In 2020, many Americans will get a powerful tool to protect their online privacy. A sweeping new law will require millions of businesses to tell consumers what data they have collected about them and, if asked, to delete it.
The law, known as the California Consumer Privacy Act (CCPA), could play havoc with the online economy, since so many companies—from tech giants to ordinary retailers—rely on targeted ads. If people demand that companies delete their data, those ads would be less effective.
Walmart, for example, could miss out on sales because its online ads wouldn’t be as personalized as before. Google, meanwhile, risks losing a big chunk of its revenue because generic ads command far lower prices than ones targeted using personal data.
The effect of California’s law, which is being copied in nearly two dozen other states, could therefore be enormous. But that’s only if people assert their new rights after the law goes into effect on Jan. 1—which is a big “if” considering that relatively few have taken advantage of a similar privacy law in Europe, called GDPR, that was implemented in 2018.
“Is this a big deal for thousands or hundreds of thousands or millions of people? We don’t know yet,” says Chris May, who focuses on corporate risk for consulting firm Deloitte.