CCPA is here. Are you compliant?

CCPA is here. Are you compliant?

As of January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect and has already altered the ways companies can make use of user data. 

Before the CCPA implementation, Big Data companies had the opportunity to harvest user data and use it for data science, analytics, AI, and ML projects. Through this process, consumer data was monetized without protection for privacy. With the official introduction of the CCPA, companies now have no choice but to oblige or pay the price. Therefore begging the question; Is your company compliant?

CCPA Is Proving That Privacy is not a Commodity- It’s a Right

This legislation enforces that consumers are safe from companies selling their data for secondary purposes. Without explicit permission to use data, companies are unable to utilize said data.

User data is highly valuable for companies’ analytics or monetization initiatives. Thus, risking user opt-outs can be detrimental to a company’s progressing success. By de-identifying consumer data, companies can follow CCPA guidelines while maintaining high data quality. 

The CCPA does not come without a highly standardized ruleset for companies to satisfy de-identification. The law comes complete with specific definitions and detailed explanations of how to achieve its ideals. Despite these guidelines in place, and the legislation only just being put into effect, studies have found that only 8% of US businesses are CCPA compliant.  

For companies that are not CCPA compliant as of yet, the time to act is now. By thoroughly understanding the regulations put out by the CCPA, companies can protect their users while still benefiting from their data. 

To do so, companies must understand the significance of maintaining analytical value and the importance of adequately de-identified data. By not complying with CCPA, an organization is vulnerable to fines up to $7500 per incident, per violation, as well as individual consumer damages up to $750 per occurrence.

For perspective, after coming into effect in 2019, GDPR released that its fines impacted companies at an average of 4% of their annual revenue.

To ensure a CCPA fine is not coming your way, assess your current data privacy protection efforts to ensure that consumers:

  • are asked for direct consent to use their data
  • can opt-out or remove their data for analytical purposes
  • data is not re-identifiable

In essence, CCPA is not impeding a company’s ability to use, analyze, or monetize data. CCPA is enforcing that data is de-identified or aggregated, and done so to the standards that its legislation requires.

Our research found that 60% of datasets believed, by companies, to be de-identified, had a high re-identification risk. There are three methods to reduce the possibility of re-identification: 

  • Use state-of-the-art de-identification methods
  • Assess for the likelihood of re-identification
  • Implement controls, so data required for secondary purposes is CCPA compliant

Read more about these effective privacy automation methods in our blog, The business Incentives to Automate Privacy Compliance under CCPA.

Manual Methods of De-Identification Are Tools of The Past

A standard of compliance within CCPA legislation involves identifying which methods of de-identification leaves consumer data susceptible to re-identification. The manual way, which is extremely common, can leave room for re-identification. By doing so, companies are making themselves vulnerable to CCPA.

Protecting data to a company’s best abilities is achievable through techniques such as k-anonymity and differential privacy. However, applying manual methods is impractical for meeting the 30-day gracing period CCPA provides or in achieving high-quality data protection.

Understanding CCPA ensures that data is adequately de-identification and has removed risk, all while meeting all legal specifications.

Achieving CCPA regulations means ditching first-generation approaches to de-identification, and adopting privacy automation defers the possibility of re-identification. Using privacy automation as a method to protect and utilize consumer’s data is necessary for successfully maneuvering the new CCPA era. 

The solution of privacy automation ensures not only that user data is correctly de-identified, but that it maintains a high data quality. 

CryptoNumerics as the Privacy Automation Solution

Despite CCPA’s strict guidelines, the benefits of using analytics for data science and monetization are incredibly high. Therefore, reducing efforts to utilize data is a disservice to a company’s success.

Complying with CCPA legislation means determining which methods of de-identification leave consumer data susceptible to re-identification. Manual approach methods of de-identification including masking, or tokenization, leave room for improper anonymization. 

Here, Privacy Automation becomes necessary for an organization’s analytical tactics. 

Privacy automation abides CCPA while benefiting tools of data science and analytics. If a user’s data is de-identified to CCPA’s standards, conducting data analysis remains possible. 

Privacy automation revolves around assessment, quantification, and assurance of data. Simultaneously, a privacy automation tool measures the risk of re-identification, applying data privacy protection techniques, and providing audit reports. 

A study by PossibleNow indicated that 45% of companies are in the process of preparing, but had not expected to be compliant by the CCPA’s implementation date. Putting together a privacy automation tool to better process data and prepare for the new legislation is critical in a companies success with the CCPA. Privacy automation products such as CN-Protect allow companies to succeed in data protection while benefiting from the data’s analytics. (Learn more about CN-Protect)

Join our newsletter


Big data privacy regulations can only be met with privacy automation

Big data privacy regulations can only be met with privacy automation

GDPR demands that businesses obtain explicit consent from data subjects before collecting or using data. CCPA affords consumers the right to request that their data is deleted if they don’t like how a business is using it. PIPEDA requires consumers to provide meaningful consent before their information is collected, used, and disclosed. New privacy laws are coming to India (PDPB), Brazil (LGPD), and over 100 other countries. In the US alone, over 25 state privacy laws have been proposed, with a national one in the works. Big data privacy laws are expansive, restrictive, and they are emerging worldwide faster than you can say, “what about analytics?”.

Such has made it challenging for businesses to (1) keep up, (2) get compliant, and (3) continue performing analytics. Not only are these regulations inhibitive, but a failure to meet the standards will result in astronomical fines — like British Airway’s 204.6 M euros. As such, much distress and confusion has ensued in the big data community.

 

Businesses are struggling to adapt to the rapid increase in privacy regulations

Stakeholders cannot agree whose responsibility it is to ensure compliance, they are struggling with consent management, and they are under the interpretation that removing direct identifiers renders data anonymous.

Major misconceptions can cost businesses hundreds of millions. So let’s break them down.

  1. “Consent management is the only way to keep performing analytics.”

While consent is essential at the point of collection, the odds are that, down the road, businesses will want to repurpose data. Obtaining permission in these cases, due to the sheer volume of data repositories, is an unruly and unmanageable process. A better approach is to anonymize the data. Once this has occurred, data is no longer personal, and it goes from consumer information to business IP.

2. “I removed the direct identifiers, so my data is anonymized”

If this were the case, anonymization would be an easy process. Sadly, it is not so. In fact, it has been widely acknowledged that simply redacting directly identifying information, like names, is nowhere near sufficient. In almost all cases, this leaves most of the dataset re-identifiable.

3. “Synthetic data is the best way to manage emerging regulations.”

False! Synthetic data is a great alternative for testing, but when it comes to achieving insights, it is not the way to go. Since this process attempts to replicate trends, important outlier information can be missed. As a result, the data is unlikely to mirror real-world consumer information, compromising the decision-making process.

What’s evident from our conversations with data-driven organizations is that businesses need a better solution. Consent management is slowing them down, legacy approaches to anonymization are ineffective, and current workarounds skew insights or wipe data value.

 

Privacy automation: A better approach to big data privacy laws

The only manageable and effective solution to big data privacy regulations is privacy automation. This process measures the risk of re-identification, applies privacy-protection techniques, and provides audit reports throughout the anonymization process. It is embedded in an organization’s data pipeline, spreading the solution enterprise-wide and harmonizing the needs of stakeholders by optimizing for anonymization and preservation of data value.

This solution will simplify the compliance process by enabling privacy rules definition, risk assessments, application of privacy actions, and compliance reporting to happen within a single application. In turn, privacy automation allows companies to unlock data in a manner that protects and adds value to consumers.

Privacy automation is the best method for businesses to handle emerging laws and regain the mission-critical insights they have come to rely on. Through this approach, privacy unlocks insights.

Join our newsletter


De-identify your data, or be in violation of CCPA

De-identify your data, or be in violation of CCPA

On January 1, 2020, California implemented a landmark law that is reshaping data analytics and data science worldwide. This is the day the CCPA became effective, and businesses’ consumer data became a significant legal and financial risk to the company. 

While the tech industry has tried to restrict the legislation since its birth, its lobbying efforts have fallen short. In one month, business as usual will result in class-action lawsuits. At this time, Californians will enjoy a new set of privacy rights and regain ownership over their own information.

 

CCPA transforms data from a commodity to a privilege that can be revoked

Under the CCPA, Californians will be able to demand access to the data that companies collect on them, and how they have used it. Not only does this put the onus on businesses to manage verifiable consumer requests, but also to ensure that all collection and uses of data are in the best interest of people.

However, the CCPA is much more extensive than that. Businesses not only have to give customers access to the data they have on them but have to inform them and provide the opportunity to opt-out or request deletion when they want to leverage that data.

Through de-identification, businesses unlock consumer insights

Under the CCPA, if you want to use data beyond the original purpose for which it was collected, you have two choices:

  1. Inform consumers of every data use and risk deletion requests, or
  2. De-identify the data.

The first option is impractical. The second is possible, but not through traditional methods of privacy protection. Our research demonstrates that at least 60% of datasets that are thought to be de-identified are not de-identified. The result is that most organizations will be unknowingly violating the CCPA.

Every time data is used in a way that violates the CCPA, businesses risk $7500 in civil penalties and $750 in statutory damages per consumer.

To avoid this, businesses need a guarantee that their data has been de-identified. This is something only an automated risk assessment tool can provide. Yet, “according to Ethyca, more than 70% of companies have not built any sort of engineering solution for policy compliance.” (Source)

 

Traditional anonymization strategies will not satisfy CCPA.

Traditional approaches to anonymization are unreliable, ineffective, and often wipe the analytical value of the data. Legacy approaches, like masking, were never intended to ensure privacy. Rather, these were cybersecurity techniques evolved in a time when organizations did not rely on the insights derived from consumer data. 

Manual approaches, where risk and compliance teams restrict access to data lakes and warehouses, impede business goals. Worse, they are cumbersome, involving significant and impractical overheads. The volume and velocity at which data is accumulated in data lakes make traditional methods of anonymization impractical. 

It is only possible to truly anonymize data to a CCPA-compliant level and retain the analytical value of the data by using a solution that optimizes for a reduced privacy risk score and minimal information loss. 

Consequently, to continue deriving insights in the CCPA-era, enterprises need to invest in optimized anonymization now. Combining advanced privacy-preserving techniques with privacy risk scoring will allow for a balance between privacy compliance and business insight goals.

By handling indirect or quasi-identifier information carefully – and using advanced privacy-protecting techniques like k-anonymity and differential privacy – enterprises can have the best of both worlds. Compliance and data science success.

However, this privacy stance cannot be achieved manually. It requires a dedicated, automated, specialist privacy platform. 

 

Avoiding the de-identification illusion

To ensure this de-identification process is defensible, businesses must understand, to a high degree of accuracy, the proportion of records that would be correctly identified in a given dataset by an attacker. This is what is known as a privacy risk score, and is based on the principle of Marketer Risk. The methodology is approached from the perspective of someone who wished to re-identify as many records as possible in a disclosed dataset. 

From this point of view, businesses are able to gain an accurate understanding of how privacy actions affect their dataset, and continue to adjust their techniques until an acceptable risk threshold is met (Learn more: https://cryptonumerics.com/privacy-risk-score).
If businesses invest in privacy risk scoring and advanced protection solutions, they can ensure privacy compliance is automatically enforced throughout their data pipeline. Effective anonymization leaves data monetizable and provides a necessary degree of certainty for leadership that analytics will not harm your business. Anonymization is the only viable solution for data-driven companies to meet CCPA-regulations without harming their business model.

Join our newsletter


2019 was a game-changing year for data privacy

2019 was a game-changing year for data privacy

Amidst the rise of data science and analytics years ago, concern for privacy faded. This year, that sentiment has been eradicated. Data privacy and governance are of great significance, fuelled by an increase of regulations and consumer awareness.

2019: the year of privacy awareness

Last year, the General Data Protection Regulation (GDPR) was implemented. Today, more than 100 countries have developed data protection laws. This shift signals the quickly growing significance of privacy to the average person, and the relevance to business operations.

While regulations are increasingly being adapted and standardized, the rapid trajectory of stricter governance and requirements is unavoidable. Regulations are evolving and spreading across the globe with a vengeance. In particular, GDPR has showed some teeth, actioning €405,871,210 in fines. 

In turn, anonymization has jumped in popularity as a method for avoiding significant fines and regulatory penalties by taking data out of scope. But, organizations are benefiting from their privacy investments beyond compliance. 

 

Growing investment in privacy

In a survey by Cisco, 97% of companies who have made investment in privacy, have experienced at least one of the following benefits:

  1. Enabling agility and innovation from having appropriate data controls (42%)
  2. Gaining competitive advantage versus other organizations (41%)
  3. Achieving operational efficiency from having data organized and catalogues (41%)
  4. Mitigating losses from data breaches (39%)
  5. Reducing sales delays due to customer concerns (37%)
  6. Gaining appeal with investors (36%)

Consequently, this year we watched privacy protection transform from a burden to a competitive advantage that encouraged companies to maximize their investments and achieve a standard beyond that which is expected by regulations. However, most organizations still have a long way to go to achieve that.

While we expect privacy-preserving solutions to be increasingly implemented next year, 2019 was all about a shift in perception. Privacy is important! Privacy is important! Privacy is important!

 

Our ten favourite achievements of 2019

1. Microsoft announced they will honour CCPA-compliant protocols across their US operations.

Microsoft is making privacy moves, and we respect that. In November, they vowed to afford all US residents with the “core rights” outlined in the landmark state privacy law. This includes the Right to Know, Right of Access, Right to Portability, Right to Deletion, Right to be Informed, Right to Opt-Out, and Non-Discrimination Based on Exercise of Rights.

2. Apple rewrote their privacy page.

Apple’s privacy page explains how they’ve designed their devices with their consumers’ privacy in mind and set the standard for taking consumer privacy seriously. 

We covered this earlier. Read this post to learn more.

3. Twitter launched a privacy centre to centralize data protection.

Earlier this month, Twitter launched the Twitter Privacy Center, a resource aimed at centralizing the business’s data privacy efforts. We believe a centralized and easily approachable platform like this is the future of privacy communication.

4. GDPR is holding businesses accountable and setting precedent.

With €405,871,210 in fines announced, GDPR is doing a lot of work to bring businesses’ privacy procedures up to date. What’s more, it is spurring and inspiring similar legislation worldwide. Importantly, GDPR is sending the message that businesses cannot act without first considering their consumers.

We have written about the impact of non-compliance on businesses extensively. Check out this piece on Deutsche Wohnen SE.

5. Google launched their own open source differential privacy library

Google has come under scrutiny recently over their privacy practices, and rightly so. Between Project Nightingale, the acquisition of Fitbit, and their oversharing with the University of Chicago Medical Center, Google has made some very poor choices for consumers this year. However, one success that we commend is the new open source library that institutes differential privacy. Learn more here.

 6. The rise of second-party data, and rejection of third-party marketplaces.

Amongst the new wave of privacy regulations and demand for transparency, achieving the same level of understanding has become a challenge. It has also increased the risk of using third-party data because businesses cannot trust that the outside sources have met compliance regulations or provided accurate data. Consequently, more are turning to second-party data sources.

7. More than 25 state privacy laws were proposed to address consumer data rights in the United States.

Currently, 25 US states have data privacy laws that govern the collection, storage, and data usage of residents. This is a significant improvement, stimulated by GDPR, that is encouraging the development of a national privacy law.

8. Consumers called out businesses for not respecting their privacy.

It’s not only government pushing businesses to be more privacy-conscious; customers are also leading the way. For example, when Google acquired Fitbit, users tossed their devices. These actions are pushing the privacy movement forward and making a real impact on the nature of insights to date. Read more on this here.

9. Privacy has become a key message in the upcoming US presidential election.

Data privacy has become a major campaign issue in the upcoming election, signalling the importance of the topic to citizens. We love hearing this shift in rhetoric and are excited that candidates have been encouraged to speak to its importance.

10. CN-Protect was launched.

CryptoNumerics is on a mission to ensure privacy protection is not detrimental to businesses. We believe privacy and insights can exist in conjunction. That’s why we launched CN-Protect, a solution to optimize anonymization and data retainment. It is the ideal solution to get compliant while realizing the business benefits of a privacy focus.

2019 has been a game-changing year for data science and privacy, both for those who failed to meet compliance standards (hello, massive fines!), and those who reaped the economic benefit of their privacy investment. If 2018 was the year of regulations, 2019 is the year of privacy awareness. We expect 2020 will be consumed with privacy action.

Join our newsletter


The top five things we learned about privacy in 2019

The top five things we learned about privacy in 2019

2019 has been a trailblazing year for data privacy, that left us with a few clear messages about the future. We’ve collected our top lessons to help inform your privacy governance strategy moving forward.

1. Privacy is a multi-dimensional position: legal, ethical, and economic

Since the implementation of GDPR in May 2018, people have been quick to consider privacy from a legal perspective – as something that must be mitigated to avoid lawsuits and regulatory fines. In doing so, they have all missed the other important factors to consider: the people and the data utility advantage.

When your business collects consumer information, it is important to remember that this is personal data. As such, there is an intrinsic duty and trust linked to the collection. There is an ethical responsibility to do right by your customers, determining that you will only use their data for reasons they are aware of and have consented to, and that you will not share the data with others. Responsible data management is fundamental to your relationship with customers, and it will have a significant advantage to your business to do so.

Economically speaking, positioning your business as a privacy leader is the best strategy, and not only from a brand perspective. If you anonymize personal information, your analysts will have increased access to a valuable resource that can help improve strategy and a product or service.

2. Privacy is not one-size-fits-all

Consumer data contains an inherent privacy risk, even after it has been de-identified. That is why a privacy risk score is essential to understanding the effects of privacy protection methods. Even if you mask the data, you don’t know how successful your process was until you assess the re-identifiable risk. That is why we believe a privacy risk score is so fundamental to the anonymization process.

However, we’ve learned that a score also enables businesses to customize their personal risk thresholds based on activities.

Such is important because businesses do not use all of their data to undertake the same activities, nor do they all manage the same level of sensitive information. As a consequence, privacy-preservation is not a uniform process. In general, we suggest following these guidelines when assessing your privacy risk score:

  • Greater than 33% implies that your data is identifiable.
  • 33% is an acceptable level if you are releasing to a highly trusted source.
  • 20% is the most commonly accepted level of privacy risk.
  • 11% is used for highly sensitive data.
  • 5% is used for releasing to an untrusted source.

3. Automation is central to protecting data assets

Old privacy solutions are no match for modern threats to data privacy. Legacy approaches, like masking, were never intended to ensure privacy. Rather, these were cybersecurity techniques evolved in a time when organizations did not rely on the insights derived from consumer data. 

Even worse, many businesses still rely on manual approaches to anonymize the data. With the volume and necessary precision, this is an impossible undertaking doomed for non-compliance.

What businesses require to effectively privacy protect their data today is privacy automation: a solution that combines AI and advanced privacy protection to assess, anonymize, and preserve datasets at scale.

4. Partnerships across your business teams are essential

Privacy cannot be the role of one individual. Across an organization, stakeholders operate in isolation, pursuing their own objectives with individualized processes and tools. This has led to fragmentation between legal, risk and compliance, IT security, data science, and business teams. In consequence, a mismatch between values has led to dysfunction between privacy protection and analytics priorities. 

In reality, privacy has an impact on all of these figures, and their values should not be pitted against each other. In today’s regulation era, one is reliant on the other. Teams must establish a unified goal to protect privacy in order to unlock data. 

The solution is to implement an enterprise-wide privacy control system that generates quantifiable assessments of the re-identification risk and information loss. This enables businesses to set predetermined risk thresholds and optimize their compliance strategies for minimal information loss. By allowing companies to measure the balance of risk and loss, privacy stakeholder silos can be broken, and a balance can be found that ensures data lakes are privacy-compliant and valuable.

5. Privacy is a competitive advantage

If you want to take cues from Apple, the most significant is that positioning privacy as central to your business is a competitive advantage. 

Businesses should address privacy as a component of their customer engagement strategy. Not only does compliance avoid regulatory penalties and reputational damage, but embedding privacy into your operations is also a method to gain trust, attention, and build a reputation for accountability. 

A Pew Research Center study investigated the way Americans feel about the state of privacy, and their concerns radiated from the findings. 

  • 60% believe it is not possible to go through daily life without companies and the government collecting their personal data.
  • 79% are concerned about the way companies are using their data.
  • 72% say they gain nothing or very little from company data collected about them.
  • 81% say that the risks of data collection by companies outweigh the benefits.

Evidently, people feel they have no control over their data and do not believe businesses have their best interests at heart. Break the mould by prioritizing privacy. There is room for your business to stand out, and people are waiting for you to do so.

Privacy had a resurgence this year that has reshaped law and consumer expectations. Businesses must make protecting sensitive information a business priority across their teams by investing in an automated de-identification solution that fits their needs. Doing so will improve the customer experience, unlock data, and serve as a differential advantage with target markets. 

Privacy is not only the future. Privacy is the present. Businesses must act today.

Join our newsletter


Privacy as a commodity deepens inequality

Privacy as a commodity deepens inequality

Privacy is fundamental to societal and consumer values. Consequently, people have demanded privacy regulations to bar businesses from secretly monetizing their sensitive information. Yet, new policy proposals suggest treating data as a commodity will rebalance the relationship between Americans and the technology industry. Implementing legislation of this form perpetuates a future of data colonialism and threatens to disproportionately strip low-income communities of their privacy rights. 

Americans value their privacy and expect businesses to respect it

The last few years have embodied a transformation of data value. Often it is referred to as the new oil, encompassing the proliferation of business insights and the impact of such on business revenue. However, since the beginning of GDPR talks, a wave of concern over the disregard of people’s privacy has occurred. This has lead privacy and insights to be portrayed as polarizing priorities, with businesses and consumers shaping opposite ends of the argument. While such needs not be contrasted amidst the launch of advanced privacy-protecting and insight-preserving technology, people’s fight to be protected signifies a clear prioritization of their privacy.

In support of this, a new privacy bill, dubbed the Consumer Online Privacy Rights Act (COPRA), was proposed by Democratic senators on Tuesday that may be the push needed to implement a federal privacy bill in America.

This is intended to afford US citizens similar rights to their EU counterparts under GDPR. COPRA would:

  • Allow subjects to request what data companies are holding on them and ask for it to be deleted or corrected
  • Require explicit consent for companies to collect and share sensitive data
  • Forbid companies from collecting more information than is reasonable to carry out the service consumers signed up for
  • Necessitate CEOs of data-collection companies will have to annually certify that they have “adequate internal controls” and reporting structures to be compliant 
  • Capacitate private-citizens lawsuits over data collection become a possibility

Sen. Maria Cantwell (D-Wash.) declared that “In the growing online world, consumers deserve two things: privacy rights and a strong law to enforce them.” Steve Durbin, manager director of the Internet Security Forum, seems to agree, writing in an email,  “What is clear is that privacy is becoming more of an issue in the United States.”

This week, a new Pew Research study questioned how these values impact Americans’ view of smart speakers. It demonstrated that more than half of Americans are concerned about data privacy and that 66% of respondents were not willing to sacrifice more data for more personalization.

As smart speakers continue to grow in popularity, data privacy concerns will continue to rise. However, consumers are making decisions as to where to buy based on the privacy stance of the brands. Such is seen in the fact that Google has negative growth in the market share (-40.1%) in light of their GDPR-fine, secret harvesting of medical records, and acquisition of Fitbit. 

Learn more about how consumer purchasing decisions rely on product privacy in our blog: https://cryptonumerics.com/blog/consumer-purchasing-decisions-rely-on-product-privacy/.

Treating data as a commodity effectively monetizes your privacy rights 

In mid-November, Democratic candidate Andrew Yang proposed a four-prong policy approach to tackle the inadequacy of American privacy legislature today. Part of this plan is what is referred to as “data as a property right.” The idea is that people should profit from the money companies make collecting and monetizing their personal data. That is to say that, businesses would provide consumers with data payments if they chose to give them access to their personal information.

While the proposal seeks to rebalance the American relationship with big tech, this model will normalize the idea of privacy as a commodity, and disproportionately strip low-income communities of their data privacy.

Ulises Mejias, an associate professor at the State University of New York, explained that “Paying someone for their work is not some magical recipe for eliminating inequality, as two centuries of capitalism have demonstrated.” This argument signals that not only would treating data privacy as a commodity not rebalance the power, but will normalize systemic “data colonialism.”

In the article, “Data Colonialism: Rethinking Big Data’s Relation to the Contemporary Subject,” researchers Couldry and Mejias suggest that continuous tracking “normalizes the exploitation of human beings through data, just as historic colonialism appropriated territory and resources and rules subjects for profit.” Such is based on the unprecedented opportunities for discrimination and behavioural influence that would only be scaled if data goes up for sale.

The reality is, if data is considered a commodity, people would not be selling their data, but their privacy. After all, there are no reasonable statistics to determine the value of data, “[t]here’s no going rate for Facebook likes, no agreed-upon exchange rate for Instagram popularity.” (Malwarebytes Labs) So, the question becomes, not how much am I willing to sell my age information for, but how much do I value the safety afforded with location secrecy and right to non-discrimination based on sexual orientation, for example. 

When data is a commodity, private information that individuals should choose whether or not to disclose becomes transactional. “It’s much easier for a middle-class earner to say no to a privacy invasion than it is for stressed, hungry families, Marlow said.” (Malwarebytes Labs) In essence, treating data as a commodity is like a pay-for-privacy scheme, designed to take advantage of those who need extra money.

When the world is pushing for data privacy to be considered a fundamental human right, moves to monetize privacy reflects the historic appropriation of resources and people. Data colonialism will disadvantage those in low-income communities and regress the revolution of privacy prioritization.

An alternative way to empower autonomy over consumer data is to regulate Privacy by Design and Default. Businesses should embed privacy into the framework of their products and have the strictest privacy settings as the default. In effect, privacy operations management must be a guiding creed from stage one, across IT systems, business practices, and data systems.

This promotes anonymization as a solution and leads to a future where business insights and consumer privacy are part of a common goal. In revoking the commodity nature of the Yang proposal, we rescind the deep-seated inequality ingrained in pay-for-privacy schemes while accomplishing the original intent and building a better future. Privacy is not a commodity, it is a fundamental human right.

Join our newsletter