This article is part of our Future of Addressability series. Contributors are industry leaders invited to share their perspectives on how marketers can successfully navigate changes brought on by the deprecation of third-party cookies.

    2020 kicked off with the California Consumer Privacy Act (CCPA) granting consumers in California rights over how companies treat their online and offline personal information (PI), e.g., the ability to access, delete, or opt out of the sale of their PI. This topic dominated conversations in the advertising and media industry throughout the U.S. and, while I’m not a California resident, I wondered whether it was widely talked about amongst consumers (I surely wasn’t talking about it beyond the context of my job). I decided to investigate what it would be like to navigate the rights granted by the CCPA—specifically the right to deletion of my PI in the form of what is commonly referred to by consumers as “data”—through my “consumer” eyes. 

    First, I learned of Mine, a tech startup attempting to centralize the process for exercising the rights mentioned above, from one of many daily e-newsletters I subscribe to. Intrigued, I signed up and granted them access to my Gmail account so they could provide a list of companies in possession of my online information. They quickly retrieved and provided an overview of my data. On their “level of data control” scale of 1 to 6, I was deemed a 1 (the average user is around 3.5). This meant I had the least amount of control over how my PI was being used and what for. Oh boy. 

    I clicked on ‘my footprint’ which identified 500 partners—mostly financial and purchase-related data—that had my personal information. I dug in more to see what data they had. I started scrolling and picking companies at random, asking them to delete my PI. It was a manual process that required me to click on every company and make independent requests. I then had Mine send emails on my behalf (with me cc’d) to about 10 companies, more out of curiosity about the experience than anything else. 

    My inbox quickly filled up with emails. All of the companies followed up with an additional action for me to take, ranging from replying with a response to filling out a form on their site. Even for these 10 or so companies, it was starting to feel overwhelming. I didn’t want to consider what the process would look like if I wanted to tackle all 500. 

    Replies varied by company. Some businesses wouldn’t fulfill the request since I was not an actual California resident—fair. One company asked for further details since they “couldn’t find my account” (I had asked them to delete my PI since I wasn’t sure which company it was). Unfortunately, I couldn’t provide what they needed; therefore, my request was not valid. Red tape – 1, Sarah – 0. 

    Moving on, I decided to check out Facebook’s Off-Facebook Activity tool. I first requested access to my Facebook data and then clicked through the various folders, finding pictures and removing friends and messages. It was a lot of data to go through, so I decided not to dig deeper and instead saved it on my computer. 

    Managing off-Facebook activity

    After navigating to Settings and Privacy Shortcuts, I found a link to manage my off-Facebook activity under “Your Facebook Information.” You’d think it would be easier to find… or maybe that’s the point? When I clicked on “View or Clear Your Off-Facebook Activity,” I was shown 360 apps and websites that collected data on me, but that wasn’t even the full list, as I discovered after clicking “Learn More” and reading the disclaimers. Great. I wonder what else is out there. 

    I clicked into random sites/apps to see the number of interactions. Similar to when I tried making deletion requests, I had to go into each site/app collecting off-Facebook activity and then select “Turn off future activity from {site/app name}” and confirm my request. 

    Wow. I couldn’t believe how much I had to do, just to make a request for more control over my own personal information and not to actually have the request granted or complete. CCPA and pending privacy regulations are well-intentioned, but this is the reality: getting a handle on my personal information was (and is) not streamlined or simple to do. It’s all on me—and every other person—to go site-by-site to make individual requests for PI to be deleted. 

    The same is true on Facebook. It takes four clicks per site/app to have future activity not linked to my Facebook account, while they keep the history of all my past off-Facebook activity. Weighing the amount of personal time required to request that my PI be deleted from sites/apps in comparison to the perceived benefit of exercising control over my information, e.g., not giving marketers information to target me specifically, I chose not to pursue the issue further. Red tape – 2, Sarah – 0. Game over. 

    Putting on the Mar Tech hat

    Switching gears, I put on my Mar Tech hat and asked myself, “Will we see a large impact on data availability, as some have been bracing for?” Ultimately, I think the impact will vary by business. Through industry conversations, I’ve heard the impact to ID graphs so far is a low single-digit percentage. 

    Knowing what it takes for a consumer to request their PI to be deleted, I’m not quite sure I see the majority of consumers taking the hours and proper attention to follow through. And I’ve only mentioned one state-level privacy regulation—there are over 20 more being considered, and CCPA 2.0 is moving ahead. It will be unmanageable for both consumers and marketers if each state begins to pass their own versions. 

    How can we make exercising privacy rights less daunting?

    So, how can we begin to truly give consumers privacy rights without making it such a daunting process? First and foremost, make it simple and streamlined. Consumers should not have to go site-by-site and app-by-app to get control of their personal information, though some may feel they already have “ownership” with the cookie banners that originated from the EU’s ePrivacy Directive. 

    While it is a step in the right direction for education and transparency, notification fatigue is real. When I’m trying to read content, whether at home or abroad, I just want to get straight to it. I’m not thinking of my cookie preferences—yes, I’m blindly accepting, but that’s okay. As an industry, we should respect the choices of consumers who want to exercise their rights, not make it more challenging. 

    This brings me to: education, education, education! This is for everyone, including companies of all sizes, nonindustry businesses, and most importantly, all levels of the government. No one wants 50 privacy regulations that would end up doing the opposite of what they are intended to do—not to mention potential conflicts in state-by-state legislation posing significant challenges for businesses’ interoperability between them. Trying to comply with one law may put a company in breach of another, making it impossible to do business. Federal regulation is needed to truly grant consumers the right to control the use of their PI.

    As members of the industry, we have the unique perspective of being both consumers and marketers. We have the opportunity to shape regulation so it provides consumers with control over their online and offline data in a simple, accessible way, while also providing them with personalized, effective, and engaging advertising. 
