Columns

How Privacy is Evolving

October 3, 2019

Happy fall, identity nerds! Kaelyn here, bringing you an update on the latest seasonal trends. Since it’s still far too hot here in DC to think about chunky sweaters or pumpkin spice anything, let’s talk about another topic suddenly en vogue this autumn: privacy.

You may have noticed that we’ve been dedicating a lot of column space to privacy over the course of the past few weeks. That’s reflective of a broader reckoning that’s taking place around what it means to keep personal data personal. As the 2020 election creeps closer and California’s watershed data protection act nears full enforcement, regulators and corporations alike are grappling with what it means to make the idea of privacy into actual enforceable policy.

The past week, in particular, brought us some notable developments on the privacy front that give us a sense of where this conversation is headed over the last quarter of 2019.

Google is pivoting towards data protection and privacy

On the metro platform yesterday, a Google ad caught my eye. “Next train in 5 minutes? Take 2 of them to update your privacy settings.” That’s optimistic for a few reasons: first, anyone who’s only waiting five minutes for the red line is in pretty solid shape. Second, it takes a pretty deft pirouette for Google, a company whose business model depends on personal data, to pivot toward a new stance as a worthy custodian of user privacy. But the ads blanketing DC metro stations are aimed at sending a clear message: Google’s investing heavily in data protection.

Over the past few days, Google has rolled out a series of new privacy-oriented tools, including incognito mode for Google Maps, auto-deletion controls for YouTube histories, a password checkup service, and the ability to delete voice recordings for Google Assistant. This is the latest wave in a growing strategic tide for Sundar Pichai and company, and it also comes just as regulatory attention around both antitrust and broader societal impacts of big tech reaches a fever pitch.

Presidential candidate Andrew Yang pitches personal data as property

Democratic presidential dark horse and lefty-techie-favorite Andrew Yang came out with a new proposal earlier this week to treat data ownership as a personal property right.

“Data generated by each individual needs to be owned by them, with certain rights conveyed that will allow them to know how it’s used and protect it,” the policy states.

Yang then outlines that series of “rights” in general terms, and the contours of his suggestions look pretty GDPR-y: the right to informed, the right to be forgotten, the right to be notified about data breaches, and the right to data portability, among others. He also includes a stipulation that “you should receive a share of the economic value generated from your data.”

This isn’t an entirely novel contribution to the privacy conversation, but the fact that a major (or at least top ten) presidential candidate is including data ownership as a plank in his platform is notable. The U.S. political establishment has reached a point where privacy is widely recognized as a critical issue, even if a consensus around how to legislate it is still forming.

New Nevada data protection law goes into effect

While you were distracted by the looming enforcement of CCPA, another state-level data privacy law quietly took effect this week. Nevada’s SB220 entered full force on October first, bringing more stringent standards for data sharing to the home of KNOW 2020.

Though often compared to CCPA, this law is much more tailored in scope, both in terms of the types of organizations it covers and the enforcement actions it allows. SB220 applies only to “internet websites or online services” rather than all corporation types. In addition, it does not give individual consumers the ability to take legal action against possible offenders – those actions must originate with state regulators. The law does, however, provide consumers with the option to opt-out of data sales to third-party brokers. Organizations that violate the law face up to $5,000 in penalties per infraction.

With these laws, we’re getting our first real taste of what state-by-state privacy in America might look like. The chances that a federal data protection law gets passed before CCPA takes effect in January are vanishingly small. That means the business nightmare of 50 individual, and potentially competing, regulatory regimes might actually become reality as the year comes to a close.

How does the privacy landscape evolve from here?

The American privacy landscape is almost certainly going to get more chaotic in the near-term. In the gap between the status quo and meaningful federal privacy legislation, expect to see the private sector continue to lead the charge. If Google is any indication (and Google is always an indication), it’s a worthwhile strategic play to position your company’s offerings as at the leading edge of the privacy debate, both in terms of competitive advantage and of staking a claim when regulatory structures are more firmly established. This is where your CCOs, CISOs, and CPOs should be focused through the end of the year.