By Eve Maler, Interim CTO, ForgeRock
28th January was Data Privacy Day and each year I use this moment in time to reflect on the privacy trends that shaped the last 12 months and look ahead to the issues that are likely to dominate the new year.
There is no doubt that 2019 was a watershed year for data privacy. We saw record fines levied by the UK’s Information Commissioner’s Office (ICO), only a month after a harsh rebuke of the adtech industry. In the US, the Federal Trade Commission imposed an unprecedented $5bn penalty, and tech giant after tech giant reaffirmed their commitment to privacy again, and again, and again…
These events helped shape a new consensus view among politicians, companies, and the public: as individual citizens and consumers, we all deserve better protection from exploitative, opaque, and expansive data collection and sharing.
Looking ahead, 2020 seems set to be another major one for privacy with the new European Commission President, Ursula von der Leyen, putting it at the centre of her five-year strategy – “For us the protection of a person’s digital identity is the overriding priority… [w]ith the GDPR we set the pattern for the world.”
So, as we enter both a new year and a new decade, what should we expect to see in the world of data privacy this year? Here are three areas I will be watching closely.
Like GDPR, the effects of CCPA will be felt globally
In the face of federal indecision, US states like Washington and Colorado are continuing to forge new ground on data privacy, led by the ‘gold-standard’ California Consumer Privacy Act (CCPA) which went into effect on January 1.
Looking solely at US companies, up to 500,000 could be affected. This covers businesses of all sizes and across all sectors, from retail to professional services. Given the number of major tech companies – arguably the intended targets – that operate from California, this state-level regulation is far more than just a local issue. It will have global ramifications, beyond even the $55bn compliance costs.
Any UK business will be impacted if it meets any one of the following criteria: it processes the data of California residents, has an annual gross revenue of more than £25 million, derives more than 50% of its revenue from the sale of such data, or processes the data of more than 50,000 residents.
One of the main points of friction that has emerged is around the so-called ‘Do Not Sell’ provision. UK companies subject to the CCPA that sell customer data for money are required to add a ‘Do Not Sell My Personal Information’ button to allow customers to opt out.
While the EU’s General Data Protection Regulation (GDPR) made opt-out consent illegal, the CCPA enshrines opt-out consent in a ‘Do Not Sell My Personal Information’ provision. While interpretation of ‘selling’ data is currently uncertain, businesses should be careful not to interpret away its applicability to them too quickly.
By way of example, in a recent blog post, Facebook announced that it does not believe that this provision applies to its business (much of the public will likely disagree) while Uber has decided the opposite – adding a button to its homepage.
And which consent formulation is more powerful for end-user empowerment? GDPR banked on opting in to give people more choice, but when people are hungry to be offered online services, opting in is just a click away. Marketers must confront the reality of the opt-out experience now – which will ultimately be good for the consumer convenience and value equation.
Recognising the risks of facial recognition
2019 was the year in which the spotlight shone brightest on facial recognition. Consumer awareness of its harms was fuelled by scandals worldwide, from the US and UK to China.
Equally shocking for the ordinary citizen was that private and public operators operated in a legal vacuum – with no recourse against what many saw as ‘consumer surveillance’.
Laws like Illinois’ Biometric Information Privacy Act, one of the few examples of standalone legislation in this area, have been subject to relentless legal challenges by companies like Facebook, which tried to bring a class action lawsuit against it that was rejected by the US Supreme Court.
While companies have curtailed efforts to bring further US legislation (see New Hampshire for the latest example), the EU has once again flexed its muscles, looking to address the regulatory void around biometric technology and data by introducing a temporary ban on facial recognition in public areas.
This is only adequate as a stop-gap, which is its intention, but now we must have a real conversation about how this emerging technology can be applied by business and governments, including both the regulations and ethics of facial recognition and the data it produces.
Data Privacy 2.0: Moving beyond the paradigm of privacy as data protection
Proponents of User-Managed Access (UMA), the leading standard that enables selective sharing of a user’s digital resources no matter where they live online, are known as ‘UMAnitarians’. We like to say that data privacy is not just about secrecy or encryption. It’s about context, control, choice, and respect. Increasingly, data control and transparency are also about business models – making it a fundamental issue for every senior leader, not just the compliance team.
The direction of travel is clear – see the consensus view mentioned above – and this means that data transparency and control for end-users should now be a priority for every business. And, as organisations incorporate data protection, they should not settle for the minimum now expected by consumers, but reflect on how they can do more to build trust and stronger customer relationships.
Complacency is the enemy of progress
In many ways, 2019 was a great year for data privacy and the signs are promising for 2020. However, there have also been moments to give us pause. The ICO has extended BA’s ‘notice of intent’ to fine by six months, which has led to speculation that they are negotiating a ‘sweetheart deal’ far below the record number that was originally imposed.
This is the wrong message to be sending to companies and customers. If they haven’t already, businesses should see Data Privacy Day as an opportunity to start leaning in to privacy and consent, not just for compliance, but for real business benefits.
Or, as Wojtek Wiewiorowski, Europe’s new Data Protection Supervisor (EDPS), puts it:
“I would like to live in a world where this standard that we have in data protection in Europe is recognized as something that might be the advantage on the market and maybe used in an innovative way in the market.”