In Sophic Capital’s Data Privacy Transcends International Borders report, we highlighted new privacy laws across the world to safeguard the collection and use of consumer data. In this report, our focus shifts to what technology companies are doing to protect personal data. We will then conclude with a report on Sophic Capital client Reklaim (TSXV:MYID, OTC:MYIDF), discussing how the Company is positioned to capitalize on the changes in the data market.
Consumers Are Being More Cautious
After benefiting from unlimited access to the collection and selling of unconsented consumer data, the data market is now beginning to see disruption and regulation. Businesses highly value the data they collect about their customers, using this information to sell and improve products, send targeted advertisements, and predict sales trends. However, consumers have gained awareness that data collection is lucrative for brands and agencies as well as an invasion of privacy that can easily be abused, leading to mistrust and suspicion of many businesses.
As the online world became a bigger part of our everyday lives, Big Tech accelerated their collection of our personal data. A Cisco study highlighted that consumer awareness about their data privacy is high. Included in the study’s findings were:
- 86% of consumers care about data privacy and want more control
- 79% of consumers are willing to invest time or money to better protect their privacy
- 46% of consumers believe they are not able to effectively protect their own data
- 47% of consumers have switched platforms/companies over their data policies.
Most of the data-driven economy underpinning ordinary products and services is invisible to consumers. Although data originates from the customer and their ‘private’ behaviour, that information has historically been considered company property and a proprietary secret. Operating behind a ‘digital curtain’, the data economy was designed to blur the view of industry practices from policymakers and the broader public.
Data becomes more valuable as it is combined. A consumers personally identifiable information (PII) is anything that could individually, or in combination with other information, identify a consumer. This includes a name, address, phone number, SIN/SSN number, or online ID. This is the most expensive and frequently compromised data in a breach. If someone steals a PII, they then have the potential to apply for credit cards, loans, or even passports in the victim’s name. But data breaches affect more than consumers:
A report from IBM found that the average cost of a data breach in 2022 was US$4.35 million, up 2.6% from US$4.24 million in 2021. As consumer data is housed in thousands of independent companies, the cumulative return for each hack increases, especially for heists where a hacker obtains millions of profiles. As the value of data increases, so does the number of data breaches. Not only is the loss of data a security nightmare for any company due to the lawsuits and compensation that results from these hacks, but also the reputational harm. It is nearly impossible to put a dollar value on customer trust, and once trust is broken, it is difficult to rebuild.
Consumer concern about how their personal data is used, frequent breaches, and regulators passing data privacy laws and debating data privacy bills have caused some technology companies to implement their own data privacy policies and supporting technology.
Big Tech Acts – Willingly
In prior Sophic Capital reports, we detailed how 96% of Apple users opted out of tracking when the company introduced the feature in April 2021 in its iOS 14 operating system. Meta (Facebook) saw the biggest one-day drop of any stock following its Q4 2021 results as the company cited Apple’s ad tracking policy as a significant headwind. The iPhone privacy changes cost Snap, Facebook, Twitter, and YouTube almost US$10 billion in lost revenue during the second half of 2021 and Meta expects it will cost another $US10 billion to the company alone in 2022. Apple is increasingly using privacy as a market differentiator in its marketing and product development. In addition to App Tracking Transparency, Apple has also introduced Private Relay in Apple Mail, which obfuscates a user’s email on all emails being sent from the Apple Mail application. ‘Sign In with Apple’, introduced in 2019, is a single-sign-in solution (SSO) that obfuscates your email when logging into a site, preventing that site from receiving your actual email. Facebook Connect and Google Connect are also SSO solutions but are used to collect data on users on sites that are not their own. Finally, Mail Privacy Protection, which was introduced to make email marketing to Apple users redundant, artificially inflates ‘open rates’ of newsletters sent to consumers
Google is taking a different approach. While not as focused on privacy as Apple, Google is using privacy to reduce the amount of data leaking from its systems. This is important because many firms use data from Google to compete with it or to develop new data products. Google’s announcement to remove third-party cookies from Chrome which commands 65% of the browser market is by far the biggest move in the privacy space as 1.8 billion websites rely on this cookie for the majority of their revenue. A loss of the cookie will force more brands into the Google ecosystem and asphyxiate the websites of the open web that rely on this for their existence. Meta’s stock fell over 4% the following day.
In addition Google announced that it would phase out its proprietary ID system in place of a new privacy-focused advertising that limits user data sharing in its Android operating system. Google has also reduced the amount of location data third parties are able to extract from Android applications while further restricting the scanning a developer can do of an Android application. This is a tactic used by many data firms to quietly acquire keystroke and application name and use data from unsuspecting customers.
Firefox is making a push to become the world’s most private and secure browser. This past June, the company rolled out Total Cookie Protection by default to all users worldwide. Total Cookie Protection prevents companies from tracking users as they browse from site to site by confining the cookies to the site they were created. This means website can track you on their site until you leave. After leaving website A for website B, only website B can track you and only on their website until you leave. This restricts companies to only seeing a user’s behaviour on individual sites as compared to previously when trackers could link up your behaviour on multiple sites. This is an upgrade from September 2019, when the browser announced third-party cookie blocking by default.
Several privacy browsers are entering the market or upgrading their products to put privacy at the forefront. Brave, DuckDuckGo are independent browsers that are privacy first. Safari, owned by Apple, is also increasingly adding more privacy features to remove tracking.
Big Tech Acts – Unwillingly
In September 2021, Ireland’s Data Protection Commissioner fined WhatsApp €225 million for not conforming with Europe’s GDPR data regulations about transparency. WhatsApp’s initial fine was €50 million but was increased to €225 million following a meeting between the Commissioner and the European Data Protection Board. The Irish regulator also ordered WhatsApp (owned by Meta) to bring its processing into compliance. WhatsApp has since made “edits and clarifications” to its European data privacy policies.
Similarly, in July 2021, Luxembourg’s National Commission for Data Protection fined Amazon €746 million for GDPR violations. Amazon has since appealed, stating that “there has been no data breach, and no customer data has been exposed to any third party.”
Leaked audios from TikTok meetings mention employees in China accessing U.S. user data. A Buzzfeed report claimed that U.S. TikTok employees had to request their colleagues in China for data as “everything is seen in China”. TikTok is working with Oracle and the Committee on Foreign Investment in the United States to redirect and delete data to “fully pivot to Oracle cloud servers located in the U.S.” This has led to FCC Commissioner Brendan Carr requesting Apple and Google to remove TikTok from their app stores for “its pattern of surreptitious data practices.” Apple and Google were told they have until July 8 to remove the app and provide a response if not completed. Almost 2 months after the supposed deadline, there has been no update.
Twitter followed after paying US$150 million in fines to the U.S. government for misleading users on personal data protection. Twitter had been using users’ contact information for marketer’s advertising purposes which violates a 2011 privacy settlement with the FTC.
On August 18, 2022, a class action lawsuit was brought against tech giant Oracle, accusing them of running a worldwide surveillance machine. With detailed information on around 5 billion people, the company has been accused of tracking where people go and what they do. However, the suit faces a seemingly uphill battle with no comprehensive federal privacy laws in place in the U.S.
A week later, on August 29, 2022, the U.S. Federal Trade Commission filed a lawsuit against data broker Kochava for selling the geolocation data from hundreds of millions of devices. The data in question could be used to trace individuals’ movements to and from sensitive locations.
The Perfect Storm
Everything is pointing to where individuals can exercise full control over their personal data. While consumers still seek the conveniences and benefits that flow from their data, they will be the ones to set the terms over what data they share and who they share it with. People want and are starting to expect protection, governments are complying, and technology companies are falling in line, with data privacy policies now impacting financial bottom lines.
Governments, consumers, market forces, and security risks are converging, pulling back the digital curtain. Governments are introducing legislation to give consumers more control, forcing private companies to comply with stricter rules. Tech giants like Apple, Google, and Meta are feeling the pressure from consumers who have become increasingly aware of lax data regulations. Add a long history of ransomware, hacks, and data breaches and you have the perfect storm. All these changes reducing in data supply, making access to compliant, zero-party data an increasingly hot commodity. Once a freely harvested resource, personal data is now being treated as an asset and, if not acquired with consent, a liability.
In our fourth Data Privacy Report, we’ll learn how Sophic Capital client Reklaim [TSXV:MYID, OTC:MYIDF] allows consumers to confirm their identity and unveil data that has been collected and sold without the consumer’s explicit consent for years. Reklaim enables consumers to take back control of this data by setting up a Reklaim account where, should they choose to, they can be compensated for their data.