There are only a few $100 billion dollar industries out there — yet Facebook and Google sell personal data to advertisers for more than this amount on an annual basis. When the tech giants exploit consumers’ personal data for revenue gain, this data often gets sold and used without any regard to the individual.
Europe and California have introduced regulations to protect individual consumer data, attempting to fundamentally change the universal perspective on consumer privacy rights, yet there is no federal law to protect the rights of the individual. Data privacy will only continue to get more convoluted as we get further into the era of tech innovation, but with the right rules and regulations in place, we have the power to stay in the driver’s seat and maintain full control.
Today, as consumers in the US, we do not have any right to own or manage our data. Companies whose products or services we use on a daily basis use our data and sell it to advertisers. This data can include anything from your full name and address to who you are friends with as well as your full Google search history. There’s even evidence that DMVs in the US sell information such as addresses and age to advertisers. All of this without our explicit permission.
Over the past two decades, our data has become a gold mine for corporations. When corporations have to choose between protecting user data and maximizing profits, they’ll choose profits every time (they have to — it’s their duty to shareholders!). It is only through external pressures that a change can be enacted. There are few citizens in the community that are taking a proactive approach towards data privacy, while others continue to try and exploit consumer data.
The current legal framework does not sufficiently protect consumer rights at an institutional level, instead relying on individual behavior to ‘opt-in’ or not. Even when signing up for a service and given the chance to read the terms and conditions, there is no plausible way to limit the exposure of personal data. In reality, the only way to keep your data to yourself is to avoid operating in mainstream society, something that is nearly impossible today.
The first large-scale experiment in this realm was when Europe began enforcing a new legislation called General Data Protection Regulation (GDPR) in 2019 that gave consumers control over their data instead of the corporations. Tech companies went into an uproar, which stemmed from a fear that they would lose revenue previously gained from selling consumer data to advertisers. An unexpected side effect of GDPR is the creation of a competitive advantage for companies that already have access to consumer data.
Companies that aren’t meeting GDPR regulations, like Google and Facebook, have historically faced huge fines up to $5 billion, whereas other companies have blocked consumers in Europe from accessing their website completely. What the US needs to do is introduce similar legislation that will hand back control of personal data to each individual consumer. While there is a lot of opposition from the tech industry, California recently published the California Consumer Privacy Act (CCPA) bill, that does exactly this. On January 1, 2020, California began enforcing the first set of consumer data privacy protection laws in the US.
While GDPR has increased visibility into what information can be shared and allowed for better control of consumer data at large, we’re still being required to agree to blanket terms of service that ask us to consent to data sharing, and people still aren’t reading these terms. Is there any hope that CCPA will play out any differently?
The data privacy debate doesn’t stop here. Everyone’s data is being packaged and sold across multiple industries, such as healthcare, for example — and what we’re in dire need of is a larger retroactive set of rules to be put into place. HIPAA (Health Insurance Portability and Accountability Act), a law that’s been around since 1996, was ahead of its time in considering patient data protection. Yet in today’s connected era, the extent of interpretability has left it short as HIPAA does not apply to the entire healthcare industry, such as medical devices, for example.
Consumer rights should not only include the ability for a consumer to know what data the company is using, but also enable the consumer to control that data. Going one step further, companies need to ensure consumer data is protected and secured. This applies to nearly every day-to-day facet of life — including websites, apps, and IoT devices (including your connected toothbrush!). As more devices become connected, the risk of hacks at the scale of the Experian data leak rises and becomes more critical across various industries.
Privacy used to be an afterthought in the wake of a breach, yet today, consumers, regulators, and society mandate and require proactive security. To fully protect consumer data as we enter 2020, security must be the number one priority for organizations everywhere.