About Writing Projects Resume Contact

Feb 18, 2020 –  New York, NY

Digital privacy and ad tracking have finally entered the mainstream conversation in the United States. Two years after GDPR went into effect in Europe – something we discussed back in 2018 – the US is beginning to take a sober look at what identity on the internet means, how we as a society want to approach its safeguarding, and what impact that will have on the advertising and publishing industries.

As of January this year, the US took its first stride since the 90s as the California Consumer Privacy Act (CCPA) went into effect. Constituting 14% of the entire US’s GDP, California’s new law is bound to alter how the rest of the country approaches digital privacy and data protection, so media buyers and publishers are closely monitoring what impact this will have across the rest of the nation.


The US has traditionally been much laxer than the EU when it comes to the privacy of its citizens. However, the effects of GDPR’s implementation in the EU were felt even an ocean away with US-based international companies scrambling to implement separate EU privacy policies or, in some cases, merely shutting off access to EU visitors so as not to run afoul of the new law. It also sparked a conversation in some sectors about what a US version of the law would look like when it was inevitably implemented.

The current rules here in the US are either comically out of date, often predating mass adoption of the internet. Others only regulate very specific areas, such as medical or financial records, in stark contrast to the kind of all-encompassing data protection GDPR was intended to be.

While some states have implemented laws related specifically to how companies must handle reporting data breaches to their users, these also tend to be conflicting and out of touch with the reality of the internet in the 21st century.



This all is what makes the CCPA all the more compelling, and potentially problematic for advertisers in the US. As the largest state and economy, California has an outsized influence on the national conversation – they have similarly used this weight to put pressure on auto industry emissions when the Trump administration started to roll back these standards on a federal level. So California planting a flag for digital privacy and rights will undoubtedly move the conversation forward here and likely inspire other states to adopt their own laws or push the federal government to pass a nationwide law à la GDPR.

As a quick primer on the key tenets of CCPA, here’s what you would need to know. The law states that California internet users have a right to:


In contrast to GDPR, CCPA focuses more on what happens to the data AFTER it is collected, rather than on the collection itself. Data protection advocates point out that CCPA places the burden of opting out on the individual user, as compared to a universal opt-inas GDPR created. This is bad news for consumers but good news for advertisers as many people likely won’t realise that they are able to restrict the amount of data that is collected about them or how that data is used. So targeting capabilities of some major platforms may be less impacted by this than initially feared. Another point of distinction is that, while GDPR requires all companies and organisations to comply, which places a disproportionate burden on smaller companies, CCPA only impacts business over a certain size or revenue amount. This is good news for smaller brands who would be less equipped to create the kind of infrastructure needed to handle data requests and deletion. And as CCPA’s guidelines only stipulate that you have to inform users if you are selling their data, this has opened up a loophole, most notably for Facebook. Their current position is that, although they allow advertisers to use the data they collect to target their ads they don’t sell the data directly and therefore are not bound by this law. Clearly, this is a tenuous position but currently, no significant changes have happened on Facebook’s side.