Coming soon: US-style GDPR
EUROPE has its general data protection regulation, but American legislators have been dragging their heels when it comes to updating online consumer data privacy. This matters because so many of the companies that use and abuse consumer data are American. Facebook, Google, Amazon and more have built wildly successful business models that collect and monetise online habits and information.
To date they’ve existed in a regulatory wild west, and they haven’t covered themselves in glory when it comes to self-regulation.
But things are changing. California has passed a law that will give consumers the right to request their personal data from businesses that have collected it and find out what they’re doing with it, including selling it onto others. Georgia is working on its own privacy legislation. This has kick-started a discussion on personal data across the States, which will ultimately effect consumers and marketers further afield. This discussion hit Washington last Wednesday, when the US Senate commerce committee heard from Silicon Valley’s finest about their privacy practices.
It was a chance for the tech companies and their lobbyists to prove they support legislation — but on their terms. Most of the tech titans insisted that personal data is something they take very seriously. Twitter said privacy was part of its DNA. Apple said that privacy was a core issue not an add-on. And Amazon said it followed privacy-by-design principles since its founding. “We design our products and services so that it is easy for customers to understand when their data is being collected and control when their data is shared,” said Andrew DeVore, Amazon’s vice-president and associate general counsel, “and we are not in the business of selling our customers’ personal data.”
But some companies are less transparent about how they use personal data. Google showed up and admitted it made mistakes in the past, but said it had improved its privacy protections. The search giant is used to apologising to legislators. And paying fines too. It was hit with a $5bn fine for violating EU antitrust laws earlier this year. In 2011 it agreed to 20 years of privacy audits by the US Federal Trade Commission for violating user privacy with its new social network, Google Buzz. In 2012, it paid a $22.5m civil penalty for misrepresenting privacy practices to users of Apple’s Safari browser. To prove it has learned its lesson, Google pro-actively issued a detailed policy paper called a Framework for Responsible Data Protection Regulation ahead of the hearing. One of the key principles in this document relates to global interoperability. “Countries should adopt an integrated framework of privacy regulations, avoiding overlapping or inconsistent rules whenever possible,” Google said. “In particular, geographic restrictions on data storage undermine security, service reliability, and business efficiency. Privacy regulation should support cross-border data transfer mechanisms, industry standards, and other cross-organisation cooperation mechanisms that ensure protections follow the data, not national boundaries.”
The Interactive Advertising Bureau wasn’t invited to the hearings, but it has skin in this game — it’s the trade group that represents the online advertising industry. But the IAB did send a letter from afar. Dave Grimaldi, EVP, public policy, wrote: “The exponential growth and innovation in the digital advertising industry over the last decade has been revolutionary for consumers. Any approach to privacy must be flexible and nimble so that ‘rules of the road’ can evolve with innovation and consumer expectations.”
This is rubbish. Ask yourself, have you ever seen an online ad and thought it was “revolutionary”. What’s more, the IAB seems to have confused innovation with surveillance. And let’s not kid ourselves, most consumers have little or no expectation around how their data is used. And those that do expect greater transparency and fewer creepy ads that follow them around the web.
The IAB weren’t the only ones irked not to be invited. It was notable that this was a hearing on consumer privacy where no one represented consumers. The committee did reveal that other hearings were on the way, though. And the next, in a month or so, will include testimony from consumer groups, privacy advocates and the head of GDPR enforcement for the EU.
Testimony from Europe is interesting. Especially given the cries from Google and others for international privacy standards and interoperability. They should be careful what they wish for. US legislation probably won’t end up being identical to GDPR, but it could be crafted in its image.