Columns

The DASHBOARD Act – What you need to know

July 2, 2019

On Monday, June 24, Senators Mark R. Warner (D, VA) and Josh Hawley (R, MO) introduced the “Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data” or the DASHBOARD Act. The new piece of proposed legislation would require large-scale digital service providers to give regular updates to their users on what personal data is being collected, its economic value, and how that data is being communicated and used by third parties.

We’ve already received several questions this week on the exact scope of this bill and who would be affected. Don’t you worry, we have you covered.

What do you need to know?

The bill has 4 main components to dive into:

  1. It would require commercial data operators with over 100 million monthly users to disclose to those users what data the operator is collecting, and provide periodic value assessment on their aggregate data profiles. For some context:
    • YouTube – 2.0 billion monthly users
    • Amazon – 197 million monthly users
    • Pinterest – 150 million monthly users
    • SnapChat – 190 million daily active users
  2. Commercial data operators would need to file an annual report disclosing an estimate on the total value of user data and all third parties involved in data collection.
  3. Similar to GDPR, the bill introduces the right for users to request all of their data, or individual fields, to be deleted or file a request to understand what personal data has been collected. It’s the Right to be Forgotten (lite).
  4. The bill would require the SEC to create and implement methodologies for calculating the value of personal data and make these tools available to private industry.

Who would be affected?

This bill, in its current form, is a shot across the bow particularly at big tech, adtech, and martech industries whose business models are focused on reselling user data to advertisers – not the entire digital identity economy. There is a specific carve-out in Section 3 of the bill defining commercial data operators excluding entities using data for purposes including:

If the data is necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or assist in the prosecution of those responsible for such activity

This language creates exceptions for digital identity service providers who are focused on use cases like risk assessment, fraud prevention, identity verification and authentication. The bill is not trying to prevent service providers from catching bad guys, but instead focuses on limiting the potentially exploitative nature of digital advertising business models. The goal is to shed light on how much individual data is worth and bring more transparency to what merchants are doing with personal data.

What do you need to look out for?

There are several key points to keep on your radar as this bill progresses:

  1. Time is running out for the federal government to establish a unified stance on consumer data privacy before the looming CCPA comes into effect in 2020, which is sure to spur a national overhaul of the personal data economy.
  2. Evaluation of personal data economics is not a new concept, but this is a sign that quantitative valuation of data attributes will have a larger role in the ongoing data privacy conversation. Having agreed-upon standards and methodologies to assess the value of consumer data is the first step in having a unified approach to cyber insurance, criminal liability, and broader accountability for digital service providers.
  3. Stay tuned for a shakeup of data gateways. As service providers are on the front lines of collecting and providing the marketplace with identity attributes, this bill has the opportunity to disrupt several of these major sources.

Remember that this bill is very young and has yet to face the firing squad of the legislative debate. We will continue to monitor its progress and keep you up to date on major developments and potential impacts.