“One swallow does not a summer make, nor one fine day,” the philosopher said. Similarly, one set of regional privacy regulations — even as stringent and sweeping as GDPR — didn’t signal a global rush to protect consumer data. But when it’s followed by CCPA, we have a trend.
Tiffany Morris, general counsel and VP of global privacy at leading DMP and data exchange (and Acxiom partner) Lotame has some negative things to say about the California legislation; not so much about its good intentions, as about its hasty drafting and unclear implications. “There’s a t-shirt going around the privacy community that references the statute, and on the back it says ‘What’s your favorite typo?'” Thrown together, said Morris, the statute shows inconsistencies in terms of policy motivations, and it’s also uncertain how some provisions will be enforced. In particular, it reflects a polarization of views on the issue.
“You have a contingent of privacy advocates who are really opposed to the use of consumer data for marketing purposes, and they’re opposed to it as a whole. That’s different from the industry saying ‘We hear your concerns on the privacy side, but let’s articulate what those concerns are. There’s likely a category of data use that’s okay, as long as we’re disclosing properly to consumers what data is being used, and for what purposes, and giving consumer control and flexibility. There’s a bit of an ocean between the two groups.”
Click on the Acxiom banner to find all our Data Privacy Week articles, and articles on the topic from earlier this year.
As Morris points out, the fundamentalist position against the collection and use of data for marketing purposes is somewhat unrealistic. “Everyone is in the business of data, even companies you view as traditional. Everyone is using data from consumers in some way. This is not going away, and we need to find a way to navigate these issues between the industry and the privacy advocates.”
In other words, this isn’t a situation like the Do Not Call Registry, where a consumer can sign up and forget about it. Data is central to the kind of digital experience consumers in many ways value, and also supports many services consumers take for granted as free. Morris agreed. “What would the consumer reaction be if Facebook, for example, started charging monetary fees for use of its service? You don’t know until it actually happens.”
This doesn’t mean Lotame supports the opposite extreme; a data free-for-all. “Our view is that both GDPR and the California privacy act are good for the industry in some ways. It forces companies to articulate clearly to consumers, in consumer-friendly terms, the types of data they’re using, how they’re collecting the data, and the purpose behind collecting it. We like the idea we might have some consistency between regions, because there are some business costs to operating differently in Europe than you do in the U.S.”
Beyond that Lotame, like many tech companies, does hope to see federal legislation on the issue. “How do you navigate this law for a specific category of data on Californian residents in a world where you may not in fact want to know if the data is connected to a Californian.” Here Morris hits on one of the deep ironies of data regulation. Data processors need to collect, and maintain, a lot of personally identifying information about individuals, simply in order to ensure that they are complying (and can demonstrate compliance).
“Consumers have broad rights to seek information about how companies use their data; and in doing so they provide personal data to a company like Lotame that Lotame would not otherwise have access to. We have a consumer who says ‘My name is John Doe, here’s my passport number, here’s a copy of my government issued ID, tell me all the data you have about me.'” Lotame’s dilemma is that it has no way of validating identity, precisely because it doesn’t collect that type of information.
Hard though it is to imagine Congress failing to act swiftly and decisively, in the absence of federal legislation, are more state-based regulations likely? “I think you have certain states that are always a little more active, and I think you will see more state legislation, although I am really hopeful for federal legislation.”
Morris declined to comment on the Privacy International complaints which she has yet to fully review.