Imagine your private online searches and activities appearing in a stranger’s account just because you shared a Wi-Fi connection.
Imagine a hacker being able to see all your personal online activities simply by gaining access to your e-mail or spoofing your computer’s Internet address.
Imagine a law that forces supermarkets, gas stations, and other stores to shut down their loyalty discount programs because they can no longer keep information about customers.
Sound like a privacy nightmare?
These are just three of the potential unintended and negative consequences of a new California law designed to protect your privacy, the California Consumer Privacy Act.
Happily, there is still time to fix those problems and ensure the law achieves its intended goals of improving access, control, transparency, and security around the personal information of consumers, as Attorney General Xavier Becerra begins considering those issues in a series of public hearings across the state.
For background, the Association of National Advertisers represents the brands behind nearly every advertisement you see in print, online, or on TV. The association’s membership includes nearly 2,000 companies and marketing solutions providers, encompassing 25,000 brands and more than $400 billion in annual marketing and advertising spending.
Our members use data to reach the right consumers with their advertisements, so we want to be sure data is used in the right way, protecting privacy while continuing to encourage economic growth and innovation.
My association strongly supports the goals of the California Consumer Privacy Act, and we want to help the attorney general ensure it achieves those goals. Unfortunately, the law as written creates confusion and risk for consumers. Among the areas needing clarification or adjustment:
The law does not distinguish between more and less privacy-sensitive types of data. So it applies the same standards to personal information that specifically identifies a person–like name and e-mail–as to broad categories of interest or demographic data–like avid travelers or sports enthusiasts that are not easily connected to individual consumers. To give users access required by the law, companies may be forced to connect previously unconnected pseudonymous data to individual accounts, meaning your private late-night searches could be linked to your actual name or e-mail address.
The law gives consumers broad rights to access the data companies have collected about them. But there is no easy way to ensure that an unregistered user is the person he or she claims to be. As a result, companies may have to use weak identification methods like IP address or e-mail address, putting data at risk to unauthorized or accidental access.
The law prohibits companies from discriminating against users who delete their data or opt-out of having it shared. That provision could force popular loyalty programs offering discounts for things like gas, groceries, and shopping to end discounts or shut down, as they need that information to operate the programs.
Clearly, the legislators who passed the California Consumer Privacy Act never intended it to force companies to engage in less privacy-protective practices in the name of increasing user privacy.
Unfortunately, that’s what the law as written has done.
The Association of National Advertisers and our colleagues in the digital advertising industry stand ready to work to ensure that the promise of the California Consumer Privacy Act is realized, not undermined by language that would move consumer privacy in the wrong direction.