The ink feels nearly dry. Final negotiations appear to be coming into focus, and deals are likely to be cut. It’s time for businesses to contemplate how to comply with the soon-to-be-finalized rewrite of Europe’s consumer privacy laws.
A key takeaway from the draft General Data Protection Regulation is the importance of companies providing meaningful notice to consumers about—and choice with respect to—the companies’ collection, use, sharing, storage and security of consumer data. What isn't clear from the draft, despite nearly five years of debate over its text, is what constitutes effective notice and choice.
While the regulation is nearly finalized, the time is just beginning for EU data protection authorities to consider how to wisely implement requirements that companies give consumers real notice of their practices regarding their customers’ data and obtain and demonstrate implicit or explicit consent from those consumers. Given the U.S. Federal Trade Commission’s (FTC's) repeated reaffirmation of the same principles, it too should seize this historic moment to better align consumers’ privacy needs and its enforcement efforts with the realities of how companies ascertain and act on consumers’ desires.
For nearly five decades, the goals of providing clear notice and meaningful choice for consumers concerning businesses’ data practices have been too often conceptual. Too many responsible companies failed in their attempts to achieve these goals, while others simply ignored these concepts intended to increase personal control of data in a fully digital age.
Moreover, regulators gave rhetorically forceful speeches but too often failed to give meaningful, operational guidance to companies about how to implement these concepts in ways that didn’t deter consumers from interacting with companies altogether at the cost of lost business and lost benefits to customers. Guidance from the FTC, various state attorneys general (AGs) and the EU was often impractical or poorly conceptualized for the modern reality of consumers encountering companies through small phone screens. The mandates concerning notice and choice that have poured forth were even less useful—and, perhaps even harmful—for well-known companies launching entirely new, innovative, data-driven products and services, or for brand new start-ups trying to provide products and services through apps.
Worse still, in situations where a consumer lacks any direct relationship with a company that analyzes, utilizes or manipulates the consumer’s data, there has been little regulatory action to empower consumers to help them make educated choices about control over their data. For example, regulators provide no actionable guidance to limit the vast and opaque data broker industry that buys and sells consumers’ data, including our financial, health and tax data, without ever seeking our permission. On the privacy-risk spectrum, the data brokers should shoot to the top of the list where regulators should intervene to mandate real notice and choice.
It is, therefore, time for businesses of all sizes, vintages and industries, whether offline, online or both, to push for better, context specific implementation of the concepts of notice and choice. Business should ask regulators to implement revised mandates in a manner that best aligns consumers’ privacy needs, the relationship, if any, of a businesses in the stream of commerce to the consumers whose data it handles, and the aspirations of privacy and consumer advocates and well-intentioned regulators.
Privacy regulators in the EU, at the FTC and with state AGs should focus enforcement of consumer privacy laws and regs where the greatest risk to consumers may occur as they reaffirm mandates for real notice and choice. Consumers want and need efforts focused on the most damaging privacy violations. Not all data privacy risks are created equal. They fall along a wide spectrum, from creating only theoretical risk and no tangible harm whatsoever to significant and tangible consumer industry. Mandates for the amount, type and form for providing notice and choice should also mirror this risk spectrum. Those companies that consumers intentionally interact with and whose data practices pose only theoretical risk should have to satisfy a lesser burden.
One key to analyzing the potential risk of any company’s consumer data practices is to ascertain where a company stands in relation to the consumer. Consumers every day make dozens of choices online and elsewhere to bring their business to certain companies and brands they trust and to interact with services they know or think they might enjoy. These are knowing, intentional interactions directed by consumers. This ought to form the core of satisfaction of the goals of notice and choice. Companies that consumers intentionally and knowingly choose to interact with generally should be granted greater freedoms with respect to their use of customer data than should companies that have no direct relationship with consumers. General counsels everywhere refer to these as “first-party” relationships, in contrast with the relationships that are one step removed in personal data transactions and services that are “third-party” relationships.
When a U.S. consumer willingly chooses to interact with a company, regulators everywhere ought to assume the consumer voluntarily created a relationship with a company that will collect, store, use and share the consumer's data. That’s akin to achieving clear notice and consent. If those companies fail to satisfy their privacy promises to consumers, the consumer knows whom to sue; regulators can find and fine the business at fault, and the press and Congress can name and shame the company into corrective action that, hopefully, remediates any privacy injury.
Similarly, brand-name companies that consumers know and trust should be given greater latitude to innovate with that customer data than should analytics or data brokerage companies that have little or no direct relationship with consumers. Consumers prefer brands they know and trust when they share their precious personal data. That can be a barrier to entry for start-ups and a competitive advantage for market-leading companies. Consumers, however, prefer start-ups to companies that they could never know are involved in a transaction, such as data brokers or third-party data processors.
Regulators eager to make notice and choice more than an aspiration in the future should focus additional privacy efforts on pushing third-party companies that handle data of consumers but are not connected directly to consumers to become less opaque and give consumers a means of giving permission to those companies or restricting it.
First-party companies should not be offered lesser privacy burdens unless they meaningfully satisfy their responsibilities to be transparent and get clear OKs from consumers. While we should give some first-party companies greater freedom to use our data for innovations to improve our products and services, we should ask more of them when they undertake unexpected data-driven innovations or outsource handling of our data.
When a first-party company outsources data manipulation, storage, security or collection and sharing services to a third-party company, that first-party company might need to give consumers’ notice that transfer of personally identifiable data is occurring and obtain some modicum of consent from their customers. So regulators should lessen notice-and-choice privacy burdens in favor of innovations for in-house functions and increase them for outsourced functions. Moreover, when the brand-name company that a consumer is interacting with outsources its customers' data to a third-party company, the latitude given to that first party should shrink again and more should be demanded of it unless the first party contractually binds the third party to the same privacy obligations it made to its customers.
Third-party companies should be pushed to make themselves and their role utilizing consumers’ personally identifiable information more apparent.
We don't want to foreclose data innovation with third-party companies, many of which will be start-ups, but we do want our privacy rules and privacy enforcement actions to focus on where there could be no awareness by consumers that their data is being bought and sold to a variety of companies that they've never heard of and never given permission to. It's not that we should ban these services; it's that we should encourage the market to advantage known and trusted brands and companies that interact directly with consumers over those that have no relationship with consumers that was chosen by the consumers themselves.
Privacy laws in Europe and in the U.S. fail to recognize this choice.
The companies that consumers create a knowing, intentional relationship with are being entrusted by the consumer to do things for the consumer, and we should reorient our data innovation rules around these intentionally formed relationships.
In light of the impending finalization of a rewrite of the EU's omnibus consumer privacy laws, businesses should consider whether this is a better way to encourage implementation of effective notice-and-choice mandates. Regulators across the U.S. and EU should not employ a one-size-must-fit-all assessment of when sufficient notice and choice has been achieved but, rather, align their requirements with the relative data risk and the relationship, if any, between a company and the customer whose personal data is involved.
If you want to comment on this post, you need to login.