Will California’s new privacy law set the standard for data protection?
Photo: Getty Images

Will California’s new privacy law set the standard for data protection?

California last week passed what’s believed to be the nation’s toughest data privacy law, a measure the National Retail Federation (NRF) has described as “deeply flawed.”

Under the new law, California consumers will have the right to:

  • Know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it or selling it to. Those opting out can’t be charged more or treated differently than those who don’t;
  • Tell companies to delete, stop collecting and stop selling or sharing their data;
  • Be informed of what categories of data will be collected before it’s collected and to be informed of any changes to that;
  • Require businesses get permission before selling any information about children under the age of 16;
  • More easily sue companies for a data breach.

The legislation also gives the state’s attorney general more authority to fine companies that don’t adhere to the new regulations.

The act takes effect Jan. 1, 2020.

The bill was rushed through California’s State Legislature last Thursday without opposition, just hours before a deadline arrived for withdrawing a stricter ballot measure that was set to arrive for November elections. Tech companies and legislators preferred the bill to the ballot measure because it provides more flexibility and time to make revisions.

A string of data breaches and scandals led by Cambridge Analytica have resulted in calls for greater protections. The legislation is not as strict as Europe’s GDPR, which calls for tighter deadlines around data breaches and potentially heavier fines.

But tech company lobbyists have argued that there wasn’t enough public debate on the California’s law and are expected to seek to relax the guidelines before they become law.

In a statement, NRF SVP for government relations David French asserted the legislation “will expose businesses to unwarranted lawsuits” and potentially take away the access to data that supports loyalty programs, personalized offerings and other special services that consumers have come to expect.

Mr. French said, “Retailers strive to protect their customers’ data, but data is the backbone of any good retail business.”

BrainTrust

"Winning in retail is about making adjustments to our models, no matter how wedded we are to them. "

Tom Dougherty

President and CEO, Stealing Share


"Retailers who are concerned about this should channel that concern into writing nice, clear value propositions to their customers..."

William Hogben

CEO, FutureProof Retail


"I think it’s a great initiative. We’ll see if it stays intact by the time it’s implemented or if lobbyists successfully get it gutted."

Ken Lonyai

Consultant, Strategist, Tech Innovator, UX Evangelist


Discussion Questions

DISCUSSION QUESTIONS: What do you expect will be the practical effects of California’s new data privacy law on consumers and retailers? Do you expect other states to enact similar legislation? Will business interests lobby federal legislators to pass a national data privacy law that would be less restrictive than California’s new law?

Poll

18 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Lyle Bunn (Ph.D. Hon)
Lyle Bunn (Ph.D. Hon)
5 years ago

We could see during the Zuckerberg hearings how the pendulum would swing hard in the other direction away from the power of platforms. The question is how fully consumers will engage in exercising their privacy rights and what will be the strength of consumer representation against the commercial interests of a range of business types? The massive opt out by consumers that would upset the digital advertising business models is an unlikely scenario.

Mohamed Amer
Mohamed Amer
Active Member
5 years ago

California’s new data privacy law begins to address consumers’ concerns for their own data and shines a spotlight on ownership and legal, if not appropriate, uses of such data. This is a process and not a final play as we come to terms with how to deliver on customer expectations and protecting data. Strong and transparent identity management will be key to future commerce growth.

Max Goldberg
5 years ago

Should California’s data privacy law stand, meaning that the GOP doesn’t pass a federal law that disallows states from setting their own standards, it will set the bar for other states to follow, much as the state sets vehicle emission and mileage standards that are copied by other states. Of course businesses will cry that the sky is falling. But CA’s standards are less stringent than Europe’s, and companies continue to successfully do business there.

Tom Dougherty
Tom Dougherty
Member
5 years ago

Consumers have developed a desire for greater control. They are demanding control over the data we collect.

If we have learned anything in the past five years it is this — the dog is now wagging the tail (another way of saying the customer is always right).

Winning in retail is about making adjustments to our models. No matter how wedded we are to them.

The California law is just the beginning. It may have been rushed. It may have been poorly vetted. But it is the future.

So my message to retailers is this: OWN it. Let the customer know you embrace their privacy. Give them choices. One of the choices they might just make will be loyalty to YOUR brand.

Neil Saunders
Famed Member
5 years ago

Managing and gathering data will inevitably become more expensive and complex in California. That said, consumers will now have much greater control over how their information is used and, on balance, that’s a good thing.

Given the law doesn’t take effect until 2020, there is plenty of time for retailers and others to adjust. That includes putting in place new technologies, perhaps blockchain type solutions, to manage permissions and data contracts. We may also see a range of third-party data management firms spring up.

I expect other states are watching California and would expect a number to adopt similar measures.

Ed Rosenbaum
Ed Rosenbaum
Member
5 years ago

Consumers have advocated for more control over their information and how it is saved and/or used. I doubt the retail associations will be pleased with it; but it is what it is, at least for the foreseeable future. We can only wait and see what the Federal government, as unpredictable and dysfunctional as it is, decides to do. Hang on to your hats, the battle has yet to begin.

Cathy Hotka
Trusted Member
5 years ago

We wouldn’t be having this conversation if retail companies had been more adept at leveraging customer information for personal offers. As it stands, though, customers know they’re being tracked, but they can’t be sure why.

Phil Rubin
Member
5 years ago

It’s not a surprise nor is it disappointing that we have a line in the sand drawn by California. There is an absolute certainty that this type of regulation, not necessarily in this exact form, is not only needed but one that will be welcome by a majority of consumers. California has always had higher standards for data collection and use so their lead is appropriate, as are the provisions in the bill for modifications prior to its effective date.

The onus is on brands and marketers — along with lawyers and lobbyists — to offer alternatives to the current data mismanagement that has been taking place for too long. Consumers will share data if they are treated appropriately. This is the essence of loyalty marketing and this kind of regulation is good for brands that prioritize customers, an obvious strategy but one that is hardly prevalent.

Ken Lonyai
Member
5 years ago

I think it’s a great initiative. We’ll see if it stays intact by the time it’s implemented or if lobbyists successfully get it gutted.

David French and the NRF offer a somewhat silly yet expected response. Shoppers will quickly learn that opting out of or restricting data usage will impact personalization and loyalty and they will make individual choices as to what matters most to them. The implied NRF assumption that the data belongs to retailers and not the consumer smacks of the familiar arrogance that opened retail up to upstarts like Amazon. And if complying with data privacy requirements is so challenging, retailers can pack up and move to Europe and deal with GDPR instead.

One note: if more states enact similar measures, expect a federal challenge/appeal to state laws and ultimately a national data privacy policy.

David Weinand
Active Member
5 years ago

Trust and transparency — If a consumer is aware of how their data is being used by a retailer, our research shows that they are perfectly fine with it in order to receive things like a more personalized experience, quicker checkout or product recommendations. As long as there is transparency, there can be trust. Things like the Facebook scandal raise the awareness temporarily but the fervor doesn’t last and busy people get on with their busy lives. So is it up to government to ensure consumers’ data is protected? From what I read about the law, I think most consumers stand to benefit from the protections. Retailers are still not that effective at using data so this will effect them less. “The Four” as Scott Galloway calls them, are the companies that will be affected most and that’s OK with me.

Jasmine Glasheen
Member
5 years ago

It’s about time U.S. legislation at least nodded towards consumer data protection. After the Cambridge Analytica breaches, we’ve seen firsthand the catastrophic results of corporate negligence.

Most consumers are still willing to trade their data for a personalized shopping experience, and those that aren’t are the ones who are creeped out by marketing personalization anyway.

Camille P. Schuster, PhD.
Member
5 years ago

Consumers are rightly concerned about data breaches and they continue to happen. With all the continued data breaches and discussion of the new European regulations, it is not surprising for consumers to demand that something change. With the flurry of notices about companies’ new privacy policies that do not appear to be significantly different, consumers are not satisfied that their data is being protected. When consumers give their data to a company they expect it to be protected. With the continued data breaches, they are not convinced that their data is being protected. Companies should not be shocked or surprised at the California law. They should see it as the beginning of change.

Mark Price
Member
5 years ago

California frequently is in the vanguard when it comes to progressive legislation. The danger of this “early adopter” role is that the state might not get it right in the first go-around, meaning the legislation would require enhancements over time. This situation is the case when it comes to the new privacy law.

Giving consumers insight into how their data is used makes complete sense. Permitting consumers to request that their data be deleted from the company itself places an undue burden on the company and restricts the ability of the company to provide valuable services to consumers in general. And the lawsuit provision needs to be tightened extensively before it can be considered reasonable and effective.

It is understandable that consumers wish for more insight into how their data is being used (both inside the company and as regards selling the data to third parties). This new law needs to be adjusted to make sure it is fair to the company as well as the consumer — adding value to both.

William Hogben
5 years ago

There’s no harm in these laws — they simply require you to get customer opt-in, which is an ethical requirement whether it’s legal or not. The retailers who complain the most about this make me uneasy joining their loyalty programs — sounds like they’re selling my data to lists, etc. These privacy protections don’t even go as far as GDPR, which are excellent protections, and many tech companies today that need to support GDPR in EU are supporting it wholesale in the US as well.

Retailers who are concerned about this should channel that concern into writing nice, clear value propositions to their customers: this is what you will get if you grant access to your data.

Ultimately, this will improve consumer trust and relationships — at least among those companies that decide the customer’s right to control their data is part of putting their customers first.

Craig Sundstrom
Craig Sundstrom
Noble Member
5 years ago

The “practical effect” I suspect, will be small: who, but the most vigilant (if even them) is going to keep tabs on those who keep tabs on them? The “make lawsuits easier” provision, which is probably most alarming to retailers, likely won’t go anywhere either since it conflicts with Federal Law (or soon will, if it has any teeth).

A bill which is “rushed through … without opposition” isn’t going to be some turning point.

James Tenser
Active Member
5 years ago

Data privacy mandates like GDPR and the California law discussed here are tricky because the rules of engagement seem to require that retailers collect more data (specific permissions, opt-outs, history, etc.) in order to manage their customer data bases compliantly.

For retailers, what seems like a high-value asset can also be an enormous liability as more data is accrued and the costs of maintenance and security climb. For consumers, the prospect of duplicate profiles co-existing on dozens of retailer websites should be disconcerting. For data pirates, every one of those retailer databases is a tempting target that will eventually yield to hack attack.

While most of retailers have swallowed the Kool-Aid about personalization, they have tended to ignore the consequences of the inevitable breech. I think it’s time to consider an alternative model in which each shopper or household controls their own secure profile and exposes it selectively at each moment of interaction. These profiles may be protected in the blockchain.

Retailers would still maintain customer lists, but with minimal personal data attached, making them easier to maintain and of minimal value to hackers. This is a radical idea, I concede, but there are a few startups working on this concept already.

California’s privacy law and Europe’s GDPR assume the database marketing status quo will endure, but in fact they may tend to accelerate change.

Ricardo Belmar
Active Member
5 years ago

Time can’t be turned backward. Once the data is collected — and boy has consumer data been collected — it either needs to be well-protected, or there will be nasty breaches that erode trust. Legislation like California’s, and GDPR, serve consumer interests by protecting that data and building trust via transparency in the process. That’s a good thing!

CA’s law is less stringent than GDPR and given where most retailers stand in their ability to leverage the data they have for personalization, etc., I don’t see many being hampered at all by this. These laws are really meant to go after “big tech,” aka “The Four” as Scott Galloway calls them as they tend to be the ones who eschew transparency in the interest of providing free services. For the retailer, the need to demonstrate value from collecting shopper data will not change. Most consumers say they are willing to trade personal data for value as most studies tell us today. By putting more attention on this issue as a whole, it will only cause retailers to be more transparent and conscientious about how they use the data to deliver a better customer experience. Again, that’s a good thing!

Joanna Rutter
Member
5 years ago

To me, as an action step for retail businesses, this legislation just calls out the importance of using anonymous/personally unidentifiable information to drive strategy alongside personally identifiable data. Don’t put your eggs in one basket sort of thing. A healthy blend of different data gathering and usage strategies will mean that your business can adapt to announcements like these without getting whiplash. Not to mention that the insights you can gain from anonymous data (such as: Stores in the Midwest receive more foot traffic in the afternoons than in the Southeast, or, Staff generally respond to anonymous employee surveys as “Sad” after poor weather in their region) can often have bigger positive effect on your bottom line than a hyperpersonalized remarketing ad campaign.