How and why the data privacy mandate is expanding
The recently celebrated Data Privacy Day was an international effort to raise awareness and promote data privacy and data protection best practices. It originated in Europe in 2007 and was adopted by the US several years later.
While recently searching for quotes on data privacy to honor the day, I came upon an eye-opener from 2009 by former Google CEO Eric Schmidt:
“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
To be fair, the quote was in response to a conversation about how tech companies share information with authorities, but the context was that the amount of information these companies really know about consumers would “shock” and “confuse” them. We really have come a long way on data privacy ... or maybe not.
The largest fine levied under the GDPR so far, $57 million, came shortly before this year’s Data Privacy Day (January 28), and was given to Google for not properly disclosing to users how data is collected across its services — including Google Search, Google Maps and YouTube. The regulators claimed that Google did not meet the requirement of obtaining clear consent and that consumers are largely unaware of the data collected and shared by Google. Note that Google disputes the claims.
Unfortunately, I think I know what the regulators mean when they talk about the need for clear consent. Early last year, a screen popped up on my smartphone asking me to rate places and businesses including a law firm, a retail store and a national park. These were all places I had visited recently.
It turns out that every location I had physically been to in the last several months with my cell phone in tow – which is almost everywhere I went – had been tracked and stored, and was visible to me and who knows who else. I certainly never knowingly gave explicit permission for them to track my physical location. Even worse, rescinding this permission was an arduous and non-intuitive process that involved navigation across six different screens.
This is the antithesis of clear and unambiguous consent. I don’t mean to pick on any particular company or industry here, because in our data-driven world this type of tracking is the rule rather than the exception. We must change our thinking on this. Both consumers and legislators are demanding it.
Consumer Expectations are Significant
While my informal poll of non-tech working consumers indicates that most are not aware of International Data Privacy Day, they do have definite expectations around data privacy.
A recent survey of US consumers illustrates how focused consumers are on the issue. Seventy-three percent of respondents said their concern over the privacy of personal data has increased in the past few years and 67 percent think the government should do more to protect privacy.
When it comes to the type of protections consumers are asking for, the responses mirrored protections currently afforded to European citizens under the General Data Protection Regulation:
- 83% would like the right to tell an organization not to share or sell their personal information.
- 80% want the right to know where and to whom their data is being sold.
- 73% would like the right to ask an organization how their data is being used.
- 64% would like the right to have their data deleted or erased.
Even more ominous is what has happened to consumer trust as awareness has risen. When asked to identify industries where consumers were very or extremely confident regarding the ability to keep data secure, the health and banking industries scored the highest, coming in at an abysmal 47 and 46 percent, respectively. Government or state agencies were next at 29 percent and social media companies ranked last with a dismal 14 percent.
What’s more – consumers are not just expressing concern. They are taking action. Sixty-six percent have taken steps to secure their data, like changing privacy settings, removing a social media account or declining terms of agreement.
Legislators are Paying Attention As Well
Consumers are not the only ones paying attention.
In another European privacy enforcement action, German antitrust regulators have ordered Facebook to seek users’ explicit consent to combine non-Facebook data from Instagram, WhatsApp and various third-party websites into a comprehensive social media profile. Facebook must submit compliance proposals or face significant fines of up to $5 billion. Facebook plans to appeal; however, the top antitrust regulator for the EU has indicated that it is watching this case.
Facebook is also facing numerous lawsuits over data misuse and ad targeting including one brought by Washington, D.C. Attorney General Karl Racine, accusing the social media giant of wide-ranging privacy violations. They are also under investigation by the FTC to determine if they violated a 2011 FTC consent decree requiring them to give consumers clear and prominent notice of how information is collected and used and to obtain consumers' express consent before sharing information beyond established privacy settings.
Both Google and Facebook have been sued multiple times for violating the Children’s Online Privacy Protection Act, which imposes requirements on companies that collect data on children under 13 years of age. Moreover, the City of Los Angeles is suing the IBM subsidiary, The Weather Channel, for “covertly mining the private data of users and selling the information to third parties, including advertisers.”
A battle is also brewing in the US over state and federal privacy laws. Several states have passed laws aimed at data privacy and ethical use. The most prominent and restrictive of these is the California Consumer Privacy Act of 2018, set to take effect in 2020 and billed as the toughest data privacy law in the country (incorporating many GDPR-like restrictions).
Many companies have lobbied against this and other state bills, pushing for less restrictive measures and asking that a uniform federal law supersede all state legislation. To this end, both the US Chamber of Commerce and the Internet Association, which represents companies like Amazon, Facebook, Google, and Twitter, have released their own recommendations for a federal bill. The Data Care Act introduced by a group of US senators, a competing congressional bill, The Information Transparency and Personal Data Control Act, and the White House recommendations round out the plethora of proposals.
Regardless of where we end up in terms of data privacy regulations, several things are clear. The privacy mandate is expanding. Consumer expectations are increasing. And there will be regulation here in the US as well as in Europe. If you don’t keep up, there will be consequences.