Give It Away
Most consumers care about their personal data privacy but don’t know how to: a) take back their data, and b) monetize their data. Not only are governments stepping up regulations to protect consumers, but awareness around the value of personal data is starting to proliferate across the media. As consumers realize the value of their personal data, they may be inclined to protect it and find a way to monetize it.
Here is what happens when we use social media, applications and websites. In exchange for free access, we provide (often voluntarily) details about who we are, what we do, where we are, our interests, apps we use, Internet pages we visit, who our friends are… you get the point. Companies create a profile about you from your personal data, which is then packaged by companies like Oracle and sold to brands and data companies. The providers of personal data collect fees for selling your info (Facebook made about US$30 per American and Canadian in Q1F19). Even the largest social media companies use third-party data to enhance their profile about you because you are not only a user and promoter of their platforms, but you are also their product.
They monetize your personal data, and you get squat. Worse, we know that many of the largest companies aren’t good stewards of our personal information. Your data is circulating around the Internet and stored in data centers waiting to be hacked, the consequences of which can be devastating as this man discovered seven years ago.
Consumer Privacy is Paramount
Data breaches are a regular occurrence. The Yahoo! attack in 2013 exposed names, email addresses and dates of birth, impacted 3 billion user accounts, and compromised the phone numbers of 500 million users. This past April, UpGuard, a provider of cybersecurity research, reported that two third-party Facebook apps it analyzed exposed 540 million records. Separately, an app called At the Pool exposed databases that appeared to include data about Facebook user IDs, friends, photos and location check-ins, as well as unprotected passwords for 22,000 users.
These types of breaches are one catalyst that prompted the European Union to implement the General Data Protection Regulation (GDPR) in May 2018 to protect the data and privacy of citizens. Organizations, both European and non-European, breaching GDPR can be fined up to the greater of 4% of annual global turnover or €20 million. A company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject within 72 hours of a breach, or not conducting impact assessments. Okay – these fines aren’t onerous for larger non-compliant firms, leading us to believe that the bigger reason for GDPR is to inform consumers about how companies are collecting, using and monetizing their personal data.
Take it Back!
Although the United States doesn’t have a comprehensive national law like GDPR that regulates the collection and use of personal data, the Data Care Act of 2018 introduced to the U.S. Senate in December 2018 seeks to incentivize “online service providers” into protecting certain types of personal data.
California has taken the lead in the U.S. with the California Consumer Privacy Act (CCPA), giving consumers new privacy rights to control their personal information. The Act used GDPR legislation as its foundation and goes live on January 1, 2020.
CCPA Section 1798.102 applies to California businesses that meet any ONE of the following: a) they generate annual gross revenues of $25 million or more, b) they receive or share personal information of at least 50,000 California residents annually, or c) 50% of their annual revenue comes from selling the personal information of California residents. The Act grants consumers the right, at any time, to opt out of the sale of their personal data by any business. The Act also specifies that businesses cannot deny goods or services to customers who opt out of the sale of personal data.
But there is a bigger problem than just California for companies doing business in the United States; many U.S. states are in the process of enacting GDPR-like legislation, including: Alabama (SB 318), Arizona (HB 2145), Colorado (HB 1128), Iowa (HF 2354), Louisiana (Act. No. 382), Nebraska (LB 757), New York (Senate Bill S5642), Oregon (SB 1551), South Carolina (H4655), South Dakota (SB No. 62), Vermont (H.764), and Virginia (HB 183). An online survey published by TrustArc in March 2019 found only 14% of companies surveyed were CCPA compliant. With potentially 50 different data privacy regulations, companies operating in the United States that handle personal data may be facing a logistical nightmare.
Don’t Worry Be Happy
Companies are rightfully spooked by personal data laws. Think about the California-based goliaths that will have to comply not only with CCPA for Californian consumers come January 1, 2020, but also with the laws that all the other states are enacting to protect our personal data. Several firms stopped doing business in Europe because of GDPR (California’s Drawbridge, Factual and Verve). We haven’t heard how these firms plan to comply with California’s CCPA. Keep the Internet Free, an Internet Association project (see members here), has suggested that CCPA may cause many free, advertising-supported websites to start charging users for access. This may be a scare tactic to get consumers to back down from opting out of personal data monetization. Or, maybe they are scared and trying to get CCPA amendments because they know the Act will disrupt their business models.
Up Next… The Million You Never Made
Sophic Capital client Freckle (TSXV:FRKL) has an application called Killi that addresses GDPR and CCPA data privacy issues. It allows users to control and sell their personal data directly to brands and platforms and be compensated in cash, bypassing the firms who have been selling this data unbeknownst to the consumer. In Part 2 of Sophic Capital’s Give it Away – The Million You Never Made, we’ll explain how brands and data brokers make money from your personal data.