The last decade saw a remarkable proliferation of digital technology. Smartphones and other new devices allow users to shop and communicate with unprecedented convenience. The accessibility of these technologies was followed by digital privacy scandals including Cambridge Analytica, Edward Snowden, and various hacks, malware attacks, and retail data breaches. More commentators are expressing concern about the trade-offs inherent in a lifestyle increasingly spent online. The European Union enacted the GDPR partially in response to these concerns. Closer to home, California passed the California Consumer Privacy Act (“CCPA”). Lawmakers around the world are coming to recognize that as e-commerce platforms continue to grow, so too does their potential for exacerbating consumer digital privacy issues.
The E-Commerce Explosion
The explosion of e-commerce created a silent revolution in how consumers purchase goods and services. The Commerce Department estimates e-commerce consumers spent $513.61 billion in 2018, a 15% increase over the previous year. Amazon alone represents 40% of online retail sales in the United States. Some estimates suggest up to 40% of e-commerce purchases are now made using a mobile phone. Not surprisingly, the digital transformation is commonly cited as a driving force behind a recent wave of bankruptcies rocking the retail sector.
The growth of social media and other apps is also not without controversy, and digital privacy seems to be one of the top concerns. Up to 25% of U.S. users may have deleted their Facebook accounts, underscoring increased awareness of online privacy issues. When every click is tracked and entered into an algorithm, the potential for exploitation and manipulation becomes inevitable. The Orwellian social credit system in China is an extreme example of the potential for privacy abuse. The Chinese regime is noted for insignificant digital privacy protections and a legal system devoid of meaningful protections for individual rights.
The business model of social media giants is predicated on free user access to the platform and monetized third party use of the data. The value of these businesses stems from the same source as their bad publicity: developing sophisticated analysis programs to aggregate vast amounts of user information. These tools enable third parties to efficiently target specific audiences. Regardless of whether the backlash against social media is warranted or overblown, what’s perhaps more remarkable is the extent to which e-commerce has escaped the same level of scrutiny.
Unlike social media advertising, e-commerce platforms like Amazon seek to prevent users from leaving their websites. If a seller even mentions their external website it can result in a terms of service violation. Repercussions can include a temporary suspension or even account deletion. On the other hand, sellers and shoppers alike have expressed concern Amazon may be working towards a digital monopoly. Because platforms like Amazon retain so much customer and seller data, it can afford to let sellers invest in developing products, listings, and keywords. Amazon can then use this data to divert shoppers to their own products.
Amazon sellers don’t have access to their customer’s email addresses and remain limited in their ability to make direct contact on the platform. Instead, Amazon sellers can upload their customer lists into social media platforms and retarget customers directly or create lookalike audiences.
California Takes the Lead, Amazon Pushes Back
In June 2018, California passed a tough new privacy bill aimed to protect Golden State consumers. Although the CCPA does not go into effect until 2020, attorneys are already busy bringing older privacy policies into compliance. There has also been significant pushback from industry lobbyists. Amazon has been particularly outspoken in its opposition to the sweeping language and expansive definitions contained within the CCPA. Terms like “consumer” and “Personal Information” are defined broadly. Other terms such as “household” do not appear to have a definition at all. On the other hand, the CCPA offers minimal obligations regarding “Aggregate Consumer Information” or “Deidentified Data.” The CCPA does not apply to deidentified data because this information cannot be linked to a specific consumer.
The CCPA implements different compliance requirements depending on the nature and the activity of the business. A California “Business” collects Personal Information from Consumers and determines the purpose and reason for processing Consumer Personal Information. Alternatively, an entity may be considered a “Business” under the CCPA if it reaches certain quantitative thresholds of gross revenue, or buying or selling certain amounts of personal information. A “Service Provider” processes information on behalf of a business. A “Third Party” cannot sell Personal Information and must allow consumers the right to opt out.
Among other requirements, Businesses must support consumer rights regarding disclosure, privacy policies, data portability, deletion, opt-outs, and non-discrimination. Business websites must offer consumers a “Do Not Sell My Personal Information” link on their website. After a 30 day notice and cure period, the California Attorney General can enforce the CCPA with $2,500 fines for each violation. The law is set to go into effect January 1, 2020.
Amazon VP and associate general counsel Andrew DeVore has been open in his criticism of the CCPA. DeVore contends the act defines “Personal Information” too broadly because it includes information which “could be linked” to a consumer.
According to DeVore, “The result is a law that is not only confusing and difficult to comply with, but that may actually undermine important privacy-protective devices like encouraging companies to handle data in a way that is not directly linked to a consumer’s identity.”
California is the fifth largest economy in the world and the digital stakes are high. Recently a series of bills were introduced to amend the reach of the CCPA. Other industry giants including Facebook, Google, Microsoft, Uber, and Lyft, are joining Amazon in pushing for changes. They contend the CCPA was rushed into law and would be unfair to businesses.
Litigation has not yet produced bright line rules and federal courts have been hesitant to apply the Electronic Communications Privacy Act to cookies. Consumers concerned about digital privacy should take proactive steps to protect their data. Reviewing privacy settings is only the first stage in an ongoing process of due diligence. Most sites have a privacy statement buried in their footer, which few people take the time to examine. Nor do most users actually read the clickwrap agreements required to access digital platforms. Other tips include turning off geo-tracking on phones and apps, clearing cookies, avoiding shared storage portals, and avoiding public Wi-Fi networks.
Many e-commerce companies are voluntarily enacting greater informed consent protections as a best practice. Lawmakers are increasingly bold in their calls for increased regulation and even discuss anti-trust legislation targeted at tech giants. It remains unclear what these proposals will accomplish or whether the CCPA will be amended. What seems certain is consumers need to take greater responsibility for their own digital data trail. Each click creates another data point. Each year brings greater computing power to efficiently aggregate larger databases. As a result, the incentive for advertisers and governments to take advantage of these powerful tools only increases with time. Fortunately, consumers don’t have to wait for legislation to take meaningful action.