California’s Mini GDPR and It What It Means For Market Research

Editor’s Intro: For all those who said “it can’t happen here” when all the debate was taking place over the European GDPR, well, it is happening here. As Adam Dietrich very ably describes, California is once again setting the direction for the rest of the US, and other states may quickly follow. As Adam writes, this will force US researchers out of their lethargy, and spur even faster disruption, with developments like blockchain taking on greater impetus. “What, me, worry?” will not be enough of a response.

---

With Europe’s implementation of its General Data Protection Regulation (GDPR), the whistleblowing around Cambridge Analytica, and Facebook CEO Mark Zuckerberg’s testimony in front of Congress, we spent a lot of time this spring talking about data collection and privacy. Media pundits, market researchers, and tech insiders alike all opined about the future of online privacy in the United States and looked to Washington to see if national legislation was on the horizon. Unfortunately, most of us may have been looking at the wrong coast.

Two weeks ago, the California Assembly and Senate passed The California Consumer Privacy Act, which Governor Jerry Brown signed into law just hours before a deadline to keep an even more aggressive version of the policy off November’s statewide ballots. The measure, which some outlets have dubbed “California’s Mini GDPR,” received opposition from The Internet Association – a lobbying group that represents the state’s major tech companies like Facebook, Google, and Uber. So, what is this bill that privacy rights groups are cheering for, but has some of the largest California employers concerned? And if you’re a market researcher that doesn’t live in California, why should you care?

The legislation is similar to Europe’s GDPR in that it will require businesses to disclose the type of data they collect on users and include details on the advertisers or other third parties with which they share data. That alone will be eye-opening for consumers, but the bill also requires companies to provide an avenue for users to opt out of their data being sold – without any degradation in services. In a watered-down version of the GDPR, the bill also gives consumers the ability to request that their personal information be deleted. Europe’s version has built-in sunset clauses that require the deletion.

While California is home to nearly 40 million residents, why does this matter outside of the Golden State? Very simply, it’s because companies don’t want to deal with the logistical nightmare of having a California policy and a “the other 49 states” policy. In 2003, when California passed the state’s Online Privacy Protection Act, requiring websites to publish the privacy policy statements whenever they collected user data, they were one of the first in the nation to do so. Being home to such a massive population, California has been setting national online privacy standards ever since.

As the research and tech world has just moved through GDPR, is this really any different? Yes and no. A lot of companies collecting data are only doing so among America’s vast and relatively wealthy consumer base. They haven’t been forced to explore compliance yet and will have to explore that burden before enforcement begins in 2020. There are also a number of organizations that have taken a different approach due to the fact that they operate globally. These organizations have taken one of two approaches: implementing different policies for the different regions they operate, or applying GDPR rules across the board, even for their North American operations. Additionally, as the legislature and tech lobby found a compromise in the drafting of the bill, it doesn’t have the same teeth as its European counterpart. For example, California’s act places the impetus for opting out and data deletion on the consumer rather than the data collector, similar to Australia’s version. Also, while the potential enforcement of fines would hurt any company’s bottom line, they’re capped at lower numbers than what we’ve seen in Europe.

Overall, there are a lot of strong provisions for consumers in this legislation and it will force American research and sample providers to update their current data protocols to a higher standard, but it isn’t all sunshine and rainbows for the research community we know today. First, due to the opt-in aspects of this bill, sample procurement will become more difficult – especially among minors under age 16, regardless of methodology. Furthermore, every branch that touches respondent data will need to create the means to delete data at the user’s request. The days of a panelist simply unsubscribing are overcome. And finally, what do we do about the major fear plaguing the industry’s lobbying arms? More legislation. Vermont looks poised to create their own bill and leading Democrats have floated the idea of a national privacy law. These overlapping entities may make the aforementioned pains of data collection even more intrusive if we’re forced to develop policies state-by-state.

Data privacy legislation will be hitting our industry over the next few years, whether we are ready for it or not. It could create a better, safer user experience and force some of the research industry’s privacy laggards to adapt. Additionally, as users come to expect more control over their data, we could see an opening for the blockchain technology that has disrupted other industries and put users in a more powerful position. Research has seen its fair share of new trends and technology, but is generally regarded as slow-moving in terms of innovation. As these data privacy laws loom, expect to see moves made by select leaders in the industry to try to get ahead.