To me, the most meaningful meme of this year was “OK, Boomer” (Baby Yoda was a non-event, don’t @ me). It not only perfectly captures the very real, politically potent generational conflict going on right now, but it also reflects how completely ignored Generation X is in our current culture wars. (I feel no guilt in noting this, given that I am part of that post-X/pre-Millennial group that is the most ignored of all). X-ers, unsurprisingly, are unhappy that they’ve been passed over and, unsurprisingly, aren’t really that motivated to do anything about it. But I think this general avoidance of X-ers is unfortunate when it comes to thinking about 2019, because the best way to characterize this year, at least from a privacy and data perspective, is the most GenX response of all:
Running to Stand Still
That seems like a strange characterization for a year that began with huge promises of change and a flurry of activity. This was the year we needed to get ready for CCPA! The year when federal privacy legislation would change the way we thought about privacy! The Year Of The Privacy Professional! And, to be fair, there were some important changes this year. States other than California (Nevada springs to mind) started to change their approach to privacy, the EU and Japan agreed to the world’s largest data free trade/exchange zone, and Facebook/Google got hit for billions in penalties. Any of those headlines would have been huge news, even just a few short years ago. Today? Meh.
But why? What has changed that led to this privacy ennui, this sense that, despite monumental advances in technology and fundamental shifts in global business models, the centralization of power by AMGAF and the relative disinterest governments show in protecting privacy will continue?
One answer is the endless, needless, pointless hype. This year began with seemingly every news outlet proclaiming that Big Change was coming, and that without concerted effort, businesses and individuals would be left behind. There was no shortage of privacy “experts” who hopped on the gravy train, assuming that they could scare people into paying for advice that was, at best, generic, and, more likely, flatly wrong. There were also the repeated claims that, absent the expenditure of huge sums of money on a (completely undocumented) privacy and compliance regime, the EDPB would shut down your business, or you’d be banned from selling widgets in Sacramento. Of course, neither of those things makes sense as a starting point, but both of those things make sense if you’re trying to use fear as a lead generation strategy.
To be sure, there was also a lot of talk about what needed to be done in order to be safe from regulatory wrath — a whole lot of time, energy and money needed to be spent on new technology, new tools, and new platforms in order to be safe. Our favorite type of privacy charlatanism is the company that promises (or hints at) “GDPR Certification” — like this site, helpfully titled “GDPRCertified.eu.” Of course, there’s no such thing as GDPR certification (at least not yet), and so what these companies offer is regulatory snake oil, the chance to waste resources on tools and advice that don’t measure up. Between the massive hype and underwhelming delivery from so-called experts, many people have felt a justifiable belief that this whole “privacy regulation” stuff was not getting them anywhere.
Why Care Anyway?
What, though, were the real stakes this year? As we have already mentioned, it wasn’t as though the regulators dropped the hammer on everyone or the federal government stepped in to change the way we think about privacy. And the data hoarding approach we have consistently identified as a major contributor to bad data habits continues without any sense of abatement. So why should 2019 have been any different, and why was our “meh” response so problematic?
For reference, here are some of the less than ideal privacy and data events of this year:
- The First American Data Breach lost more than 850,000,000 American mortgage documents and records;
- Facebook exposed half a billion records on AWS; Facebook also exposed a quarter of a billion passwords in plaintext; Facebook just generally acted like Facebook;
- AT&T sold your location to bounty hunters;
- The US government uses facial recognition without your permission;
- China and India increasingly used the Internet for dystopian/authoritarian ends;
- Apple allowed contractors to listen in on recordings from your phone;
- “Smart” toys and monitors gave strangers access to kids.
If all of this is just a snapshot, why, then, aren’t we responding? Why are we locked into our “meh” response?
It’s largely a matter of conditioning. The very frequency of these events makes it likelier that we’ll become inured to their presence. And, too, the longer we go without a shift in thinking about privacy and the right way to use data, the harder it will be to make the kind of necessary changes. As new businesses open, they see a market where the wholesale collection of personal data is not only permitted, it’s a strong way to get attention from venture capital firms looking to expand their own data portfolios. The SaaS platforms and service businesses see the potential to grow by offering data-scooping and data-bundling tools to those startups, and then larger businesses, in turn, buy the newly created datasets or just buy the startups outright. It’s a tried and true method, and one that has worked so well, it’s become a model for businesses everywhere: just ask Instagram. Facebook bought the photo sharing site in 2012 for the (then) eye-watering sum of $1 billion. Today, that investment looks like a steal, and it’s for one reason: the data Facebook has been able to mine.
Given the level of attention on privacy and data, 2019 was the year everyone became aware that this is going on, both personally and professionally. We just aren’t interested in doing anything differently.
Moving on from Meh
How does all of this change, given the power of inertia and our love of data-consumption as a business model and a way of life? It will take legal and regulatory solutions, in part, to be sure. Without a feeling that there will be meaningful and painful economic consequences for persisting in the status quo, we won’t see anything change. And plans to break up Facebook or treat Google like a public utility won’t amount to anything anymore, because it isn’t just Facebook or Google that are the propagators of the problem. As we said above, millions of businesses are part of the cycle of monitoring, tracking, and profile sharing that leads to the depersonalized approach to personal data. A serious shift in enforcement priorities and financial risk will help change the laissez-faire approach to privacy and data consumption.
But more than this, we need a change in how we think about privacy (our own, and others’) and how privacy relates to data usage. We suggest asking a few simple questions before using a new tool, starting a new project, or agreeing to a new use case:
- What added benefit will this bring?
  - If it’s a personal decision, how is this going to demonstrably improve what I already do? If it’s a business decision, how does this directly tie to revenue in a provable way?
- What are the risks of what you’re planning to do?
  - This is so frequently overlooked, but it is inseparable from the first question. If you’re downloading a new app for your phone, do you read the privacy settings first? (Don’t lie, you don’t.) Do you change the tracking settings? If your company is going to buy a new dataset, can you trace its origins to a lawful exchange with a data subject who knew what they were doing? Think of it like ethical sourcing for food — if you don’t know where it came from, are you comfortable consuming it?
- Will this be legal in the near future?
  - Obviously, you shouldn’t do anything that breaks the law (free legal advice for the New Year!). But it’s not nearly enough to know what the laws are right now — you need to know what the laws will be in six months or a year. CCPA enforcement starts June 1; Brazil’s LGPD goes live February 1. Are you sure that the data architecture you’re building now is going to make sense in a few weeks? Are you taking the time to add the fields and metatags today that will make compliance with the law much, much less costly later? If you don’t know, do you know who can answer these questions?
- Is this something I’m comfortable explaining to people?
  - Are you going to use jargon to get around what you’re up to? Corporate speak about leveraging synergies in untapped resource pools of human capital, rather than saying “we’re going to track how long people watch baby pandas online?” If you can’t provide a short explanation of what you’re doing to a reasonable person, ask yourself why.
There are countless other questions you can ask, but these four should be enough to help you start the process. If you want to move beyond “meh,” you’ll need to know the reasons for using or collecting data, or for why you want to install that Ring Camera that your cousin got you this year. Because, in this case, the opposite of apathy isn’t hypermotivated activism, it’s simple knowledge. Understanding how data and privacy are an aspect of everything you do, both in a personal and a commercial capacity, is the first step to leaving “meh” behind — and that’s something we’ll all need to do in 2020.
The good news — a very un-meh sentiment — is that the past two years really have laid the groundwork for the kind of fundamental change we’re talking about. GDPR, as slow as it has been to get going, is the kind of law that defines an era, one that is just beginning. Privacy laws of any kind getting on the books in the US have been a rarity; now we see them cropping up with more frequency, and with more nuance and sophistication. And privacy-enhancing technologies are more popular with consumers today than at any time before. Was 2019 a “meh” year? Yes. But sometimes enthusiasm takes a while to build before it becomes something meaningful and transformative. We think that process has already begun, and expect it to grow to something powerful in 2020. We’ll tell you why in our first post of the new year. Until then, we hope the last bit of 2019 is anything but “meh” for all of you.