
7.20.23 – SIW – Arlo Gilbert

If it’s bad form to break into someone’s home and steal their valuables, organizations shouldn’t use private data without consent

From social media to work email to Googling where else you’ve seen that actor, the average person spends over six and a half hours per day online. All that online activity is not without its risks, however, and people are becoming increasingly aware of their data privacy. In fact, 85% of surveyed adults admitted wanting to do more to protect their online privacy, but 51% weren’t sure how.

Enter data privacy regulations, specifically put in place to protect consumers’ data. Overarching federal data privacy legislation has yet to pass in the U.S. But the potential remains for the American Data Privacy Protection Act (ADPPA) — which oversees how companies use AI — to become law after it passed the House Energy and Commerce Committee with nearly 100% agreement in 2022. The ADPPA has major buy-in from bipartisan legislators and constituents, with four out of five Americans supporting its contents. Even if there is no law, the smartest organizations will go the extra mile to protect consumers’ data privacy because it’s the right thing to do.

The European Union (EU) leads the way in data privacy protections, implementing the General Data Protection Regulation (GDPR) in 2018. The GDPR has served as a model for comprehensive global privacy laws. In the U.S., the GDPR influenced the creation of state-level data privacy laws, like the California Consumer Privacy Act (CCPA) enacted in 2020.

The CCPA allows California residents to access and manage their personal data, including its usage and storage. The California Privacy Rights Act (CPRA), which became effective on Jan. 1, 2023, amends the CCPA by providing clearer language and updated regulations. Noncompliant organizations face significant penalties under these laws. However, many organizations still choose to risk non-compliance.

But why such disregard for the rules? The answer is data — a rich resource for any business. Companies rely on data, and some resort to obtaining it at any cost because it:

● Influences marketing strategies.

● Helps customize consumer experiences.

● Facilitates streamlining business processes.

● And so much more.

Yet for some organizations, these ends justify willfully ignoring data privacy regulations. Ignoring these regulations has consequences, even for huge companies. Because of their dishonest data privacy practices, these organizations are the subject of lawsuits quite frequently.

Don’t Do As They Did

Facebook was recently implicated in its use of deceitful data privacy processes. Facebook shared the information of 87 million of its users with now-defunct consulting firm Cambridge Analytica — but neglected to ask for consent. Facebook’s parent company Meta paid a $725 million penalty in late 2022 to settle the class action lawsuit, even after paying a $5 billion penalty in 2019 after the FTC found it violated a 2012 privacy control order.

A different class action lawsuit filed in January 2023 accused Twitter of poor (or nonexistent) privacy practices. According to the lawsuit, a defect in Twitter’s application programming interface gave cybercriminals access to users’ personally identifiable information, including usernames, email addresses and passwords. Twitter neither notified the affected parties nor offered any remediation. This lawsuit is ongoing.

Unethical behaviors of big companies like Twitter and Facebook carry risks beyond fines and lawsuits, including damaged reputations and lost revenue. When customers learn they can’t trust an organization to protect their data, they leave. Almost half of surveyed adults have halted relationships with companies over data misgivings.

One strategy for preventing staggering fines and protecting reputation is simple: complying with guidelines imposed by the strictest data privacy regulations — the GDPR and the CCPA/CPRA. Although the GDPR is an EU law and the CCPA/CPRA applies primarily to California, following these rules will prevent data privacy backlash throughout the U.S.

Through the lens of big tech’s shortcomings, you can determine how to best manage data privacy and avoid making the same costly mistakes.

1. Avoid the loophole trap.

While it’s one of the most valuable assets in an organization’s toolbox, data’s value hinges on its honest collection. Dishonest data aggregation is unethical and can cost a company millions of dollars — just ask Google. This industry powerhouse used a “dark pattern” to influence users’ privacy decisions.

A dark pattern is a purposeful design choice manipulating users to select the option most beneficial for the organization. In this case, Google complicated its cookie consent processes. Rather than placing an equally prominent “decline” button next to “accept,” the company required users to navigate through multiple pages to refuse cookies. Most frustrated users opted to simply accept cookies because it was easier than figuring out how to opt out. The French Data Protection Act concluded that this loophole violated users’ freedom of consent, and Google paid a €150 million fine.

The FTC took action against Epic Games, Inc., the makers of the video game Fortnite, after finding the game maker violated the Children’s Online Privacy Protection Act (COPPA) and used dark patterns to trick players into making purchases. The FTC imposed a $275 million fine for the COPPA violation and mandated Epic to pay $245 million to refund customers who were victims of the dark pattern.

To avoid expensive penalties, organizations need a straightforward data collection approach that clearly explains their data collection policies, enabling users to make informed decisions about the data they choose to share — or not share.

2. Champion clarity in privacy policies.

To empower your users to make informed choices about their privacy preferences, provide transparent privacy policies. Clear policies explain what data — and why — your organization is collecting from its users.

Avoid making the same mistake as WhatsApp, which violated GDPR regulations. Between its unclear privacy policies and failure to sufficiently inform users how it processed their data, WhatsApp was fined €225 million ($250 million). To give users agency and avoid hefty fines, specify how your organization will use their collected data.

3. Gain consent before using personal data.

Your organization should never track, store or otherwise use customer data unless they’ve given explicit permission to do so. In 2021, Amazon violated GDPR compliance by failing to obtain user consent before processing personal data. This failure cost the company €746 million ($830 million) — the biggest GDPR fine levied to date.

More recently, Italy’s data protection authority banned ChatGPT countrywide in March, citing illegal user data collection by the platform’s parent company OpenAI and threatening penalty fees of up to €20 million ($22 million). ChatGPT services in Italy resumed at the end of April after OpenAI added privacy disclosures and controls like age-gating and privacy policy expansion. Although the service is again available in the country, the Italian data protection agency is still in the process of determining whether ChatGPT’s data processing violated the GDPR.

To avoid fines for skipping consent, explicitly ask before using personal data. Plenty of approaches exist, including consent forms, emails and privacy policy pop-ups. Use clear language and obvious opt-in/out options to empower your users to make the privacy decision that is best for them.
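One way to put points 1 and 3 into practice, as an added example that is not code from the article or from Osano: a consent record that defaults every purpose to “not granted,” makes accepting and declining equally easy one-step actions, keeps an audit trail of each decision, and refuses to process personal data without an explicit, recorded opt-in. The purpose names and the policy version string are assumptions chosen for illustration.

```javascript
// Added example (not from the article or from Osano). Purpose names and the
// policy version are assumptions chosen for illustration.
const PURPOSES = ["analytics", "marketing", "personalization"];
const POLICY_VERSION = "privacy-policy-v1"; // hypothetical version the user saw

// A fresh record: nothing granted, nothing decided, nothing pre-ticked.
function newConsentRecord() {
  const granted = {};
  for (const p of PURPOSES) granted[p] = false;
  return { granted, decidedAt: null, policyVersion: POLICY_VERSION, log: [] };
}

// Every decision is written to the record and to an audit log (who decided
// what, when, under which policy version) so consent can be demonstrated later.
function recordDecision(record, action, choices, now) {
  for (const p of PURPOSES) record.granted[p] = choices[p] === true;
  record.decidedAt = now;
  record.log.push({ at: now, action, choices: { ...record.granted } });
  return record;
}

// "Accept all" and "Decline all" cost the user exactly one step each, so
// refusing is never harder than accepting (the opposite of the dark pattern).
function acceptAll(record, now = Date.now()) {
  const all = {};
  for (const p of PURPOSES) all[p] = true;
  return recordDecision(record, "accept_all", all, now);
}
function declineAll(record, now = Date.now()) {
  return recordDecision(record, "decline_all", {}, now);
}

// Granular choice; unknown purposes are rejected rather than silently added.
function setChoice(record, purpose, allow, now = Date.now()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  const choices = { ...record.granted, [purpose]: allow === true };
  return recordDecision(record, `set:${purpose}=${allow}`, choices, now);
}

// Only an explicit, recorded decision counts; absence of a decision is "no".
function hasConsent(record, purpose) {
  return record.decidedAt !== null && record.granted[purpose] === true;
}

// Gate any processing of personal data on the consent record.
function processIfConsented(record, purpose, handler) {
  if (!hasConsent(record, purpose)) {
    return { ran: false, reason: `no consent for ${purpose}` };
  }
  return { ran: true, result: handler() };
}
```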

Here’s the bottom line: if you wouldn’t break into someone’s home and steal their valuables, you shouldn’t use their data without consent. It is your organization’s responsibility to do right for your customers. The most ethical organizations prioritize data protection, which enhances their reputation, increases trust and protects the bottom line.

About the author: Arlo Gilbert is the co-founder and CEO of Osano, a data privacy platform. He has 20+ years of experience in building companies in various industries. He is a high-growth leader with a track record of success.