“Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Tiffany Morris, vice president of global privacy at Lotame.
The California Legislature passed privacy regulation AB 375 in June. Media coverage has rightly characterized AB 375 as the equivalent of the General Data Protection Regulation (GDPR) for the American market. While GDPR is anchored in the European idea that individual privacy is a fundamental human right, the policy motivations of the California law are unclear.
The California law rests on two false and contradictory assumptions. The first is that the use of personal data by companies for marketing and analytics is inherently harmful to consumers. And second, that the consumer has the ability to accurately determine, and harness, the economic value attributable to a company’s use of personal data.
On the first point, Section 1798.125(a)(1) of the California law states that a business cannot offer preferential pricing or rates for goods or services (including discounts) to a consumer that shares his or her data. This provision would seem to prohibit the paid advertising model that fuels nearly all digital content distribution. From the perspective of the California Legislature, the exchange of data is so risky that the consumer is prevented from sharing data – even when that exchange creates a monetary or financial benefit for the consumer.
Few American laws place such austere limits on free enterprise. California itself is a state that has always championed innovation and choice – even where there is risk of harm to consumers. For example, it’s one of only a handful of states to have passed an assisted suicide law that permits terminally ill patients to obtain life-ending medication. And earlier this year, the 9th US Circuit Court of Appeals reviewed the constitutionality of the state’s anti-prostitution statutes. During the San Francisco hearing on the regulation of prostitution by the state, one of the judges asked, “Why should it be illegal to sell something that it’s legal to give away?”
One could pose the same question to California lawmakers about consumer data, as there seems to be an illogical presumption that providing data to companies for marketing purposes creates a special kind of jeopardy for privacy. Yet consumers give away personal data every day – to banks, credit card companies, gyms, community centers, grocery stores and even automated toll takers.
There is less scrutiny for those categories, likely because the data is required for the related transactions to function properly. The use of data for marketing and media also serves a legitimate interest, but it seems to be viewed as inherently reckless by regulators, legislators and privacy vigilantes.
Despite what lawmakers say, however, consumers are increasingly willing to share their personal data with a brand in exchange for promotions, discounts and deals. Why? Because for many, if not most, consumers, the value they receive significantly outweighs the potential privacy and security risks – particularly in the context of ad-supported content.
Every day, consumers use this balancing test to weigh the risks of sharing data in exchange for perceived benefits. The California Legislature seems to acknowledge, with Section 1798.125(b), that a total ban on data sharing for profit is undesirable to both consumers and companies. The provision goes on to state that a business is in fact permitted to charge a consumer a different price or rate, but only if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
Consumer protection statutes typically mitigate harm by requiring companies to educate consumers about the risks of a particular action. Tobacco, alcohol and firearm regulations are consummate examples of this type of policymaking.
In contrast, the California statute protects the consumer’s ability to profit from a particular action. Returning to our prostitution analogy, imagine a law that legalizes prostitution – but only if the economic gain to the prostitute sufficiently outweighs the risks of sexually transmitted diseases, violence, etc. Who makes that determination? Few, if any, American laws mandate the terms under which companies or consumers transact business because it undercuts the very essence of American capitalism.
Further, this approach completely ignores the fact that consumer data is valuable precisely because it is big data. The individual data provided by a consumer to a company for marketing purposes is not particularly valuable on its own. It only becomes valuable when aggregated and combined with other data points – a process invented and revolutionized over the past 15 years by technology providers.
To be effective, a piece of legislation should reflect and promote underlying policy. In the case of AB 375, the policy motivations are not clear. Is the law trying to protect consumers from the privacy risks of big data and automated decision-making? Or are we trying to transfer the economic value of big data from companies to consumers?
The first is a European principle; the second, a uniquely American perspective.
More importantly, the two concepts are at odds – philosophically, and even within the actual text of AB 375. Until the policy goals are made clear and enabled by the law, it cannot serve the interests of either party.