California’s New Data Law Will Show Us if We Really Care About Privacy
January 28, 2020
On New Year’s Day, a new law, the California Consumer Privacy Act (CCPA), quietly went into effect across the Golden State. The law gives 40 million California residents the right to know what’s happening with their personal online data (what data is being collected, and if and where it’s being sold), to access any and all information a company may have, and, finally, to opt-out of such collection and selling without punishment like slower services or higher prices. California is the first state to enact such a law, similar to The General Data Protection Regulation (GDPR) implemented in Europe, in 2018, a sweeping measure that offers general data protection for all EU residents and marketed as the “right to be forgotten.”
The CCPA has received backlash from a few angles. Consumer advocates say there remains too much onus on users to extract data and information from companies — who, one wonders, has time to keep tabs of one’s data and behavior across dozens of websites? Who has the energy to navigate different user interfaces and read pages of legalese? Who, once there, knows the right questions to ask? And companies aren’t thrilled either, but for different reasons; their guns are drawn to keep the World Wide Web the Wild West. The job hosting site Indeed tells users, “at this time, we are not able to provide our core products and services without these [data] transfers. However, you can still use Indeed to find and apply to jobs to the extent that you wish!” It’s unclear if this stance violates the CCPA. Facebook, with its 2.3 billion worldwide users, also takes issue with CCPA, claiming that its business isn’t in selling data, simply “sharing” it, so, it says, the new law doesn’t apply to 1 Hacker Way. It’s also unclear if this argument will hold. On top of everything, it’s yet to be seen how stringently the attorney general’s office in California enforces the law, if at all.
If looking for precedent, GDPR has already levied some big penalties: Last summer, Marriott and British Airways were hit with $123 and $230 million fines, respectively, for data breaches.
Still, almost a month since CCPA passed into law, most digital companies seem to be playing nice, at least publicly (are you getting all those emails too?). Privacy policies have been updated and appear to mostly abide by the new rules, and some sites, like the media company Vice, has gone so far as to reduce friction for users and offer data opt-outs for all users with one click or tap. Among big retailers, Target appears to be taking the new law seriously. While it isn’t quite holding the user’s hand, the call out is at least illuminated in its footer. So, in these instances, the new California law has already benefited everyone, since rolling out features in one fell swoop is typically easier and cheaper than targeting a fraction of users at a time. And, the real success of the CCPA is possibly still to come; its legacy, not unlike the ‘Fair Pay to Play’ law California passed last year (starting in 2023, college athletes can earn endorsements from their likeness), could be the law it inspires in other states or at a Federal level.
Indeed, in ten years, we may look back on the CCPA and label it a momentous turning-point. There’s a chance our email addresses and our social security numbers and our proclivity for low-top sneakers, size 10, in white, won’t follow us from site to site. Our every movement from home, work, and the gym (or, uh, bar), won’t be tracked, stored, and manipulated into ad campaigns. And if it is, it’ll be because we’ve chosen to actively participate. (The current CCPA allows companies to incentivize users to share data in exchange for discounts and perks.) We’ll be able to browse the web the way we once browsed the public library. The internet, like Andy Dufresne’s Pacific Ocean, will have no memory.
It’s a nice thought. But it’s not going to be that easy. There is too much at stake, too much money and power to lose, too much to exploit. If we’re not careful, what will happen in the next decade is we’ll continue to be tracked, our every swipe and click and trip to the store will be known, the methods of capturing such activity will just be more artful, more hidden. Sure, we may see some surface-level protections put in place, friendly pop-ups allowing us to opt-out of data collection* (*“but only on two pages of our site, and, protections time out after eight minutes”). We’ll have the right, technically, to demand companies send us reams of data to pour through, but it will be organized by nine-digit IP addresses with no coherency or further context. Unchecked, black-hat practices will proliferate undeterred across the industry, and our recourse will be minimal since we clicked the box that made it okay.
Many of us have personally and professionally benefited from a data-collecting internet, one that targets users with a trove of information; much of my UX and writing work does just that. That’s why it’s on organizations like mine (agencies) and others (start-ups, big tech companies) to help improve industry practices. This doesn’t mean outright killing targeted advertisements that, in the aggregate, help support otherwise free services. Rather, it means bettering that user experience — smarter placement, tailored messaging, reliable in-line links — while simultaneously strengthening data management. Studies show we care deeply about our privacy but, like many other abstract threats, they also show we don’t care to think about it often. That tracks. We do have a few seconds to give caring about a website not tracking our location. We don’t have the next fifteen minutes to sift through 2,000 words and six screens to confirm we don’t want our data sent to unvetted third parties. Eventually, people give up, and that’s just what bad actors are hoping for. They take advantage of our apathy and let us punch ourselves out. We have to hold steady and build better systems. Otherwise, all we’ll have is watered-down bills that become laws that become nothing.
This change happens from inside. Everyone within an organization — key stakeholders, designers, strategists, product managers — should be held responsible for eliminating barriers of entry and creating simple ways to turn on and off data collection. We have to build short access to information and concisely explain where data is being used and why. Not only does it have to be simple, but companies also need to feature these services the same way they would a new product line — highlighted, given equal or higher prominence on the page. Turning off the selling of one’s data should, like one-click ordering, be a priority and require low cognitive load for the user. That means the prompt shouldn’t be buried. The writing must be clear. The button has to work. And it has to work on desktop and mobile, on tablets and wearables. A good start is for companies to become platform-agnostic, which lends the same yet tailored experience across multiple screens and devices.
These are difficult conversations. People and companies will sell bad-faith narratives like the Nothing To Lose argument (nonsense; we have everything to lose) or claim services can’t work without squeezing every last bit of personal information from consumers. Profits before anything else. Ignore this and fight back. Because they can work and they can be run responsibly, but only if we make it happen, and soon. Because the alternative is depressing and increasingly dangerous.