The funny thing about data security and consumer privacy is that people don’t care about it… until they do. A 2018 consumer survey on the subject executed by marketing campaign management company Sailthru revealed that over 60% of consumers think that they should be responsible for protecting their own data[1]. The problem of course is that most consumers have no idea how their data is being used until something goes really, really wrong.

Here’s an example from my own life. Six weeks ago I received a dunning letter from a collection agency for an unpaid balance for TV cable service at my Laredo, Texas home. But here’s the problem: I don’t live in Laredo, Texas, and I’m not even sure whether it’s closest to Dallas, Houston, Austin, or somewhere else (the sum total of my knowledge of that place is summed up in the Marty Robbins song “Streets of Laredo”). Even a cursory credit check would have revealed that I live in California. Before I could even fire off a response to the collection agency and the cable company, I also got a notice from Experian to tell me that my credit rating had plummeted 150 points. Fast forward six weeks, and the issue is resolved, but the cable company (Charter Communications) still can’t tell me how it is that the fake account got past the simplest of credit checks.

In the news, the hits just keep on coming. For example, a massive data breach was recently discovered with an opensource server maintained by Elasticsearch. The database, which contains 4 terabytes of enhanced consumer data (from social media sources like Facebook and LinkedIn, combined with names, personal and work email addresses, phone numbers, Twitter URLs, and other data commonly available from data brokers), was accessed by cyber-criminals and the profiles of more than 1.2 billion people were exposed.

The sheer accumulation of bad news from virtually every industry is overwhelming. Consumers really are at the mercy of companies like Facebook, a key player in the notorious Cambridge Analytica scandal. So (going back to the Sailthru study), when asked the question, “Do you believe that the U.S. government should regulate how companies can use personal data?”, about 60% of consumers said “yes!” While the U.S. Federal government hasn’t acted yet, California has, reinforcing the cliché that “what happens in America happens in California first”.

That brings us to the impending California Privacy Law, or “CCPA”. The law goes into effect in January 2020. Broadly, the law defines how consumers can discover the specific “who, what, & why” about how data about them has been collected, mandate how consumers can request that a company delete data collected about them, and how consumers can deny a company from selling their personal information to third parties (in June 2018 the National Retail Federation published a good summary of the key components of the regulation, footnoted[2] below).

On October 10, 2019, California state Attorney General Xavier Becerra announced the regulations of the CCPA. In short, they are as follows[3]:

• Notice to consumers: Businesses must gain consent from users at or before the time of data collection
• Business practices for handling consumer requests: Businesses must offer a means for users to access, request, or delete their personal data
• Verification of requests: Businesses must be able to verify user requests
• Special rules regarding minors: There are separate specific requirements for minors under 13 years old, and minors aged 13-16 years
• Non-discrimination: Businesses cannot discriminate against consumers based on if those consumers exercise their data protection rights. However, businesses may offer different services that pertain to the consumer. This requires calculating the value of consumer data.

To date, only California has passed such a comprehensive law, although nine other states (Hawaii, Massachusetts, Maryland, Mississippi, New Mexico, New York, North Dakota, Rhode Island, Washington) are debating similar law, and more are thinking about it. There is also a law before the U.S. Congress called the Consumer Information Privacy Act, which would supersede (and some say, water down) the California law, but the bill has been postponed.

It is also worth noting that the California law, while similar to the already active European Union GDPR (General Data Protection Regulation) law, contains some important differences that have to be taken into consideration.

The Bottom Line: Lead Or Follow, But You Can’t Get Out Of The Way

Many businesses, as well as the National Retail Federation, have expressed strong concerns[4] about the effect that the CCPA will have on retailers. Nonetheless, the legislation is marching toward enactment, and there is very little time left for retailers to get in line.

Clearly, the laws being implemented or considered are a direct response to growing consumer concerns about the privacy and security of their information. The California law was the result of a move by then-Governor Jerry Brown to prevent the proposed legislation from becoming a ballot measure in 2018. But even before the resulting legislation is enacted, a proposed new set of regulations that would strengthen protections to consumers is headed for a ballot initiative in the upcoming 2020 elections.

Whatever your opinion is of the idea of letting voters determine the law for as issue as complex as this, it is clear that government inaction is triggering a widespread response among consumers (voters). Continued data security lapses and wishy-washy commitments to protect people’s data rights by entities such as Facebook seem to be further inflaming the masses.

So consumer-facing businesses are really down to one choice: compliance. While they may choose to follow rather than lead, they can no longer get out of the way.

[2] http://d22f3d5c92fe72fd8ca1-d54e62f2f7fc3e2ff1881e7f0cef284e.r22.cf1.rackcdn.com/Memo%20Attachments/Summary%20of%20Cal%20AB%20375%20amnd%20June%2025%202018.pdf

[3] Quoted from https://www.skysync.com/ccpa-compliance-checklist-preparation/

[4] https://nrf.com/sites/default/files/imported_files/imported_files_other/DataPrivacy-2018-California-AB%20375%20Floor%20Letter%20Oppose.pdf