In many ways, 2018 is the year that data privacy finally entered the popular mainstream. A series of high-profile data breaches at the world’s top companies was not even the top story of the year. Instead, the event of the year was arguably the arrival of Facebook CEO Mark Zuckerberg in Washington, D.C. for two days of grilling by top Congressional lawmakers about data privacy – an event that was televised live and immediately started a very public discussion about what data privacy should look like in the digital era.
The public discussion around Facebook and its data misuse scandals was followed just months later by the launch of the European General Data Protection Regulation (GDPR), which promised a fundamental reform of privacy on the web. That, in turn, led to a discussion about the changing responsibilities of companies in relation to personal data and data privacy. With that in mind, here’s a look back at the major defining moments of the year for data privacy.
Privacy notifications go mainstream
At the beginning of the year, Internet users began receiving a steady stream of messages from websites, apps and Internet-connected services, all related to data privacy. In some cases, the messages asked users to accept new updates to their privacy policies; in other cases, the messages asked users to review and approve new updates to their terms of service. This was not a coincidence, of course – it was all a prelude to the anticipated launch of the European General Data Protection Regulation (GDPR), which was set to go live at the end of May. The GDPR had already passed in 2016, so the world’s biggest tech companies and app providers had plenty of time to get ready for the launch of what promised to be the most sweeping data privacy regulation ever.
One fundamental principle underlying the GDPR involved “consent,” especially as it related to the use and collection of personal data. Until 2018, “consent” usually just involved users checking a single box when they signed up for a service, agreeing to whatever terms a tech company might have created. However, the problem was that tech companies tended to have long, rambling privacy policies written in obfuscating legalese. That was something the GDPR intended to clean up. According to the GDPR, all consent terms had to be written in an intelligible and easily accessible format. Moreover, users had to clearly and explicitly opt into having their data used, collected and potentially sold to third parties.
That, of course, required tech companies to overhaul their terms of service and privacy policies. And, in turn, that led to the torrent of messages from tech companies at the beginning of the year. If you used a social media network like LinkedIn or Facebook or Instagram, you received a message. If you used a web-connected service like Strava, you received a message. And if you used some of the most popular websites on the Internet – including Squarespace and GoDaddy – you received a message. It was all part of a coordinated strategy by the biggest tech giants to get ready for the launch of GDPR in May.
Data misuse by Silicon Valley tech giants
The one event that helped to galvanize public attention about data privacy was the breaking news about the Facebook Cambridge Analytica scandal. As part of this scandal, a third-party consulting firm (Cambridge Analytica) was found to have accessed the personal information of nearly 87 million Facebook users and used it for political profiling purposes. What the scandal helped to expose was the fast-and-loose way that Facebook enabled third-party app developers to access personal information and then, in turn, to sell or make available that information to other companies for completely unrelated purposes.
Most people had never heard of Cambridge Analytica, and 87 million people certainly had never consented for their data to be used by this company. But plenty of Facebook users had signed up for a silly personality quiz on Facebook developed by a Cambridge Analytica researcher, and had checked a simple consent box when they used the app. Unbeknownst to them, they had agreed for all of their personal data to be made available, and moreover, for all of the personal data of their friends to be made available.
Given the scope and extent of this data misuse, it was perhaps not surprising that the public outcry over the Facebook Cambridge Analytica scandal eventually led to Facebook CEO Mark Zuckerberg having to face two days of grilling by top Congressional lawmakers. And that’s where the situation really escalated – instead of simply being a question-and-answer session about Facebook’s data privacy practices, it became a far-reaching discussion about election meddling, social media censorship, ethical standards for tech companies and the need for federal regulation.
While Facebook managed to escape without being subjected to heavy fines or penalties, the public flap over Cambridge Analytica started a much wider discussion about the weaknesses of industry self-regulation, and the need for Washington to get involved. Moreover, it set up the very real prospect that further data abuses by Silicon Valley tech giants might lead to them being fined, penalized or even broken up into smaller pieces where they could much more accurately monitor data abuse violations. At the very least, stock market investors would be keeping a much closer eye on these companies.
Data breaches at the world’s top companies
2018, of course, was not without its share of high-profile data breaches. Despite years of similar incidents affecting top retail giants and government agencies, it seems that many companies still were not taking the requisite steps to beef up their cyber security defenses. As these stories impacting the likes of Quora, Marriott, Under Armour, and Cathay Pacific continued to break throughout the course of the year, one thing became clear: data privacy was still being viewed by the world’s top companies as something that could be grafted onto existing business processes at the end, rather than something that was fundamentally part of those business processes from the very beginning.
Arguably the highest profile data breach of the year impacted Marriott, the global hotel and hospitality chain. Data hackers had accessed records of 500 million people, as a result of a breach of the Starwood Hotels guest reservation system. By breaking into this system, data thieves could see the names, addresses and even passport numbers of guests. This, of course, triggered a public outcry from top legislators. New York Senator Charles Schumer, for example, said that Marriott should cover the costs of new passports to be issued to all U.S. citizens affected.
Another high-profile data breach involved the popular Q&A site Quora. This data beach impacted 100 million people, and involved hackers getting their hands on names, email, passwords, user account settings, and content created by users (including all questions submitted, all answers submitted, and all comments). Some data privacy experts compared the Quora case to the Cambridge Analytica case, because it appeared that the cyber thieves were not after financial information – instead, they were looking for the type of demographic and pyschographic information that could be used to develop very detailed personal profiles of users.
The same type of data breach occurred at Under Armour, the huge international sports and fitness brand. This time, the hackers were after the food, nutrition and fitness details of Under Armour users with a MyFitnessPal account. There is now a lawsuit seeking class action status, given the scope and breadth of this data hack.
GDPR changes the discussion around data privacy
Another defining moment for data privacy was the launch of GDPR in May 2018. There had already been a tremendous amount of speculation about the new regulation back in 2017, with some predicting that it would forever change the way the world thinks about data privacy. Some warned that the GDPR might have a chilling impact on business.
While the European GDPR was designed by European regulators with European citizens in mind, the effects were far-reaching beyond just Europe. That’s because, according to the way the regulation was designed to protect the information of EU residents, it would apply not just to European companies, but also to any company processing the data of those EU residents. And it didn’t matter where the data processing centers were located, or the home HQ location of that company. Thus, if a company like Google or Facebook planned to do business in Europe, they would have to follow the GDPR – or risk significant fines and penalties.
One goal of the GDPR was “privacy by design.” This refers to the process of making privacy a fundamental requirement of any business process and any interaction with consumers. In many ways, it would require companies to re-think the way they did business. At the very least, it would force companies to get a handle on exactly what type of data they were collecting, how they were using it, and with whom they were sharing it.
And, unlike predecessor regulations, the GDPR actually had teeth, meaning it could be used to impose massive fines on companies found to be willfully bypassing or circumventing the GDPR. For a Silicon Valley tech giant, potential fines might reach into the hundreds of millions of dollars, if not the billions. Thus, the launch of the GDPR immediately became a wake-up call for tech executives around the world, essentially giving them fair warning that they could be facing an existential risk to the future survival of their companies if they did not start changing their old ways of doing business, especially as it related to data privacy and the use, collection and sale of personal information.
The regulatory landscape around privacy continues to shift
Heading into 2019, it’s clear that the GDPR has already started to galvanize other nations to overhaul their data privacy laws and regulations. Apple CEO Tim Cook warned of a “data-industrial complex” in Silicon Valley, and the data privacy topic has continually found new ways to enter the mainstream public discussion. It’s no longer unusual to see TV talking heads debating Facebook and Google, or to hear about efforts underway to tighten up regulations. This is particularly true in the United States, which has seen state after state take efforts to toughen their regulations related to data privacy.
Perhaps the best example is the state of California, home to many of the world’s top tech giants. California has passed the California Consumer Protection Act (CCPA), which is set to go into effect on January 1, 2020. The CCPA follows the spirit of the GDPR, and is designed around the idea of stronger data privacy protection and greater data transparency. Consumers must be notified what personal information is being collected, and whether it is being sold or disclosed to others. The CCPA also will give residents the right to say “No” to the sale of personal information to third parties.
One key provision of the CCPA is the requirement by companies that they must provide equal service and price, even if consumers choose to exercise their privacy rights to the maximum extent. It also empowers citizens to bring civil actions against companies, with damages ranging from $100 to $750 per person. Thus, a social media network like Facebook would not be able to “penalize” some users by giving them a slower, inferior version of the Facebook experience if they refuse to share their personal information with others.
The big question, of course, is whether or not the United States will introduce sweeping federal-level privacy legislation in 2019. Already, the big tech giants have dispatched their lobbying troops to Washington, D..C., where they hope to shape the overall debate over any future federal data privacy law. Moreover, big tech companies like Intel are now moving forward with efforts to steer the public narrative and discourse over future data privacy regulation. In many ways, it appears that they have accepted the fact that federal privacy regulation is going to happen sooner or later, and it is best to be in front of it so that it is as palatable as possible for their business models.
Things have changed
Even with greater public consciousness around data privacy, and even with new regulations and legislation designed to protect user information and personal privacy, it’s clear that there is still a long way to go in 2019 before personal data is truly protected. In the past, a data breach involving 1 million people might have made headlines. Now, it takes 100 million (as in the case of Quora and Facebook) or even 500 million (as in the case of Marriot) to generate buzz-worthy headlines. But there is certainly hope that things will change soon. One thing is certain: the GDPR has fundamentally changed the way we think about privacy, and 2018 will forever be remembered as the year that data privacy finally went mainstream.