Earlier this year, the Cambridge Analytica data scandal resulted in 87 million Facebook profiles being harvested for data. Over and over, we see scandal after scandal in which our personal data, collected by a major company, is compromised. The company admits to the occurrence, the public reacts in outrage and the company promises transparency and increased security in exchange. And although we nod our heads and say it’s enough, is it really? What happens when another company is hit and the cycle starts over again? Will enough ever be enough?
Thankfully, governments are starting to look out for us and say enough is enough. Big regulations like the GDPR are a step in the right direction when it comes to managing your personal data. Let’s take a look at how these laws and regulations are offering us more protection and forcing companies to be more transparent.
Giving in to the Giant’s Power
During the Cambridge Analytica proceedings, Mark Zuckerberg was asked to define the equivalent social media platform consumers could use if they were unhappy with Facebook. Unfortunately, no other social media platform comes close to the connectivity and social interaction that Facebook provides. Although I’m personally a fan of Twitter and LinkedIn, I can’t think of any reasonable way that I could operate 100 percent without the use of a platform that is owned by Facebook—I’m looking at you, Instagram.
What about Amazon? Can you live without Amazon? I know I can’t. The list goes on and on for every industry. But the question remains: do you know what data these companies have on you? How are they managing your personal data? Sure, as a consumer you can switch and use a competitor—simple economics, after all—but that doesn’t mean the companies that have already collected data on you will suddenly stop using it.
Managing Your Personal Data with Government Intervention
While the U.S. government hasn’t enacted any laws at the federal level, there are state laws that will soon require companies to be more transparent with the data they collect. In June, California passed the strictest data protection law to date. The California Consumer Privacy Act stipulates that companies will now have to tell consumers what types of data they’re collecting and give consumers the option to opt out of having their data sold. Companies must also have data that they transfer to third parties in a readily available format should a California resident request access to it.
This law won’t come into play until January of 2020, giving companies plenty of time to prepare for it, but most national companies who do business with California residents will have to comply with the law. Again, while it’s not a national law, it’s a step in the right direction.
The California law is similar to the GDPR that went into effect in May of this year. Any company that does business with EU residents has to comply with the law, meaning lots of U.S. companies that do business overseas have to comply or face stiff penalties. The regulation is unique in its ability to who is managing your personal data.
However, is it really enough?
A Step in the Right Direction
Like I said, the California regulation and the GDPR are a step in the right direction. However, they won’t necessarily stop disasters such as the Cambridge Analytica scandal from happening. Under the GDPR, companies must have user permission prior to collecting their data. During the Cambridge Analytica scandal, consent was not required to retrieve the personal data belonging to the friends of those who downloaded the harvesting tool. Would they be protected by the GDPR in this instance?
The California law, while strict in forcing transparency, does not have much in the way of consequences. If there is an unauthorized breach of your non-encrypted personal information—which is still widely defined—you can sue the company for up to $750. That’s it. The state attorney general could levy additional fees, but there is no set penalty like the GDPR has. And to be honest, if there is a breach, how many of us would actually take the time to pursue a lawsuit knowing we are only going to get at most $750? I probably wouldn’t. So, while companies are moving towards transparency when managing your personal data, there’s still not a lot on the line for them if they screw up.
Also, it’s worth noting that GDPR and the California laws don’t protect everyone. Companies could create data management policies for EU residents, California residents, and everyone else.
Where Are We Now?
More companies right now are limiting the types and amount of data they’re collecting. You can opt out of sharing your data with apps on Facebook. Major regulations like the GDPR have given the consumer more protection and are pushing for more transparency. We are already seeing a push to give more power back to the consumer.
The real value of our data needs to be continuously monitored. It is a commodity to companies that deal in data and regulations could have a tremendous impact on business models. I think the forward-thinking companies that put the consumer first will figure out a way to continue to use data to generate revenue but will also protect the consumer. The government will also have to step in and create more regulations and laws that ensure our protection. Consumers will also need to be more vigilant of the data we give away for free. Managing your personal data is not a job for one entity, but rather all three and will require continuous feedback and open dialogues across many levels to ensure continued protection. It might take time, and while I’m skeptical we will ever achieve a perfect balance, I do fully believe we can and will do better. Don’t you?
The original version of this article was first published on Forbes.