We have all been exposed, if not inundated, with the fact that so much of our personal information has been systematically harvested for years. Both with and without our knowledge or consent. Combine this with a never-ending stream of data breaches that have left vast amounts of our personal lives scattered about the dark web for sale. This should leave everyone feeling freaked out and very exposed.
I guess it depends on your level of apathy towards the whole situation. I wrote about this in a previous blog. Regardless of where you sit on the apathy spectrum, I suppose everyone feels data privacy, or better said, the right to data privacy, is something worth pursuing. Therein lies the trap. While we can all agree that something needs to be done, how to do it effectively remains the question. The EU's General Data Protection Regulation (GDPR), enacted earlier this year, was the first major attempt by a political body to legislate rules for how corporations handle the data of EU citizens. At least, that is the premise. California followed suit not too long after with their own version, the Consumer Privacy Act. As it turns out, the law of unintended consequences manifested itself once again. The spirit of the legislation is undermined by the realities of implementing the remedy. There are huge costs for corporations to comply and the inevitable bloated bureaucracy for oversight. The result will probably leave the consumer under-served, with the penalties (fines) benefiting only the political bodies. Shocker.
I was reading a great short article by Andrew Burt in the Harvard Business Review which succinctly highlighted some of the unintended challenges and costs around actually implementing comprehensive data privacy legislation. It’s a lot like golf – a simple game, but very hard to play well. Data privacy is simple. Protect the right to (data) privacy for all sovereign individuals. Meaning, I should know exactly what you are collecting and for what purpose. Better yet, if I want my data back from you, I can easily request that with reasonable assurance that you have not kept a copy and will not immediately start collecting it again. Easier said than done. Alas, how do you put the genie back in the bottle when it has been free for so long? Not an easy answer. Not at all.
No one cared until they cared.
For years, we, the individual consumer, have willingly and gleefully clicked-to-accept away large swaths of personal information in exchange for some benefit, often trivial (think about all those kitten wallpapers you downloaded for your PC years ago). Anyone who has downloaded, subscribed, purchased anything online, used loyalty cards, etc. has “accepted” some lengthy legal document that basically said the company with which you are transacting can use your data for whatever purpose it chooses, blah, blah, blah. C’mon, besides a few legal wonks, who has ever read, from tip to tail, the entire legal disclaimer on a click-through acceptance?
Anyone? No? Thought so.
However, consumer awareness has now risen to a level where we know (albeit vaguely for most) companies sell and generate revenue from the massive amounts of personal information we have given them for years. It’s not hard to see the value of this big data to marketers, for instance. Better information about target consumers means more effective marketing campaigns. More effective marketing spend yields more revenue and profits. Pretty simple. But then the companies who had all our data failed to protect it. Cue the wave of data breaches. The consumer starts to become cynical and skeptical about whether or not companies can be trusted with all the power over our lives we have given them.
At first, the breached companies tried to PR their way out of it with formal expressions of concern and dismay about how their most recent breach affected their customers. Rest assured, they would take care of it. When the breaches continued, some executives lost their jobs and stock prices took a hit. Investors got a little antsy. Then a funny thing happened. Consumers kept doing business with these companies. Apparently, the pain felt by big companies was temporary. Which leads us to where we are today. Sure, enterprises spend billions of dollars annually on cybersecurity, but it is mostly under the guidance of their legal teams to principally mitigate the litigation risk and protect shareholder value. Not to primarily protect an individual’s right to privacy. Any benefit to the individual consumer would be a byproduct of the legal risk mitigation. Which brings us right to the heart of the issue: profit vs. protection.
Let’s put ethics and morality aside for a moment, so we can focus on the reality of the situation. We live in a capitalistic society whereby enterprises compete fiercely to grow revenues and profits. Companies, public and private alike, have been profiting off our personal information collected for years. Asking these organizations to police themselves, while idealistic, is a bit of a stretch. Not to oversimplify things, but there are only two main levers in business to generate profit: increase revenue and/or decrease costs. So, how does protecting your personal information generate profit, exactly? It doesn’t directly grow revenue and it only adds costs. The result, predictably, is a minimum viable solution to the problem. Companies will generally only spend the minimum amount to satisfy the legal risk mitigation strategy as prescribed by their corporate lawyers. Since we consumers don’t seem willing (or able) to hold these corporations accountable by voting with our wallet, we must turn to another agency for help. The government. Well, we know how this will end.
Regardless of your political stance, one thing we should all agree on is politicians will almost always choose expediency over excellence. While politicians may start off with good intentions, sadly they are more concerned about re-election than actual reform. As a result, they typically seek to score quick wins with one-size-fits-all legislation that may produce nice sound bites, but all too frequently fails to live up to expectations. Add the fact that the large multinational corporations who would stand to be heavily impacted by such regulations often employ powerful lobbyists to help water down any real meaningful attempt at precise reform. We wind up with a Band-Aid when surgery is required. Given the complexity of the data privacy dilemma and the players involved (big money), the individual consumer will undoubtedly get the short end of the stick. Imagine if corporations had to cut us a check each time they sold or profited from our carefully curated personal information. After all, since we bear most of the risk (cost) if our personally identifiable data is stolen, shouldn’t we be entitled to financial compensation? Boy, wouldn’t that be cool?
Regrettably, it is but an illusion. GDPR, California’s Consumer Privacy Act and others that are sure to follow are all well intended. However, they will most likely fail to deliver to the degree we, the individual consumers, had hoped. While the current legislation does pack some stiff penalties, companies will simply pass that cost along right back to the consumer. That’s just how it works in the real world.
Not sure this genie ever is going back in the bottle.