In many ways, 2018 is the year that data privacy finally entered the popular mainstream. A series of high-profile data breaches at some of the world's largest companies was not even the top story of the year. Instead, the event of the year was arguably the arrival of Facebook CEO Mark Zuckerberg in Washington, D.C. in April for two days of questioning by Congressional lawmakers about data privacy, an event that was televised live and immediately started a very public discussion about what data privacy should look like in the digital era.
The public discussion around Facebook and its data misuse scandals was followed just weeks later, on 25 May 2018, by the start of enforcement of the European General Data Protection Regulation (GDPR), which promised a fundamental reform of how personal data is handled on the web. That, in turn, led to a discussion about the changing responsibilities of companies in relation to personal data and data privacy. With that in mind, here's a look back at the major defining moments of the year for data privacy.
Privacy notifications go mainstream
At the beginning of the year, Internet users began receiving a steady stream of messages from websites, apps and Internet-connected services, all related to data privacy. In some cases, the messages asked users to accept updates to a privacy policy; in other cases, they asked users to review and approve updated terms of service. This was not a coincidence, of course: it was a prelude to the anticipated enforcement date of the European General Data Protection Regulation (GDPR), which was set to apply from 25 May. The GDPR had been adopted in April 2016 with a two-year transition period, so the world's biggest tech companies and app providers had plenty of time to get ready for what promised to be the most sweeping data privacy regulation ever.
One fundamental principle underlying the GDPR is "consent," especially as it relates to the collection and use of personal data. Until 2018, "consent" usually just involved users checking a single box when they signed up for a service, agreeing to whatever terms a tech company had written. The problem was that tech companies tended to have long, rambling privacy policies written in obfuscating legalese. That was something the GDPR intended to clean up. Under the GDPR, a request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, and consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. Pre-ticked boxes and silence no longer count. Where data is shared with or sold to third parties, users must be told and must actively opt in. Consent is, however, only one of several lawful bases the regulation recognises for processing personal data; contractual necessity and legitimate interests are others, which is why not every 2018 privacy notice actually asked for a click.
That, of course, required tech companies to overhaul their terms of service and privacy policies. And, in turn, that led to the torrent of messages from tech companies in the first half of the year. If you used a social network like LinkedIn, Facebook or Instagram, you received a message. If you used a web-connected service like Strava, you received a message. And if you used some of the most popular websites on the Internet, including Squarespace and GoDaddy, you received a message. It was not a coordinated campaign so much as the same deadline arriving for everyone at once: each company had to obtain fresh, GDPR-grade consent from its users before 25 May.
Data misuse by Silicon Valley tech giants
The one event that helped to galvanize public attention about data privacy was the breaking news, in March, of the Facebook Cambridge Analytica scandal. As part of this scandal, a third-party political consulting firm (Cambridge Analytica) was found to have obtained the personal information of up to 87 million Facebook users and used it for political profiling purposes. What the scandal helped to expose was the fast-and-loose way that Facebook had enabled third-party app developers to access personal information and then, in turn, to sell or make available that information to other companies for completely unrelated purposes, with little auditing of where the data went once it left the platform.
Most people had never heard of Cambridge Analytica, and 87 million people certainly had never consented for their data to be used by this company. Only about 270,000 Facebook users had actually installed the app in question, a personality quiz called "thisisyourdigitallife" built by Aleksandr Kogan, a University of Cambridge academic whose company later passed the harvested data to Cambridge Analytica. Those users had checked a simple consent box when they used the app. Unbeknownst to them, they had agreed not only for their own profile data to be made available, but, because the Facebook platform at the time let an app request permission to read a user's friends' data as well, for the personal data of their friends to be made available too. It was that friends permission, not the quiz itself, that turned a few hundred thousand installs into tens of millions of affected accounts.