Since entering the post-GDPR era, U.S. lawmakers have been working to bring stateside the EU’s initiative to put data privacy back in the hands of consumers. We’ve seen California enact the California Consumer Protection Act (CCPA), though the New York Privacy Act (NYPA) – the most recent U.S. effort to tackle data privacy – failed to pass in a recent legislative session. It would have given New Yorkers the right to sue companies directly over online privacy violations, and, unlike the CCPA, it would apply to all organizations that conduct business in New York state or that target residents of New York state. In other words, “too small to matter” would not be an excuse for non-compliance.
However, the NYPA was not the only egg in U.S. legislators’ data privacy baskets. The Senate recently introduced the Dashboard Act (Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data). This legislation would require “commercial data operators” with more than 100 million monthly active users to disclose the type of data they collect from users and provide “an assessment of the value of that data.” By default, giant data operators such as Google, Amazon and Facebook would be covered – both in terms of profitability and data management.
Quantifying the invisible data gold mine
Why is the Dashboard Act important? First, it shows that legislators are beginning to address the privacy issue on a national level. It also demonstrates the growing recognition that data has intrinsic value, and takes a step toward having that data included as an asset on the balance sheet – which has been a long time coming. In the information economy, data is often the most valuable asset for many companies. It’s surprising, then, that legislators have yet to address or quantify the value of data that companies hold or the value that consumers give up when they opt in, or don’t opt out of, data collection. So far, the Financial Accounting Standards Board (FASB) hasn’t enacted any legal requirements, despite examining the question more than once. Perhaps because it’s hard to define an approach to consistently value data.
The Dashboard Act would codify the concept of “data as an asset” for companies whose business depends on the value of data they collect from users. Users have been paying for these “free” online services – some unknowingly – with their data all along. Under the Dashboard Act, data collectors would be required to tell consumers how the company will financially benefit from the data they or their partners collect. Consumers will then truly understand the value they’re giving the collecting organization and the real price they’re paying to use a service like Facebook or Google.
Consumer data is a powerful currency, so consumers should know the value of the transactions taking place. With greater visibility, users can then decide if they want the data operator to delete all data that the company possesses or maintains access to.
The Dashboard Act may also be a step toward enabling the individual to monetize their own data – truly recognizing that we own our personal information and can trade it when we have more knowledge of its value. With the ability to explicitly “pay” for services with personal information, consumers may start saying, “my data is worth more than your product or service,” enabling them to leverage this value in future online transactions. This could significantly change the financials of internet services for consumers.
Managing information for data privacy laws
While the Dashboard Act would give consumers more insight into how giant data collectors’ businesses are run, it would also require data operators to take a closer look at how they manage information. Reporting how data has been provided to third parties will require an added set of governance and tracking.
Companies will need to follow their information supply chain – the way information moves through their organization – beyond the boundaries of the enterprise. They need to extend their lineage to track where data has left the organization, to whom it went, for what purpose and what agreements exist around how it can be used. Robust data intelligence practices will be critical to ensure companies have a full view into their data estate, so they can report the origins, movement and flow of data. Without the ability to manage the lifecycle of personal data, companies will struggle to capture and manage proof of an individual’s consent.
This level of visibility will be imperative as auditors come knocking. Data collectors will need to be able to prove they’re compliant in real time – which means quickly discovering and retrieving consumer information, and deleting it when requested.
As U.S. legislators take steps to design a safer, more balanced data-driven future, regulations will continue to demand better information management from organizations. We have entered the information economy and there are no signs, or likelihood, of going back. As such, it is critical to lay the legislative groundwork today to ensure consumers and businesses operate with transparency moving forward.