Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Watch now.
Google’s $391.5 million settlement over its location tracking practices has been touted as the largest attorney general-led consumer privacy settlement ever.
But does it go far enough?
Sort of, say experts, pundits, advocates and stakeholders. There’s agreement that the case raises awareness and sets a precedent of sorts. But many still say it’s just a toe in the water in addressing the intertwining conundrum of personal data collection and protection.
“We’ve seen to date that large fines haven’t changed anything,” said Chris McLellan, director of operations at the nonprofit Data Collaboration Alliance. “And these companies can afford to absorb fines as a cost of doing business.”
Intelligent Security Summit
Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.
True, in some cases fines can be a key tool for driving corporate behavior. But in the case of a multinational company like Google, they would need to be in the billions of dollars to prompt significant policy change, said Art Shaikh, founder and CEO of CircleIt. (Consider, for instance, the fact that Google’s revenue was $257.6 billion in 2021.)
“The fines, while astronomical to the average person, are almost nothing to a company like Google, especially when compared to the amount of money they earn by providing that data improperly to third parties,” said Shaikh.
Why issues like the Google location-tracking fine keep happening
Forty state attorneys general, led by Oregon and Nebraska, struck the settlement with Google this week. It came about after it was revealed that Google had misled users into thinking they had turned off location tracking in their account settings — when, in fact, the tech behemoth continued to collect their location information.
In addition to the financial settlement, Google has agreed to “significantly improve” its location tracking disclosures and user controls starting in 2023.
It might be a sad truth, but companies continue to mishandle customer data because it is more profitable for them to do so than to find alternative revenue streams, said Shaikh.
Also, regulations and directives from regulators are not always clear, said Joseph Williams, partner of cybersecurity at Infosys Consulting.
“So, companies seem to be willing to skate on the very edge of what might be compliance so they can optimize their revenues,” he said. “When regulators disagree with where that edge is, the result is that companies get fined or pay settlements.”
Others are a little more forgiving. Matt Mudra, VP of planning and performance at Schermer, said that respected brands like Google don’t necessarily collect data improperly on purpose.
“I believe it’s more a factor of how fast privacy regulations are changing and how difficult and complex it is for these really large organizations to update their marketing technologies quickly enough to meet those fast-changing regulations,” said Mudra.
Indeed, penalties are important in holding businesses accountable when they break the rules. “But some of these fines and penalties may be enforced a little too quickly,” Mudra said. “There should be longer grace periods for companies to make good before a fine or penalty is enforced.”
The big question, said Cerby chief trust officer Matt Chiodi, is: “Will it bring the U.S. one step closer to the privacy privileges afforded automatically to EU citizens? This remains to be seen.”
McLellan posed a more existential question: “Does any organization anywhere — even multinational conglomerates with virtually unlimited resources — truly have the ability to control sensitive and personal data in its possession?”
No, he said; that’s partly because of the way today’s apps and systems fragment information into databases, data warehouses and spreadsheets. Inevitably, this leads to unrestricted copying of data for the purposes of data integration.
Google’s settlement offers “yet more proof” that real innovation without retribution requires equipping technologists with new tools and approaches, said McLellan.
“Organizations need to get serious about minimizing their use of data and start implementing strategies that introduce real control to the data they manage,” he said.
Transparency, transparency, transparency
It starts with transparency, said Mudra. Organizations must tell people how they collect and use personal data. An important part of that is providing specific examples in layman’s terms, “not technical speak.”
This includes transparency into how data policies change across regions, he said, or whether they are consistent globally.
Also, there should be a better mechanism for determining if a business has any outstanding violations regarding data privacy — and if so, it would be in those businesses’ best interest to share their plans to address those violations, said Mudra.
“Companies need to stop seeing compliance as a necessary evil, and refactor their thinking around privacy and transparency as creating value for customers,” Williams agreed.
As he put it, companies spend millions on packaging as a way to sell. “It behooves them to think of privacy as creating the same value as packaging,” he said.
Organizations should not deceive customers about whether they are actually implementing the practices that they purport to have implemented, he said. They also need to provide consumer notices upfront that are clearly articulated and easy to understand.
“Instead of being minimally compliant, why shouldn’t companies strive to be best in class?” asked Williams.
Ultimately, organizations that have respect for customer privacy at their core already have their customers’ trust, Shaikh pointed out.
This involves being vigilant about actually respecting privacy, as opposed to “paying it lip service or having shady privacy policies crafted,” he said.
Because (face it) many consumers likely won’t review policies in depth, it would be best to put together explainer videos or release semi-regular statements about the use of data, Shaikh suggested.
Simply put, “be clear and simple in your policy,” he said.
In the long run, McLellan said, “fines aren’t the answer.”
Organizations must be encouraged to use new technologies, standards and methodologies that help address the root causes of “data chaos” in the first place: silos and copies.
For instance, the Data Collaboration Alliance advocates for the Zero-Copy Integration framework, which is set to become a national standard in Canada and is gaining traction in the U.S. and Europe.
The core idea of this framework is decoupling data from individual applications and replacing copy-based data integration and data sharing with “zero copy” data collaboration, McLellan explained.
“This pioneering framework for the development of new applications is vastly more efficient, controlled and collaborative than current approaches,” he said.
The outcome for end users, partners and other stakeholders is meaningful control over data access, custodianship, portability and deletion, he said.
All told, organizations must be far more purposeful in their collection of data, and do so only where there’s a clear and transparent need for it to be collected. In fact, “purpose-based access control” has emerged as a core tenet of modern data governance, said McLellan.
What is true control?
Still, there are no instant fixes to get rid of data silos and copies, he conceded.
“Unwinding 40-plus years of the ‘app for everything, and a database for every app’ mantra will be difficult,” said McLellan.
Thus, it is best approached in two stages, he said. First, immediately treat the symptoms of data proliferation. Do this by evaluating and adopting privacy-enhancing technologies that help organizations anonymize and encrypt data, and better manage consent.
Organizations should also investigate the potential to adopt first-party and zero-party data collection practices that redirect customer and other sensitive data away from the third-party apps, he suggested. And, organizations should adopt processes and workflows that help them establish “purpose-based” data access requests.
Second, organizations should explore ways to address the root causes of data proliferation.
McLellan advised getting your CIO, CDO, application development, data and IT teams familiar with emerging frameworks like Zero-Copy Integration.
“It’s the evolution of ‘Privacy by Design,’ and signals the beginning of the end for application-specific data silos and copy-based data integration,” he said. And it is supported by new technologies including data fabrics, dataware and blockchain.
Ultimately, “how data rights and data ownership evolve will determine the winners and losers in our future economy,” he said. “We are now witnessing a fight to own the future by owning data.”
But there’s a stark truth, said McLellan: “There’s an assumption that many people have that someone, somewhere is in control of our personal information — when, in fact, nobody has true control.”