companies.
The sheer volume of data that will soon be governed by Proposition 24 will accelerate investment and innovation. Companies will need to maintain data privacy while still preserving the reach, quality and precision that their advertising-based business models depend on.
Rather than predicting the end of these advertising-driven commercial models, I see the new privacy framework as an accelerant to a more responsible and user-centric approach to monetizing attention across the digital ecosystem.
Action item: Deploy AI to help you find rogue data, organize it and proactively protect user privacy.
Cookies -- the small files used to track users across the internet -- are on their way out. Good riddance! Cookies were intended to improve the user experience by remembering details about users between sessions. Instead, they became invasive trackers that enabled a massive industry to invade privacy, often without permission.
It’s long past time to rebalance the dynamic. Consumers have a right to privacy and the industry must catch up. We need to prepare for our cookieless future and create solutions that offer insights and anonymity simultaneously. We can no longer expect to know everything about consumers in a permissionless environment; rather, the marketing industry must evolve with innovations that aggregate data in useful ways while preserving privacy.
Most people are OK with this type of anonymized aggregation, also called “differential privacy.” It’s a data collection framework that collects data in aggregate without ever revealing the identity of individuals. It can even be used to automatically ensure that data sharing across borders conforms to local privacy laws.
With Prop 24’s adoption in California, data sharing now respects personal privacy by preserving anonymity and never gathering or storing personal information. Rather, it aggregates activity and uses pattern matching to deliver insights comparable to other methods but without compromising an individual’s right to privacy.
Action item: Focus on first-party data. Build data collection protocols to anonymize and segment in privacy-compliant ways, which will also future-proof your marketing operations.
Most Americans don’t feel like their privacy matters enough to the corporations that monetize it and governments that regulate it. That’s a major issue that remains unresolved without a national privacy law.
Will our elected officials in Washington address the overwhelming support for a national privacy law -- something that 74% of Americans want, per our national survey? Or will the federal government allow California voters to define the data privacy framework for everyone else?
Only time will tell. But one thing is for certain: It's a new dawn for data privacy in America. And it's about time! Everyone deserves privacy -- and our digitally connected ecosystem must evolve to accommodate both privacy and profit. This is not an idealistic pipe dream; rather, it's the most exciting business challenge of the coming decade.