Much virtual ink has been spilled describing the differences between the new state privacy laws in the U.S., including the California Consumer Privacy Act (CCPA) and new statutes in Nevada and Maine.
But those laws also share several important commonalities, which together are beginning to create a foundation of accepted privacy practices in the U.S.
To show how far the mindset about privacy has come in recent years, recall that Sun Microsystems CEO Scott McNealy famously asserted just 20 years ago that consumers had “zero privacy.”
And, he advised, they should “get over it.”
The Debate Over Who Owns the Data
In years past, more than a few marketers have similarly told this reporter that data generated by consumers belonged to the platform where it was generated, or to the domain, or to no one.
It’s difficult to find many marketers or CEOs who would today so dismiss consumer privacy for personal data. And the similarities in the new state laws show how far the Overton Window – or frame of reference for public discussion – has moved from the McNealy perspective.
To get a better sense of this emerging set of assumptions, RampUp spoke with privacy expert and lawyer Kristina Podnar.
The latent assumption in the current and emerging laws, she said, goes a step beyond asserting that consumers should be able to keep their personal info private. That is, the assumption is now that “data belongs to the user, [and because it does,] they have access.” This represents a “sea change” in American perspectives on personal data, she pointed out, and means that consumers own the data they generate.
The Widening Sphere
Second, the sphere of what constitutes “personal info” has been widening. Originally, it was centered around Personally Identifiable Information (PII), the kind of data that indisputably identifies an individual, such as Social Security number, street address, email address or phone number.
But now there is another circle of personal information outside of PII, which is increasingly considered part of an individual’s personal data if it can point toward one person by creating a configuration of probabilities. This includes location data, biometric data and behavioral data.
The latter category – behavioral data – is still a work in progress. While CCPA and the European Union’s General Data Protection Regulation (GDPR) include many kinds of behavioral data in their protections, there doesn’t yet appear to be a consensus in the U.S. about such questions as whether behavioral data like an individual’s web browsing behavior is covered.
The third area of commonality represents the most consequential one for marketers. It is the growing requirement that user consent is needed to employ the protected areas of personal information.
Opt-In or -Out
Ownership of personal info doesn’t necessarily imply the need for consent. For instance, a homeowner owns the front yard to her house, but there is no general agreement that her consent is needed for someone else to walk across it.
The particulars of consumer consent for data use are still all over the place in the U.S. CCPA presents a user’s right to require deletion of protected info in many locations, for instance, while Maine requires consent only from Internet and wireless service providers, and only if they want to share or sell a customer’s info. Nevada’s law extends Maine’s prohibition on unconsented sale/sharing to web sites.
There is also a mix of whether the consent is opt-out or opt-in. And none of the U.S. laws yet approach the granular level of user consent for specific uses that is required by GDPR, such as user consent for the use of personal data to target ads, as compared to delivering customized content.
A general agreement is also emerging, Podnar noted, that consent is not needed to conduct a transaction, since consent is implied. If the retailer has your info, or you provide it during the process of buying a product, no separate consent is required for the purpose of the transaction.
Beyond the Web
Additionally, as more and more devices become connected, there is also a growing acceptance of personal data beyond the Web. Podnar noted that Nevada and Maine’s laws, for example, imply that data collection from the Internet of Things could be included because they include location data.
Another emerging assumption: marketers and others must provide an easy-to-understand privacy notice that notifies users how the collected data can be used to track them. Of course, privacy notices have existed before, usually in impossible-to-read legalese, but now the implication is that they need to provide clear info about the consumer’s privacy rights, not just about the site or app’s rights to do what they wish. But, as Podnar points out, there is not yet a consensus about how and where that privacy notice is presented.
Finally, the state laws are beginning to better define just who needs to comply with data privacy.
In general, Podnar said, data privacy rules in the U.S. are less targeted at small firms than they are at big ones; Maine’s privacy law, for example, targets ISPs and wireless providers.
In the Meantime
Additionally, most of the U.S. regulations are oriented around transactions – when you become an ISP’s customer, when you buy from a retailer or when you visit a web site.
This is in direct contrast with the European Union’s GDPR, which builds on data privacy as a human right, not just a transactional one. The U.S., a pioneer of human rights, is not there yet.
But the growing consensus of privacy assumptions is still evolving. Podnar said she felt that the CCPA – and the emerging, follow-up legislation – shows that California is “inching” toward the human rights position.
As it does, it will move the ball forward. If and when an overarching federal privacy law ever arrives, it will likely build on the assumptions that the state laws, in their conflicting and overlapping fashion, have erected in the meantime.