Online privacy is a complicated subject. Consumers can benefit from sharing data with organizations (such as their mailing address or credit card numbers) to facilitate online access and transactions. However, keeping that user data safe and not misusing it is a major priority for businesses since their reputation and revenue depend on it.
It can take an industry insider to fully hash out what the current state of privacy regulation is today. I spoke with privacy guru Jeremy Tillman, director of product at Ghostery, a web browser security organization, to find out more.
Scott Matteson: What is the current status of privacy regulation?
Jeremy Tillman: After decades of complacency, the regulatory tide is finally turning against the unchecked personal data collection that powers the ad-revenue machines at Google, Facebook, and other big tech firms. In Europe, the General Data Protection Regulation (GDPR) is an unprecedented leap forward in privacy regulation, with strict rules and harsh penalties designed to limit personal data collection.
Though the US has been slower to act, there is a growing demand for an Internet Dodd-Frank, sweeping federal legislation designed to protect the privacy of US citizens. The recently passed California Protection Act (AB 375) is one potential, though imperfect, template for a federal consumer privacy law. This new law affords California residents new privacy rights that entitle them to more insight into, and more control over, the personal data companies collect on them. Though much better than the status quo, this bill was rushed through the legislative process in just over a week after a much stricter initiative was organized by real-estate mogul Alastair Mactaggart.
Google already commented that they "...look forward to improvements to address the many unintended consequences of the law," which could easily translate to prioritizing the protection of the practices that have allowed these companies to make billions at the expense of consumer privacy. That said, regulations alone can't and won't solve the privacy problem. That's why consumers need to be empowered to take matters into their own hands and implement measures to personally protect, and be smart about, their online footprint.
Scott Matteson: What are the strengths and weaknesses of privacy regulation?
Jeremy Tillman: It's difficult to make a blanket statement about the strengths and weaknesses of the overall state of privacy regulation today. As such, let's look at one in particular—the California Protection Act.
This summer, California Governor Jerry Brown rushed to approve a law that gives consumers more control and transparency into how their data is tracked and shared by businesses that operate in the state. The strength of the CA Act is that it will likely cross California borders, as any company that does business online in the United States almost certainly delivers their product or service to individuals in California, forcing them to comply with the law. We can—and should—expect additional state and/or federal legislatures to follow in California's footsteps and become more aggressive when it comes to consumer privacy.
The main weakness is that it's not scheduled to go into effect until 2020. The time between when it was brought to light and when it's supposed to be implemented basically gives Big Tech approximately 18 months to lobby the Congress of California to water down the law. It also opens the door for Congress to pass its own federal law and effectively supersede California's law. In theory, this could work for or against consumer protection.
Scott Matteson: Where do you see things headed in 2019?
Jeremy Tillman: In 2019, we'll see grassroots support around privacy legislation continue to grow. As this progresses, we'll see state legislators incorporate consumer privacy as part of their platforms.
Additionally, in 2019 we'll also start to see privacy-as-a-paid-service emerge as a new business model. Online advertising is the backbone of today's digital economy, generating billions of dollars of revenue for ad-supported businesses. This concept of surveillance capitalism elicits a massive unseen cost that consumers have no idea they're paying. The currency they're being charged is attention and data, rather than dollars and cents. With all the major data missteps made by Facebook and Google in 2018, consumers are paying attention and are demanding greater control and security over their personal data.
Consequently, there is a new market demand, not only for privacy-friendly alternatives to traditional ad-supported business models but also for dedicated privacy services. Given the parallel rise in consumer subscriptions, it stands to reason that we'll see the emergence of paid subscriptions that feature consumer privacy as a core part of their value proposition.
Scott Matteson: How are businesses balancing revenue vs. consumer protection?
Jeremy Tillman: Right now, they're favoring revenue from unsolicited data collection via advertising. However, tech companies that go with this privacy-as-a-paid-service business model will no longer be incentivized to monopolize user attention to maximize ad impressions or to harvest data to maximize conversion rates. Instead, they'll focus on delivering utility and value to users as justification for the subscription cost. In short, they could generate the same amount of revenue from paid subscriptions as they currently do from advertising.
Scott Matteson: What leverage do consumers have over businesses?
Jeremy Tillman: Consumers can proactively implement a safe internet footprint for themselves by taking precautions like downloading digital privacy tools and ad blockers and considering paid subscriptions wherever possible. They can also seek out privacy-friendly browsers and websites. Additionally, consumers can decrease their engagement with platforms like Facebook and Google that are notorious for data collection; by doing this, consumers will directly impact these companies' bottom lines and reduce their financial incentive to maintain the status quo, forcing them to reconsider their business models.
Scott Matteson: Is there anything IT departments can do here (controls, policies, mandates, etc.)?
Jeremy Tillman: From an organizational perspective, IT departments can demand their employees take these types of previously mentioned proactive safe browsing precautions. To encourage this safer behavior, IT departments can pre-install privacy tools on their employees' computers and customize default settings that maximize organizational privacy. Going a step further, organizations can also educate employees on privacy threats and the proactive steps individuals can take to protect themselves. Not only will this protect employees' privacy when they're in the workplace, but it also protects companies against fraud, corporate espionage, and security risks that are made possible by malvertising that pervades the ad tech ecosystem.
Scott Matteson: Anything else to share?
Jeremy Tillman: If done right, thoughtful privacy regulation would not only protect consumers but also support businesses. For example, research shows that the creation of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 made the financial sector much safer today than before the 2008 crisis. While not infallible, Dodd-Frank established the Consumer Financial Protection Bureau (CFPB), higher prudential standards, augmented oversight of financial institutions, and new resolution procedures for failed institutions.
These implementations increased both economic growth and financial stability or enhanced one of them at a minimal cost to the other. While these regulatory breakthroughs are encouraging, regulation alone cannot fully protect consumer privacy, and, to a large degree, the invisible hand of capitalism is critical in finding viable alternatives to the data-dependent business models that drive today's internet.
Overall, in 2019 we'll see companies that rely on traditional advertising methods, like Facebook and Google, struggle. User fatigue will cause consumers to find more meaningful experiences elsewhere, and they're prioritizing proactively protecting the monetization of their personal data.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.