What’s the privacy tax on innovation?

(Pixabay)

The recent White House Executive Order (EO) on protecting American’s sensitive data is sure to drive new discussions on privacy controls. Matters in the US are further complicated by a patchwork of different privacy regulations that will make it harder for enterprises operating across state lines. It’s reasonable to wonder how much this might slow innovation and productivity since data is sometimes portrayed as the raw material fueling innovations in AI and business transformation. 

The US has the world's largest market for data services in terms of the raw number of data providers and the value of their data. The EU data market pales in comparison despite a slightly higher population. According to a 2020 European Data Market Study compiled by IDC in concert with the European Commission, the 2020 data market stood at €211 billion in the US compared to €80,253 in the EU+UK. A comparison of this value to GDP shows that it was 1.34% in the US versus 0.55% in Europe. Japan came in a close second at 1.21% of GDP.

The EU also has a different culture and has had many privacy controls over the years. Perhaps somewhat surprisingly, the new GDPR requirements that went into effect in 2018 had a marginal impact on the growth of the data market industry or the knock-on impact on the economy. Another measure of Data Economy Value included the financial impact of data products more broadly across the economy. In 2020, this was €443.9 billion in the EU+UK. Here, the value continued to grow at 8.4% per year for two years after introducing GDPR controls. 

Unfortunately, no comparable numbers were available for the US in the report to compare the relative impacts of data markets across economies outside the EU. But what is clear is that data broker firms have grown much larger in the US when measured in absolute terms or relative to GDP. Also, the study was completed before generative AI innovations emerged that could improve the analysis of non-structured data sets. 

It's also important to note that much of the data measured in this survey is not necessarily consumer data. For example, the financial impact on industries was led by Financial Services, followed by Mining & Manufacturing, Professional Services, Retail & Wholesale, and Information & Communication. Across all categories of data, the US had 316,000 data companies compared to 107,000 in the EU in 2020. 

A thriving data market

Sophie Stalla-Bourdillon, Senior Privacy Counsel and Legal Engineer at Immuta, said that due to the different levels of regulation in the US compared to the EU and the UK, the data broker market is bigger for citizen information. The barriers to collecting, storing, and transferring/selling personal data have traditionally been lower in the US, and data brokers can work with less fear of falling on the wrong side of regulators. However, the US Federal Trade Commission has targeted data brokers for several years. 

But she believes things may begin to change more quickly with state privacy laws in place, such as the California Consumer Privacy Act. The California Civil Code requires data brokers to register with the California Privacy Protection Agency, and consumers are granted the right to opt out of sales and sharing of personal information. Other states that have begun enforcing privacy laws include Colorado, Connecticut, Utah, Virginia, Delaware, Indiana, and Iowa; eight other states are not far behind. 

Stalla-Bourdillon says whether these have a major impact on data broker practices will depend upon the level of enforcement and the types of sanctions issued by regulators, as opt-out rights remain relatively weak mechanisms to curb opaque practices.

An emerging challenge for US companies will be a patchwork of different privacy frameworks that complicate compliance and the data and IT infrastructure controls required to support different rules. Anthony Cammarano, VP of Security, Privacy & Strategy at Protegrity, says it will incur a huge expense for businesses to do the same task in different ways:

There are about eight states with privacy laws, and none of them line up. There are about twenty other states looking to write and enact their own versions of privacy law. Think about the costs to a business to handle a customer from California differently from a customer in Ohio differently from a customer in Washington. That’s not scalable, and I think this is why you’re seeing businesses push for a federal mandate. It may cost them in the short-term, but at least there’s a standard which is non-existent today.

Tragedy of the Commons

One consequence of the current privacy framework in the US is that data brokers can realize sales and profits from the data of people they have legally collected while offloading much of the damages incurred by breaches and misuse of the data to consumers and businesses. Rod Boothby, co-founder and CEO of IDPartner, explains:

The data broker model is not just broken. It can be seriously dangerous. Data brokers gather massive amounts of personal information about Americans and then sell that data to the highest bidder. Remember when Target sent mailers telling a father his teen daughter was pregnant? The same data-broker systems can figure out who you vote for, tell your boss if you're looking for another job and reveal other deep secrets. Worst of all, this data can be sold to adversarial nations that run state-sponsored hacking systems to influence our democratic elections and manufacture division. Businesses usually use data brokers to try to stop fraud.

Stalla-Bourdillon says it is also important to consider the significant economic costs of personal data breaches and identity thefts. Several data brokers have already exposed huge amounts of personal information due to inadequate security measures. She notes:

What is more, the potential for individual and societal harm is actually quite substantial, with data brokers selling data to criminal scammers, freely providing information to law enforcement bodies without any warrant, court order, or even subpoena, as well as to political consultants engaged in disinformation campaigns and foreign actors.

For example, the 2018 Equifax breach exposed the sensitive personal information of 148 million consumers. By 2020, the breach cost Equifax $1.7 billion. This included $796 million to settle government investigations and $337 million to bolster its data security infrastructure. But it only set aside up to $425 million for people affected by the breach. That’s $2.87 per person!

Arguably, many of the individuals affected by the breach did not have their identities stolen or their financial accounts hacked as a result of the breach. But for those that did, Equifax offered them $25 per hour for their time, up to $20,000 for out-of-pocket losses, and free identity restoration services through January 2024. Individuals who get hacked after that or lose more than $20,000 are out of luck despite their sensitive data still floating around in the wild. 

Taking back trust

Today, businesses turn to data brokers to prevent fraud, which is of immense value to businesses and consumers. However, much of this data is outside the consumers' visibility or control in terms of accuracy or how it is being used.

Jeff Reich, Executive Director at Identity Defined Security Alliance (IDSA), a non-profit for sharing identity best practices, says:

Individuals need the education and tools to see the true value of their identity data. Once at that stage, people need to take the right steps to protect their identity data strongly and consistently. When we stop handing over that data that we should be controlling, those who are using and selling the data will need to find another target or method.

Fortunately, innovative American businesses have rushed in to fill this gap. For only $8.71 per month or $20 per month for your family, DeleteMe will scour the data broker market and remove all your personal data being sold online. 

Boothby, whose firm sells bank-based identity verification tools to businesses, suggests a better alternative to the data broker free-for-all is to turn to banks since they have already earned enough trust from safely managing our money. In this model, rather than businesses using data brokers to check on customers, those same customers can use banks to prove they are who they claim to be. Boothby explains:

Privacy is not total secrecy. Instead, privacy is having control over what information is shared about you and control over who gets to see it. The data-broker model doesn't give end users control. A better model is to use a bank-based ID. ‘I'm Rod Boothby. I am over 25. I can prove it to you. Just ask my bank. I know my bank will only share what I ask them to share.’

My take

A few decades ago, California had one of the strongest definitions for certifying Organic foods in the US. Eventually, the US government stepped in with a watered-down definition. Despite the pain of new privacy controls, the US data broker industry will lobby for a similar approach to at least harmonize privacy regulations at the Federal level that limit the impact on their business models when operating across state lines. 

For businesses and consumers, a more equitable approach would be to add a few more teeth to the cost of data misuse arising from legal sales, employee theft, or breaches. A few high-profile payouts arising from theft or when this data is used as part of multi-million dollar ransomware attacks on critical business systems would have a focusing effect on better privacy management practices.  

Another option is to turn to banks as holders of trust. Banks may be a good first point for managing the financial data we directly share with them. But what about all the data that others gather that may not be tied to traditional identifiers like social security numbers (SSN) used to unify data, such as IP addresses, phone numbers, Wi-Fi hubs, or the trail of GPS dots that gravitate to your home or office?

Here are some ideas for the next Uber or Airbnb to fill this gap by innovating to #acceleratetrust: 

1. Simplify the user experience for organizing and sharing all sensitive information tied to your SSN, home address (including GPS), IP addresses, and anything else that can be tied to you. 
2. Store only the data people might want to keep fully encrypted at rest and in motion but allow users to share it with any apps and services they want in a fully revokable way. 
3. Curate an Appstore for algorithms and tools for learning from your data footprint, which aligns with or deviates from your personal and community values, such as what you eat, where you go, what you buy, how you spend your time and health impacts.  
4. Set up a social network that allows people to monitor and mirror life value or privacy role models, similar to the way the Robinhood investment service makes it easy to mirror favorite investors. This will make it easier to fine-tune privacy settings automatically rather than getting bogged down in the details.
5. Build buy-in by informing people how their data improved scientific research, impacted their communities, drove sustainability, and pay them directly when it provides financial benefits to enterprise customers. 
6. Offer the DeleteMe experience to allow anyone to remove their sensitive data for free from everywhere else. This will be costly but will also build a moat for data broker competitors who have lost trust. At first, people might want to delete everything, but they will change their minds when they see people finding innovative ways to create value for them. 
7. Learn from the big data brokers forced to pivot to this trust-based business model as a result of losing so much money to the hot new Uber or Airbnb destroying the status quo.