In an era where personal data has become a valuable commodity, states across the U.S. are taking bold steps to protect their residents’ digital privacy. Leading this charge is California, with its groundbreaking California Privacy Rights Act (CPRA) California Privacy Rights Act (CPRA), which builds upon the foundation laid by the California Consumer Privacy Act (CCPA). As other states follow suit, these new regulations are set to dramatically alter the way companies handle user data, particularly impacting how we interact with web browsers and online services.
California’s Pioneering Role in Reshaping Data Privacy Laws
The CPRA which took effect on January 1, 2023, expands on the CCPA’s protections. It grants California residents more control over their personal information, including the right to know what data is being collected, the ability to request deletion of this data, and the option to opt out of the sale or sharing of their information.
For browser users, this means enhanced transparency. Websites must now clearly disclose their data collection practices and provide easily accessible methods for users to exercise their data privacy rights. This could manifest as more prominent data privacy notices, clearer cookie consent options, and simplified processes for requesting data deletion or opting out of data sharing.
The Current Privacy Landscape
For users, protecting online privacy is a complex task. Companies collect vast amounts of personal data, including browsing habits, purchase history, and more. This data can be used to estimate various personal attributes like income, political preferences, and health habits. The information is often used for targeted advertising, political messaging, or even setting insurance rates. My research over the years has shown that consumers don’t particularly care for the fairly rampant collection of personal data, yet they also feel there’s not much they can do about it.
Some states, notably California, have laws allowing people to opt out of data selling or sharing. These laws also sometimes include the right to request data deletion. However, exercising these rights often involves filling out complicated forms with numerous companies, which few people actually do. The proposed California law takes a significant step forward in a few important ways, the most important of which is the promise of one-click privacy. This would mandate major tech companies like Google and Apple to provide a one-click privacy option. This option would be available in dominant web browsers and smartphone systems and could potentially enable millions of users to easily exercise their privacy rights. I think that’s a big step forward on the consumer data privacy front, and, in reality, not all that difficult for tech companies to effectuate.
The Ripple Effect of Privacy Laws Across States
There has been a ripple effect of data privacy laws across states, with California’s initiative inspiring other states to enact similar legislation. Virginia’s Consumer Data Protection Act (CDPA) and Colorado’s Privacy Act (CPA) both came into effect in 2023. Utah’s Consumer Privacy Act (UCPA) became effective on December 31, 2023, and provides Utah consumers with the right to confirm whether a business is processing their personal data, as well as the right to access any data that has been processed and request that it be deleted. Utah consumers also have the right to obtain a copy of any data previously provided to the business, as well as to opt-out from companies selling their data and/or using it for targeted advertising. The Connecticut Data Privacy Act (CTDPA) took effect in July 2023 and provides Connecticut residents rights over their personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data. The Colorado Privacy Act (CPA) is part of the Colorado Consumer Protection Act and went into effect in July of 2023. Similar to other privacy legislation, the CPA provides Colorado consumers with the right to access, delete, and correct their personal data as well as the right to opt out of the sale of that personal data and/or for its use in targeted advertising.
These data privacy laws share many similarities with the CPRA, although there are nuances in their approaches. For instance, Virginia’s CDPA introduces the concept of “sensitive data,” which includes personal information about racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship status. This category of data requires explicit consent before collection, potentially leading to more granular privacy controls in browsers and websites for users in these states.
We are also beginning to see consumer data protection laws speak to artificial intelligence and preclude their personal data from being used for model training. U.S. Senators Peter Welch (D-Vt) and Ben Ray Luján (D-N.M) proposed legislation in March of this year, the AI Consent Act, proposing online platforms would need consumer consent before using their data to train AI models. The bill also seeks to create disclosure standards, including instructions for consumers on how to easily provide and/or revoke their consent, “at any time and through an accessible and easily navigable mechanism.” This is but one of a series of major AI legislation initiatives in the Senate, and without question, we can expect to see more action on this front.
Data Privacy Laws’ Impact on Organizations
The implementation of data privacy laws brings several notable changes that organizations will need to adapt to. These include:
Enhanced Transparency. Organizations will need to develop more detailed data privacy policies and data collection disclosures to serve up when users visit their websites. Browsers themselves may introduce features to help users understand and manage their privacy settings more effectively.
Greater Control. Organizations must provide users options to control their data, including the ability to opt out of data sales and targeted advertising. Browsers may integrate these controls directly into their interfaces for easier access.
Data Subject Access Requests (DSARs). Organizations must be prepared to respond to user inquiries on what personal data a company holds about them and comply immediately if they ask for its deletion. Browsers might facilitate this process by offering built-in tools to generate and manage these requests.
Stricter Consent Requirements. For sensitive data, organizations may need to build in and serve up more frequent and specific content permission requests. This could lead to the development of more sophisticated cookie consent mechanisms within browsers.
Do Not Sell My Personal Information. Corporate websites are required to have a clear link for users to opt out of data sales. Browsers may incorporate features to automate this process across multiple sites.
The Challenges and Considerations of These Laws for Organizations
While these data privacy laws aim to enhance privacy, they also present a wealth of challenges and considerations. The patchwork of state-level regulations creates a complex compliance landscape for businesses operating across multiple states. This could lead to inconsistent user experiences depending on a user’s location, which organizations will need to endeavor to avoid.
The technical implementation of these privacy controls may vary across browsers and websites, potentially leading to confusion for users. There’s also the risk of “consent fatigue,” where users become overwhelmed by frequent privacy notifications and may start ignoring them. In my view, consent fatigue is not a new thing; users are already accustomed to quickly clicking through notifications to get to wherever they want to be, it’s a norm.
I don’t see this as a challenge for organizations to address as these data privacy laws continue to roll out, but I do think these changes present a significant opportunity for organizations to laser in on the customer data privacy front in terms of how they communicate their commitment to data privacy to customers.
This could be a key differentiator for organizations that speak up about the importance of consumer data privacy and use this commitment as part of their overall brand promise and brand messaging.
Looking Ahead at the Evolution of Consumer-Focused Privacy Laws
As data privacy laws continue to evolve and more states join the privacy movement, I am certain we’ll see further changes in how browsers and websites handle user data. This is something that should be on the radar screens of marketers, IT leaders, and other business leaders. There’s growing pressure for federal-level privacy legislation in the U.S., which could provide a more unified approach to data protection, but it’s also an election year, so what’s ahead on that front will likely be in flux.
That aside, serving up best-in-class customer experiences is the name of the game today, and it’s a foundational premise on which businesses compete, attract and retain customers, spur loyalty and beyond. Keeping customers informed about these changes as the digital landscape shifts toward greater privacy protection and helping users understand the ability they will have to take control of their personal information — which up to this point has not been their reality at all — and, as mentioned earlier, leaning in to messaging about a commitment to consumer data privacy is something I view as an important part of brand strategy, CX strategy, and customer communications moving forward.
In conclusion, the new wave of data privacy laws, led by California’s CPRA with other states quickly getting on board the consumer data privacy protection train, marks a significant shift in the balance of power between consumers and data collectors. For browser users, this means more transparency, control, and responsibility in managing their digital footprint. For organizations, it presents an opportunity to better support customers and illustrate a commitment to helping protect their personal information in what is becoming an increasingly connected world. For innovative tech companies, it presents an opportunity to provide software and services that can help customers keep abreast of quickly changing data privacy laws that are reshaping the digital landscape.
See more of my work here:
Trustwise’s Optimize:ai Launches, All Eyes on Gen AI Safety and Efficiency
