Data Privacy Day, occurring every January, is an international effort to raise awareness and promote data privacy and protection best practices. It originated in Europe in 2007 and was adopted by the US several years later. While searching for quotes on data privacy to honor the day, I came upon an eye-opener from 2009 by former Google CEO Eric Schmidt:
“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
To be fair, the quote was in response to a conversation about how tech companies share information with authorities, but the context was that the amount of information said companies really know about consumers would “shock” and “confuse” them. We really have come a long way on data privacy – or maybe not.
The largest fine levied under the GDPR so far, $57 million, came shortly before last year’s Data Privacy Day, and was given to Google for not properly disclosing to users how data is collected across its services — including Google Search, Google Maps and YouTube. The regulators claimed that Google did not meet the requirement of obtaining clear consent and that consumers are largely unaware of the data collected and shared by Google. Note that Google disputes the claims.
Unfortunately, I think I know what the regulators mean. Early last year, a Google screen popped up on my phone asking me to rate places and businesses including a law firm, a retail store and a national park. These were all places I had visited recently. It turns out that every location I had physically been to in the last several months with my cell phone in tow – which is almost everywhere I went – had been tracked and stored, and was visible to me and who knows who else. I certainly never knowingly gave explicit permission for them to track my physical location. Even worse, rescinding this permission was an arduous and non-intuitive process that involved navigation across six different screens.
This is the antithesis of clear and unambiguous consent. I don’t mean to pick on Google here – because in our data-driven world this type of tracking is the rule rather than the exception. We must change our thinking on this. Both consumers and legislators are demanding it.
Consumer Expectations are Significant
While my informal poll of non-tech working consumers indicates that most are not aware of International Data Privacy Day, they do have definite expectations around data privacy.
A recent survey of global consumers, CX2030, illustrates how focused consumers are on the issue. CX2030 did not focus on privacy specifically, but instead was designed to predict what customer experience would look like into the future. Privacy, specifically trust, came up as one of the pillars that companies will be increasingly compelled to deal with. Unfortunately, the overriding sentiment from consumers was one of concern:
- 76 percent of consumers are concerned with the amount of data brands gather when they search for or purchase a product.
- 71 percent feel companies should not be able to share their data.
- 78 percent want to see what data has been collected and want control over changing, updating or deleting this information.
- 73 percent are concerned with how brands are using their personal data to the point where they feel it is out of control.
- 61 percent feel they have no control over the level of privacy they need for themselves, their family, or their children.
- 50 percent believe brands are hiding “bad things” they’ve done with user data and privacy.
When consumers use phrases like “out of control” and “hiding bad things”, companies had better sit up and take notice.
Legislators are Paying Attention As Well
Consumers are not the only ones paying attention.
In another European privacy enforcement action last year, German antitrust regulators ordered Facebook to seek users’ explicit consent to combine non-Facebook data from Instagram, WhatsApp and various third-party websites into a comprehensive social media profile. Facebook must submit compliance proposals or face significant fines of up to $5 billion. Facebook plans to appeal; however, the top antitrust regulator for the EU has indicated that it is watching this case.
Facebook is also facing numerous lawsuits over data misuse and ad targeting, including one brought by Washington, D.C., Attorney General Karl Racine, accusing the social media giant of wide-ranging privacy violations. The company is also under investigation by the FTC to determine whether it violated a 2011 FTC consent decree requiring it to give consumers clear and prominent notice of how information is collected and used and to obtain consumers’ express consent before sharing information beyond established privacy settings.
Both Google and Facebook have been sued multiple times for violating the Children’s Online Privacy Protection Act, which imposes requirements on companies collecting data on children under 13 years of age. Moreover, the City of Los Angeles has sued the IBM subsidiary, The Weather Channel, for “covertly mining the private data of users and selling the information to third parties, including advertisers.”
A battle is also brewing in the US over state and federal privacy laws. Several states have passed laws aimed at data privacy and ethical use. The most prominent and restrictive of these is the California Consumer Privacy Act of 2018 – taking effect now and billed to be the toughest data privacy law in the country (incorporating many GDPR-like restrictions). Silicon Valley has lobbied hard against this and other state bills, pushing for less restrictive measures and asking that a uniform federal law supersede all state legislation. To this end, both the US Chamber of Commerce and the Internet Association, which represents companies like Amazon, Facebook, Google, and Twitter, have released their own recommendations for a federal bill. The Data Care Act introduced by a group of US senators, a competing congressional bill, The Information Transparency and Personal Data Control Act, and the White House Administration’s recommendations round out the plethora of proposals.
Regardless of where we end up in terms of data privacy regulations – several things are clear. The privacy mandate is expanding. Consumer expectations are increasing. And there will be regulation here in the US as well as in Europe. If you don’t keep up, there will be consequences.