Better Never Than Late? A CCPA Meditation
An oft-repeated cliché holds that law lags society.
There may be frustrating reasons for this, as legislatures, regulators and judges slowly process changes in the ways we live and eventually determine which parts of these shifts demand legal attention. Important commercial inequities, consumer deceptions or intrusive technologies may linger for decades before someone decides to officially address them.
There are also sensible reasons for this, as social problems are not always immediately apparent and many people may question whether a concern is worth proscribing or regulating by law. Hasty, emotionally driven changes in the law can cause more problems than slow walking an important process.
And of course, in every society, the power and number of affected parties whose oxen have been gored by the change can accelerate or retard a legal response. Money and votes speak loudly.
Over my three decades of legal practice I have also noticed that the more complicated the societal change, the greater time lag before legal redress reaches the public. No consensus forms over how to write laws about a topic when the legislators do not understand the topic, its inner workings or the full extent of its effects. Even worse when the effects are ambiguous, helping many parties and potentially harming many others. This is why the Uniform Law Commission proposes detailed, non-partisan solutions for state legislatures to consider.
I raise this subject in the specific context of privacy regulation, in particular implementation of the first omnibus grant of consumer privacy rights in the U.S., the CCPA. California’s newest legal innovation is the culmination of more than forty years of societal changes chipping away at personal privacy. This law is also likely a first step into broader adoption of U.S. privacy protections.
One of the problems with waiting thirty years to recognize and protect legal rights is that, in the absence of such protections, entire industries can grow to take advantage of new income streams. After thirty years, the streams have grown into mighty rivers, and the new laws cut off the water at its source. The advantage to electing prescient legislators (a big ask, I know) would be that recognizing personal rights and restricting business practices early redirects business energy and resources into more sustainable behaviors.
If we have thought to protect privacy in the same manner the EU protected it in the 1990s, Google, Facebook and other world-dominant U.S. data-driven businesses would not exist in their current form. In fact, the EU felt it necessary to tighten its privacy regulations in part to reign in American data monsters. So now our legislative/regulatory decision to grant people broad rights concerning the use of the data generated about their behavior will hamstring some of America’s most innovative and successful business.
Companies are pulling information from every action taken online and many actions out in the wet world. Artificial intelligence and other deep, decades-tested analytics can blend this data into something coherent and commercially useful. The simplest aspects of consumer information collection – a single transaction at a single ecommerce site – is easy to regulate. Deep analytics and AI logical leaps may be much more difficult to find, categorize and address as government enforcers.
So, are we willing to kill entire profitable industries, like online advertising and behavioral analytics, because we have finally found religion on consumer privacy? Apparently, legislators couldn’t be bothered with passing privacy protections in the early days, late-early days, or early middle days of the internet. Now that they are considering legally protecting personal data on a massive scale (see 50 state survey for updated information about state data use laws, Affirmative Data Obligations), without a clear understanding of what needs to be protected, from whom, and how it will be accomplished, an entire set of information based industries is at risk.
It’s not like we didn’t know right away what was happening to consumer information. The discussions about how a single targeted advertisement followed you around in your web surfing adventures has been raging for nearly 20 years. I worked with companies using advanced analytics to categorize consumers and affect treatment of them back in the 1990s. This is not new. So why the sudden concern for privacy rights?
I understand that sometimes an idea’s time visits later than you would expect. But I am interested in how our new-found interest in keeping consumer information from business – government and law enforcement still seem to be immune from this concern in legislative action – will affect the creative and successful companies that have arisen in absence of such protections. Will we be killing geese that been laying golden eggs for our country over the past three decades? The EU seems eager to kill our geese, but do we want to help them?
We don’t know how this legal trend will play out, but it seems like our legislators are changing the game once the rules have been well established. Data privacy is a complex, multi-faceted issue and there is no right answer to how our laws should address it. I just wish the political will existed to carve out the rules of this game in the early stages. Now, there is too much at risk on all sides to make economically harmful choices that would have been reasonable and benificial thirty years ago.