In our next four reports, we will outline how governments and corporations are focusing on consumer data privacy protection and how this relates to Sophic Capital client Reklaim (TSXV: MYID, OTC: MYIDF). This first report focuses on what is taking place in the United States, the largest consumer data market in the world.
Recap on Government Laws Sophic Previously Discussed
Sophic Capital research subscribers should be familiar with our positive outlook for the consumer data privacy sector. Any time we use our laptops, tablets, and smartphones, tech companies track what we view, what we communicate, and where we are. These companies assemble all these digital breadcrumbs into our digital profiles and sell them to companies that use them to inform their decisions or to marketers who then deliver advertisements to our devices.
Governments are restoring power to the people. Europe’s General Data Protection Regulation (GDPR) was the first data privacy law passed (April 2016) and is known as the most stringent in the world. GDPR imposes obligations on all organizations, regardless of where they are domiciled, if they have consumers in the EU. Under GDPR, companies must:
- only process personal data if one of 6 conditions is met
- ensure data is secure for consumers
- disclose data breaches to consumers within 72 hours
- demonstrate their personal data practices are compliant with regulations.
Many countries, states, and provinces have used GDPR as the modern blueprint for revisions to their data policies.
California was the first state in the United States to introduce significant data privacy laws with the introduction of the California Consumer Privacy Act (CCPA). Whereas GDPR focuses on making privacy a legal framework, CCPA focuses on personal data transparency. Under CCPA, consumers have the right to:
- know what personal data is collected
- have companies delete any personal data collected
- opt out of third-party selling of personal data
- non-discrimination (businesses cannot deny goods or services, charge a different price, or provide an extra level or quality of goods and services) for exercising their CCPA rights.
Additionally, under CCPA, you must register as a data broker to sell data on consumers in California. There are currently approximately 600 data brokers in California.
The EU updated GDPR regulations in 2021, prompting California to begin the process of amending and expanding CCPA through the California Privacy Rights Act (CPRA). The CPRA, which comes into effect January 2023, adds two more consumer rights to CCPA:
- The right to correct inaccurate personal data, and
- The right to limit the use and disclosure of personal information, including social security numbers, biometrics, geolocations, and contact information.
These two additional rights could significantly impact businesses operating in California. Essentially, any U.S. business that generates more than $25 million in revenue OR derives at least half of its revenue from the sale of consumer data OR buys/sells/shares over 100 thousand consumer profiles is subject to CPRA. These qualifications will inevitably make virtually every data company in the United States subject to CPRA. It is important to note that the United States is the largest data market in the world today (approximately US$257 billion in 2021 and forecasted to grow to US$366 billion by 2029). CPRA will inevitably force all data companies to fundamentally change the way they ingest and sell data. The larger question, which we will debate in future reports, is: how can they when they have no connection to the consumer?
In 2020, California had about 981,000 domestic businesses, and as the world’s fifth largest economy, it’s not a stretch to suggest that there are a lot of California businesses generating $25 million in revenue that will fall under CPRA. In fact, in August 2022, CPRA had its first victory when Sephora USA reached a $1.2 million settlement with California’s Attorney General concerning the company’s use of personal data tracking. Although Sephora USA is headquartered in San Francisco, California, it’s worth remembering that data does not respect state boundaries, and CPRA applies to any company doing business in California, including those domiciled outside of the state.
America Increasingly Moving Towards A Federal Privacy Law
A survey conducted in April 2021 by Pew Research Center found that 56% of Americans believe more regulations should be in place to curb the economic power and influence of major technology companies. That number is up from 47% in the prior year. The survey also found a strong sentiment towards limiting major tech companies’ ability to grow, with 55% of American adults in favour. And these increasing data privacy concerns amongst Americans have caused politicians to act.
Exhibit 1: More Americans Think Big Tech Needs More Regulation
Source: Pew Research Center
Although the U.S. does not yet have a single comprehensive data privacy and security law, individual states continue to lay the foundation (Exhibit 2), with some passing laws that go into effect next year, including:
- California Privacy Rights Act – Effective January 1, 2023
- Virginia Consumer Data Protection Act – Effective January 1, 2023
- Colorado Privacy Act – Effective July 1, 2023
- Connecticut Act Concerning Personal Data Privacy and Online Monitoring – Effective July 1, 2023
- Utah Consumer Privacy Act – Effective December 31, 2023.
Exhibit 2: Current Status of U.S. State Data Privacy Laws
Beyond the above states setting precedent, the U.S. Government has created its own quasi-version of the GDPR. The newly proposed American Data Privacy and Protection Act (ADPPA) is making its mark as a federal online privacy bill with bipartisan and bicameral support. ADPPA will be broader than current states’ data privacy laws by considering any “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique persistent identifiers.” With a vote of 53-2 at the U.S. House of Representatives Committee on Energy and Commerce on July 20, 2022, the Bill still has to pass the House and Senate.
Focus on Protecting Children’s Privacy
In a Privacy Among Teenagers report by Tsaaro, 74% of teens feel there is a need for new privacy laws. Before this report was published, data privacy for children was an issue in Washington, D.C. During President Biden’s March 1, 2022, State of the Union address, the President vowed to improve children’s privacy and online safety by banning technology companies from collecting children’s data and advertising to kids. He stated, “We must hold social media platforms accountable for the national experiment they’re conducting on our children for profit.” And the President could be on to something – 56% of Americans believe big tech companies require more regulation, and 68% think these firms have too much power and influence in the economy.
Senators Richard Blumenthal and Marsha Blackburn then introduced the Kids Online Safety Act that would restrict the use of data that social media platforms collected from minors.
The Federal Trade Commission announced that enforcing the Children’s Online Privacy Protection Act is a priority, adopting the policy under a 5-0 vote. The FTC will host a virtual event on October 19, 2022, to further discuss how to protect children.
Overseas, on September 6, the Irish Data Protection Commission fined Instagram (parent company Meta) €405 million for the mishandling of children’s data. After a two-year investigation into Instagram’s ‘business accounts,’ it was determined the company made the accounts of teenagers public, openly sharing their contact information. Users could view advanced metrics by opting to change a personal account into a business account but were then subject to the default privacy settings.
Coming Up...
In our next Data Privacy Report, we’ll learn how other countries around the globe are acting against the collection and use of consumer data.
Disclosures
Reklaim [TSXV: MYID, OTC: MYIDF] has contracted Sophic Capital for capital markets advisory and investor relations services.