A strong global trend in data handling regulation is taking shape, typified by the EU’s General Data Protection Regulation (GDPR). While many countries outside of the EU are just beginning their serious conversations about their new laws (including the United States), some states and localities are forging ahead on their own. One of the main trailblazers is California. The state is not only set to implement a “GDPR lite” bill in 2020, but also now has a proposal on the table to force big tech companies to create a digital dividend fund to share revenue from any personal data monetization.
California Governor Gavin Newsom used his most recent State of the State Address to introduce the idea of a digital dividend scheme for some of tech’s biggest names, which would enable Californians to ” … share in the wealth that is created from their data.” Newsom framed it as a general idea rather than enumerating any specifics, but did mention that he had already directed a team to develop a proposal.
The State of California
As home to Silicon Valley and the headquarters of many of the biggest names in tech and “big data”, California is uniquely positioned to deploy such a revenue sharing system.
Fortune 1000 tech companies based out of the state with business models that might be the focus of such a data monetization law include Adobe Systems, Apple, Facebook, NetApp, and Google parent company Alphabet.
Newsom’s proposal dovetails with two emerging trends seen both in California and across the United States as a whole: an increased demand for transparency and oversight in the handling of personal digital data, and increasing concerns about income inequality and propositions for government involvement in wealth redistribution. The California-based digital advertising companies that such a law would impact are among the world’s largest in terms of revenue; Facebook brings in over $55 billion USD per year, while Google brings in over $100 billion.
Data monetization and the rules of ownership
In Europe, the GDPR has formally tied the concept of data privacy to fundamental rights of personal privacy. As it stands in both California and the United States in general, this is not the case. United States law only addresses privacy rights when the data assets are being handled by companies in certain industries, such as health care and financial services.
Outside of those exceptions, companies are free to collect valuable data with a simple notification. In most cases, transmission of the data and use of the site or service is considered implied consent to collect and use this information in a variety of ways, including data monetization. And there is nothing approaching the “right to be forgotten” in the GDPR that allows individuals to request removal of their information from data sources at any time.
That essentially makes companies the de facto owners of data once consumers give it to them.
This data is not only an immensely valuable asset (as demonstrated by the rapid rise of Facebook), but also a constant threat to consumer safety and security that needs to be managed appropriately. As numerous recent data breaches demonstrate, that asset is not always being appropriately secured.
Colin Bastable, CEO of security awareness company Lucy Security, feels that the digital dividend proposal is only the beginning of leveling the playing field for the benefit of consumers:
“I’m glad that politicians are taking this issue seriously – but we need to go further. Consumer data is digital gold, and its value is at the heart of the cybercrime wave engulfing American consumers. FAANGs (companies like Facebook, Apple, Amazon, Netflix and Alphabet’s Google) and hackers alike are appropriating and abusing consumer data.
As I have proposed before, consumers should have lifetime ownership of their data, and we need politicians to enshrine this ownership in law. Any organization seeking to monetize consumer data should annually obtain consent to do so, and should share the gross profits of selling such data on a fifty-fifty basis.
Furthermore, we need the Federal government to regulate the license terms by which companies offer their software and services. Onerous terms should be outlawed, and primacy of the consumer’s rights should be established. We live in a world where software drives most technology with which we interact, and unfair terms are imposed on consumers by default. These are cybersecurity issues.
Only governments and lawyers benefit from GDPR-type fines levied on organizations that are hacked or are careless with consumer data. By giving American consumers lifetime ownership of their data, we would give consumers rights under the civil law to sue for lost income, as well as for privacy breaches.”
The point about fines that Bastable makes is particularly salient, and it will be interesting to watch how American data monetization law develops along this line. The GDPR provides for very large fines, but fines of a substantial size are only just beginning to roll out. The most noteworthy thus far has been the €50 million fine Google was hit with in France, but even that is a drop in the bucket next to the company’s annual total revenue of about $136 billion USD. Enough financial pain caused to a company can indirectly translate into better outcomes for data subjects, but there is no direct remuneration for those who suffer some sort of loss or damage due to improperly handled data.
The downsides of data dividends?
Jonathan Deveaux, head of enterprise data protection at German server security company comforte AG, provides an alternate take on the potential impact of a digital dividend implementation:
“It’s refreshing to hear the new California governor comment on the responsibility of data protection. Understanding his suggestion that companies have a duty to protect personal data is a positive message, especially in times where the number of data records lost to data breaches, and exposures are at an all-time high.
Sharing in “the wealth that is created” by personal data is a bold concept and may have some not so good consequences. Some studies show users are spending more and more time on their devices than in previous years. You can catch a subway train, or walk down busy streets – people are staring at their mobile devices. What will be in the impact of this should people now have access to the “digital dividend” based on their personal data? Texting while driving is already a huge concern – will this risk increase as well?
If there’s a way to share in the revenue stream created for our own data, that’s great. But we also need to be aware of the unintended consequences of doing so, and how they may impact society today.”
It’s difficult to assess the potential negative impacts of this nature with no firm terms yet announced from Governor Newsom’s office, but it is certainly a point worth exploring. If digital dividend shares increase with the amount of personal data provided or use of the service, it is possible that perverse data monetization incentives could develop. If data subjects are directly paid for sharing their data, they may also end up sharing even more sensitive data more freely due to the financial incentive.
No matter what happens, American companies will probably soon find themselves having to make major updates to their data security practices due to new regulations to protect personal data. The law may also need to provide for some manner by which to educate low-information data subjects who are not aware of the scope of use of their personal data or the risks they are subject to by supplying it.
Digital dividends and the future of data monetization
It will be interesting to see what shape the Newsom proposal ultimately takes. Sen. Mark Warner of Virginia predicted in November that the state would make such a move, guessing that any data dividend for Californians would equal about 25% of the estimated worth of an individual’s data set.
It’s unclear if Warner had any conversations with Newsom about this data monetization proposal, or how exactly an individual’s data stores would be valued in relation to company revenue streams. An Axios report simply divided annual company revenue by number of active monthly users to come up with some very small numbers – $7.37 USD for each Facebook user, $2.83 for Twitter users and a mere 30 cents for each Redditor. Of course, this methodology is flawed for a number of reasons. Some users are certainly more valuable to these companies than others in terms of data quality and quantity, and this method fails to adjust for accounts that are anonymous or contain no personal information of value whatsoever.
One possible model that could be used as a precedent for this scheme is the Alaska Permanent Fund, which consists of a state-owned corporation set up to collect a percentage of state oil revenue and then redistribute it annually to long-term state residents who have registered for the fund. Alaska makes about $1 to $6 billion in oil revenue each year, and Permanent Fund members receive checks that range from about $1,000 to $2,000 once per year. In one of the simplest possible scenarios, companies selling data might be directed to contribute some fixed percentage of their overall revenue to a similar fund.