Facebook was open to the public for more than a decade before most users thought all that much about what companies do with the data they share on social media. In the wake of the Cambridge Analytica scandal, that’s not the case anymore. And with Europe’s groundbreaking General Protection Data Regulation (GDPR) having kicked in at the end of May, the risks of mishandling user data are very real for companies of all kinds.
Data breaches have long been, and continue to be, major issues for companies, but they’re not the only problem related to handing users’ information. With the public growing more aware of how organizations use and profit from data, backlash over the standard practice of collecting as much data as possible and then selling it is growing.
“People don’t trust business with handling their personal data as much as they used to,” says Austin O’Brion, co-founder of Token of Trust, a maker of solutions that enable companies to combat fraud, account abuse, identity theft, online scams and cyber criminals. “The attitude many companies have had is: ‘With all of this consumer information, how can I make money off of it later?’ That’s now coming back to bite them. People don’t like it. Organizations should be thinking about people’s privacy first.”
How Facebook helped light the data-sharing fire
Most users of social media thought little about what they were revealing when they took “personality surveys” or random quizzes on Facebook until after the 2016 election, when allegations of manipulation of social media began to surface. Essentially, Facebook delivered data on 50 million users to a company called Cambridge Analytica, which turned around and used it to influence would-be voters on the social platform for paying clients.
The Cambridge Analytica scandal, which continues to unfold, awakened millions of users of social media not only to the value of their data but to how organizations gather and use it. Users were angry that Facebook revealed data they hadn’t expected to be revealed—despite the contents of the company’s conditions of use at the time, which allowed that activity—to a third party and overtly political organization. (Facebook has since tightened its policy on data sharing to make it much more restrictive.)
“I’m still surprised that people didn’t know that Facebook profile data is used to target ads,” O’Brion says. “This technique has been used for over a decade by online advertisers, and I don’t think this issue would have reached this level of visibility if it hadn’t impacted something super important like an election.”
But it did, and the scandal engendered a backlash that continues to flourish. A movement to quit Facebook briefly hit the company’s stock price, although has thus far done minimal damage to the company’s user numbers.
In a broader sense, though, consumers are more aware now of who might use their data and how than they were before Cambridge Analytica. And they’re increasingly willing to scrutinize data-sharing policies, which can be confusing and difficult for non-legal experts to understand, and reject doing business with organizations that don’t meet their expectations for privacy.
GDPR: Europe strikes a blow for responsible data policies
User backlash is a serious enough problem, but when governmental bodies get involved in an issue, there’s real trouble. In 2016, the European Union adopted the General Data Protection Regulation (GDPR), the law that has recently launched millions of updated privacy policies for subscribers to online newsletters and users of social media and subscription-based websites.
GDPR includes a broad set of regulations, including a rule that requires organizations to notify regulators about data breaches within 72 hours. Perhaps the most daunting aspect of GDPR, though, is that it requires organizations to provide specifics on how they use data collected from EU citizens. Organizations have to be able to reveal what data they’re collecting about EU citizens, why they’re collecting it and how they’re using it.
For the most part, companies that collect and sell data, or use data to improve their products, would rather not tell their users how they’re using their data. Perhaps as a result, even with two years to prepare, most technology companies are not ready for GDPR, according to The Verge. On the first day of GDPR, major newspapers even took down their websites in Europe for fear of running afoul of the new regulations.
“There are some companies we’ve talked to, where they say, ‘Are you kidding? If we told them how we were using their data, they’d never give it to us in the first place,’” Jason Straight, an attorney and chief privacy officer at GDPR consultant United Lex, told The Verge.
Doing the right thing with data sharing
GDPR, for all the hassle it is likely to cause, might be the tipping point that causes organizations to rethink their data strategies. And they should. Tightening data policies to protect privacy, as it turns out, it’s just the right thing to do from an ethical perspective. It also has positive practical applications even aside from GDPR compliance.
For one thing, when companies keep only the information they need on a member of the public, the consequences of data breaches become less severe. Data breaches are nearly unavoidable, but one way to minimize their impact is to limit the amount of data a thief can steal. That starts with only asking consumers for relevant information. A home-sharing service might need to know credit history or criminal record, for instance, but a website for, say, purchasing wine shouldn’t.
“I want it to know I’m of legal drinking age, and you don’t need to know much more than that,” says Darrin Edelman, co-founder and CTO at Token of Trust. It might sound like extreme example, but over-collection and over-accumulation of data is a major issue both for security purposes and for keeping the public trust.
Transparency is another issue and one GDPR has now brought to the fore for citizens of the EU. Companies need to be able to explain why they’re asking for data, which identifying items they’re storing and what they plan to do with them. The issue of public trust is at stake, as are compliance issues surrounding GDPR.
Unfortunately, providing transparency is easier said than done especially with historic data. Many companies hold massive troves of personal data, and in many cases don’t know where it originated from. Beyond that, companies who’ve not prepared for GDPR’s guidelines will likely find it difficult to reveal all of the places where user data is stored and what they intended to do with it.
“Companies were focused on collecting data and building profiles of their customers,” Edelman says. “When compiling the data, the focus was simply to collect it and aggregate it in a sensible way for future reference. Now companies with these profiles are going to be hard-pressed to justify the existence of this data, give people access to it and, perhaps hardest of all, to identify if those demanding access are the rightful owners.”
GDPR for the USA?
Across the board, companies need to rethink how they acquire, share and store data, and how they communicate to consumers what’s happening with their data. Companies also need to consider all of the ramifications of data policy when they choose to work with third-party vendors as well.
Third parties need to be compliant themselves, or they could lead their customers directly into trouble. Compliant third parties offer a major advantage over those that cannot meet regulations.
“Understanding what people need the data for is going to have to require an organizational shift in thinking,” Edelman says. “It’s a mentality that everybody has to be adopting at this point. The stakes are much higher right now, and once you give data away, there’s no taking it back.”
And businesses need to focus on compliance now, as the GDPR panic might not always be confined to Europe.
“A good percentage of the population now falls under GDPR,” Edelman says. “In order to comply, many sites have built out new controls for end users and aren’t bothering to differentiate between who is an EU citizen and who is not. This means that globally users are going to get used to having greater control and transparency from a wide range of sites – even those that do not cater to EU citizens will feel the impact in the form of changing expectations and a resetting of the norm for how sites handle personal data. It’s not that it’s coming here to the US eventually – it’s already here.”
Because of this, companies all over the world will have to quickly and completely rethink data sharing and retention. Given the lack of preparation for GDPR, which had a two-year grace period, waiting to comply seems unwise. Better to prepare now than to be caught out later.
Austin O’Brion and Darrin Edelman will speak on GDPR and data policy at the 2018 GCS Intelligent Reporting event in Denver in October. Register here!
Sovos is fully compliant with GDPR and has more than three decades of experience handling customers’ data responsibly. Contact Sovos for more information.