One goal of the GDPR was “privacy by design.” This refers to the process of making privacy a fundamental requirement of any business process and any interaction with consumers. In many ways, it would require companies to re-think the way they did business. At the very least, it would force companies to get a handle on exactly what type of data they were collecting, how they were using it, and with whom they were sharing it.
And, unlike predecessor regulations, the GDPR actually had teeth, meaning it could be used to impose massive fines on companies found to be willfully bypassing or circumventing the GDPR. For a Silicon Valley tech giant, potential fines might reach into the hundreds of millions of dollars, if not the billions. Thus, the launch of the GDPR immediately became a wake-up call for tech executives around the world, essentially giving them fair warning that they could be facing an existential risk to the future survival of their companies if they did not start changing their old ways of doing business, especially as it related to data privacy and the use, collection and sale of personal information.
The regulatory landscape around privacy continues to shift
Heading into 2019, it’s clear that the GDPR has already started to galvanize other nations to overhaul their data privacy laws and regulations. Apple CEO Tim Cook warned of a “data-industrial complex” in Silicon Valley, and the data privacy topic has continually found new ways to enter the mainstream public discussion. It’s no longer unusual to see TV talking heads debating Facebook and Google, or to hear about efforts underway to tighten up regulations. This is particularly true in the United States, which has seen state after state take efforts to toughen their regulations related to data privacy.
Perhaps the best example is the state of California, home to many of the world’s top tech giants. California has passed the California Consumer Protection Act (CCPA), which is set to go into effect on January 1, 2020. The CCPA follows the spirit of the GDPR, and is designed around the idea of stronger data privacy protection and greater data transparency. Consumers must be notified what personal information is being collected, and whether it is being sold or disclosed to others. The CCPA also will give residents the right to say “No” to the sale of personal information to third parties.
One key provision of the CCPA is the requirement by companies that they must provide equal service and price, even if consumers choose to exercise their privacy rights to the maximum extent. It also empowers citizens to bring civil actions against companies, with damages ranging from $100 to $750 per person. Thus, a social media network like Facebook would not be able to “penalize” some users by giving them a slower, inferior version of the Facebook experience if they refuse to share their personal information with others.
The big question, of course, is whether or not the United States will introduce sweeping federal-level privacy legislation in 2019. Already, the big tech giants have dispatched their lobbying troops to Washington, D..C., where they hope to shape the overall debate over any future federal data privacy law. Moreover, big tech companies like Intel are now moving forward with efforts to steer the public narrative and discourse over future data privacy regulation. In many ways, it appears that they have accepted the fact that federal privacy regulation is going to happen sooner or later, and it is best to be in front of it so that it is as palatable as possible for their business models.
Things have changed
Even with greater public consciousness around data privacy, and even with new regulations and legislation designed to protect user information and personal privacy, it’s clear that there is still a long way to go in 2019 before personal data is truly protected. In the past, a data breach involving 1 million people might have made headlines. Now, it takes 100 million (as in the case of Quora and Facebook) or even 500 million (as in the case of Marriot) to generate buzz-worthy headlines. But there is certainly hope that things will change soon. One thing is certain: the GDPR has fundamentally changed the way we think about privacy, and 2018 will forever be remembered as the year that data privacy finally went mainstream.