Sometimes they have the best intentions but don’t quite make the impact they intend to make. Other times, they can even cause the exact opposite of their intent. Unfortunately, for the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), that is exactly what has happened.
Before jumping into the unintended consequences of these two California laws, it’s probably best to explain what they are. Both laws were made with the intent of protecting the privacy of California consumers by making a set of requirements for medium and large businesses on what they can, and cannot do with California consumers’ data. Here’s a simple breakdown.
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
CPRA expands upon CCPA and adds (among other things), the following new specifications:
- Right to Restriction - Granting consumers the right to limit the use and disclosure of their sensitive personal information.
- Right to Rectification - Consumers will have the right to add and update information, as well as correct inaccurate data.
- Right to Verifiable Requests - Consumer requests for the right to deletion and disclosure of their personal information must be verifiable and specific to the issue being addressed.
OK, so now that we have all of the definitions out of the way, let’s get into the meat of the issue. On the surface, all of these rules look like they are great for consumers. It would seem to allow a consumer to take control of the data that companies know about them as well as what they do with that data. I think all of that is true. The laws certainly accomplish this for the consumer.
Where the issue comes in has more to do with some assumptions that these laws make. Keep in mind that these laws were not just made for huge corporations like Google and Meta. They are made for every company with over $25 million in gross revenue or ones that buy, sell, share or receive the personal information of 50,000 or more California residents. (Reference)
While that may seem like a pretty high threshold for being required to follow these laws, you’d be surprised (or maybe you wouldn’t) to know that there are literally thousands of companies that fall within these guidelines. It’s not just big tech companies who are gathering your data and selling to the highest bidder. This law affects tons of medium size businesses that obviously run marketing departments and gather information about their customers.
So, what’s your point? You may be asking.
Well… I think that this law assumes that all companies out there are actually capable of keeping the data they collect about you organized into a nice, neat package. This law assumes that every company is Google. That they have one specific file for you and they would be able to produce that file for you to review, edit, delete or whatever else you want done to it.
In the real world, marketing is messy. Not all companies have their digital ducks in a row. In many cases, data is siloed into completely different systems and a company would be extremely fortunate if they could actually tie it all together to make a full 360-degree view of you. If they could do that, their marketing efforts would be much more effective!
So this is where the problem lies. I believe a vast majority of companies that fall under CCPA and CPRA didn’t see this law as a challenge due to its intent. They instead saw it as a challenge because they now have to be able to gather all of the data they know about you into that nice, neat package I mentioned above. Then, after they got over the hurdle of gathering all our data into one place, they realized that the state of California actually did them a HUGE favor.
These laws have single-handedly required every medium to large company that serves California consumers to create a singular view of each and every one of their customers. Sure, this is required to meet the letter of the law, but now they actually have all this data in one place. This is a marketing department’s wet dream! Every customer’s full set of attributes at their fingertips. Targeted marketing built upon a full picture.
So the next time you see that ad in your browser that seems to know you all-too-well, you can thank the California legislature for thinking about consumer privacy first and forcing every company to get their data in order.
Oh, and one last thing. For those of you who don’t live in California, this affects you too! Remember that these laws are not for California companies. These laws are for California consumers. If you do business with a company that sells things to Californians, they likely had to jump through these hoops and I highly doubt they did it just for their California customers. They probably just did it for everyone.
But hey, it’s not all bad, right? At least you won’t get served a bunch of ads for things you don’t like.