The GDPR arrived in May, California passed and amended it’s consumer privacy regulation, and Colorado put their privacy law online back in September. Yet, consumers and businesses alike want their governments to pass even more data privacy legislation. And why wouldn’t they? Almost weekly there is a story about how many users have been affected by the latest huge data breach, and the Cambridge Analytica story showed that even without a breach, organizations have the ability to use our personal information any way they’d like.
There are high expectations that privacy laws will make a difference in the way personal data is shared and controlled, and the overall impact of these laws will be positive for consumers. As consumer demands grow and regulators respond, businesses will be pushed to increase privacy standards and incorporate new practices to establish trust with their users.
What Consumers Want
By an overwhelming majority, consumers want control over their data, but they have little faith there will be much change, according to a recent study by ExpressVPN. While 90 percent think Big Tech should self-regulate how they use and share data, only 48 percent think they will actually do so.
Consumers want more regulation, too, with more than 80 percent stating that Congress should be passing privacy laws. Not surprising, less than half think Congress will get around to addressing data privacy in 2019. However, data privacy isn’t a high priority for the respondents of this survey, as other issues such as healthcare and immigration take higher precedence.
“Online privacy is rapidly becoming a key ‘kitchen table’ issue in America. Privacy is a fundamental right, and internet users should be in control of their personal data and how it should be used,” Harold Li, vice president of ExpressVPN, said in a formal statement.
Well, online privacy concerns may not be quite a “kitchen table issue” just yet, but it is clear that they are more aware than ever and want something done. It is that they don’t trust those in charge to take action.
Giving Consumers a Voice
Consumers never had a voice regarding data privacy. For years, we turned over our information to all types of organizations, from ecommerce to government agencies to social media sites, and expected those organizations to protect the information. High-profile data breaches highlighted how we had no control over what others did with the information we shared or how it was secured. GDPR gave hope that it was possible to regain some control over that personal information. Still, it tends to be Big Tech or industry that has the most say over how regulations are developed and how data is used.
California is changing that dynamic. The state’s attorney general announced that there will be six public forums surrounding CCPA. These forums are designed to “provide an initial opportunity for the public to participate in the CCPA rulemaking process. As part of this process, the Department of Justice invites all members of the public to speak at these events,” according to a release from California Attorney General Xavier Becerra’s office.
Several of the forums have already been held. Some of the questions that have been raised so far surround employee data (because the focus of CCPA is consumer data, many want to know if employee and HR data will be protected), how to define the value of the data as the current phrasing in the bill is ambiguous, addressing how to process opt-out requests to ensure that organizations don’t end up collecting data that they otherwise wouldn’t collect, the low threshold for compliance, and linking data sets that could actually end up creating more risk in the event of a cyber incident.
The GDPR Impact
One positive aspect of GDPR is that we now know just how much personal data is held by businesses. After the first 100 days, WeLiveSecurity reported, “it is now clear that most companies hold personally identifiable information (PII) on both customers and employees. Moreover, slightly more than one fifth of the participants disclosed that they hold additional PII such as biometric and health data.”
An unexpected result of GDPR so far is the decrease of new business investments and the increase of Big Tech’s market share. And while there is a greater awareness of data privacy and the need for data protection in the EU, GDPR has actually resulted in a lot more confusion about what is being protected and what isn’t.
“I would argue that the multiplicity of ways it has been implemented across websites makes it hard for users to understand what they are confirming or consenting to for their data usage. As GDPR wants specific consent for specific purposes, I would question whether a user of a website, for example, would understand the difference between functional cookies versus strictly necessary cookies,” Gary Neal, COO with Smartology, told Verdict.
GDPR is slowly finding its footing in the EU, as are similar privacy laws in the U.S. Businesses are still figuring out how to best meet compliance with the laws. Consumers know they want to keep their data safe, they are unsure who should be held responsible for data protection and, as California’s forums show, there are still a lot of unanswered questions out there on how to mesh both consumer and business interests.