Data privacy

California and Europe created “first drafts” of privacy legislation, report says

UC Berkeley published a collection of research regarding the impacts of GDPR and CCPA.
article cover

Santiago Urquijo/Getty Images

5 min read

Europe’s most consequential consumer privacy law is old enough to read.

Passed in 2016, the European Union’s General Data Protection Regulation (GDPR) was shortly followed by the California Consumer Privacy Act (CCPA), America’s first state-level consumer privacy law, which passed in 2018.

Though privacy legislation may feel like an inevitable rising tide of anxiety and even confusion, at least among advertisers, UC Berkeley’s Center for Long-Term Cybersecurity has released a collection and analysis of reports and studies that have probed into the two laws.

While the research doesn’t give a true nickels-and-cents account of the legislation’s economic impact on digital advertising, it does provide detailed anecdotes about the impacts of these laws, which the white paper calls “ultimately ‘first drafts’ in privacy protection,” on companies.

Some highlights

Through pulling together highlights from various findings, the white paper illustrates how companies have approached these laws and the sorts of challenges that have cropped up along the way.

  • One group of researchers analyzed how publicly traded tech firms “interpret and translate” privacy legislation “as different types of business risks” to shareholders through 10-Ks, annual SEC filings about a company’s financial performance. While Apple and Amazon’s filings only “generally mention privacy laws” between 2015 and 2020, filings from Google, Microsoft, and Meta have explicitly mentioned GDPR and CCPA at different points within that time frame, with Meta going as far as to say that both laws impacted its revenue.
  • A separate study examined how a group of Serbian startups have navigated these laws, finding that 10 out of 19 respondents had “someone in their firm responsible for GDPR compliance.” These startups took compliance seriously due to fears related to costs, not from fines but from potentially losing investor interest, the researchers found.
  • A survey of tech workers identified tension with lawyers when it came to matters of compliance. For instance, an engineer at a large tech company said that their team was hesitant to consult lawyers on an issue regarding compliance because “it usually ended up being more work.”. Several said lawyers were “unavailable, either by design or because of lack of capacity.”

This tension can also be illustrated by everyone’s favorite online hurdle: The cookie banner, which many sites now have in order to comply with GDPR and CCPA. In practice, consumers “see so many different variations on different websites, because you have different lawyers talking to different engineers with different interests,” Saba Chinian, a third-year law student at UC Berkeley School of Law, who wrote the white paper, explained. Chinian previously worked at the Department of Justice and Google.

Get marketing news you'll actually want to read

Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.

On a more human level, one researcher found that broad and vague language within privacy legislation can lead to unintended and potentially harmful consequences for “disfavored or marginalized groups.” For example, their research  described a Turkish restauranter and employee operating a snack stand in Vienna installed cameras to capture police harassment, only to be convicted of violating GDPR rules.

These anecdotes “make you wonder [if] this really in tandem with what the goal here is,” Chinian said.

“Legitimate interest”

Another pain point, according to the research? Confusing definitions. A survey of security, law, and privacy experts unanimously found that imprecise definitions complicated their internal compliance practices.

Take a term like “legitimate interest,” which companies can cite as a legal reason for data collection under GDPR even though it isn’t defined within the law, Chinian points out in the white paper. Under GDPR, legitimate interest is described as when the “interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.” Great.

Using a web crawler, researchers combed 10,000 websites looking for companies that used the term “legitimate interest” in their consent notices, finding that hundreds did. Some companies didn’t let users opt out of legitimate interest data collection, while those that did “often complicated” the process.

“Because of the vague and broad allowances of ‘legitimate interest’ under the GDPR, firms can continue to unintentionally or intentionally deceive users and misuse their data without consequence,” Chinian wrote in the white paper.

Though the report is mostly a collection and analysis of recently published work, it provides some next steps to practitioners, like suggestions of how to frame compliance. “Companies can more effectively motivate GDPR and CCPA compliance by reframing compliance as risk prevention, rather than just focusing on abstract user-centric privacy concerns,” Chinian wrote.

And for regulators, the report suggests that it might be easier to “encourage quick compliance” if future privacy laws are modeled on the laws that already exist, even if they are just the “first drafts.”

Get marketing news you'll actually want to read

Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.