To say consumers have embraced a digital lifestyle would be a huge understatement. That structural shift in how we conduct our lives, transact, consume content, pay bills and so forth has led companies to respond with new services and points of connection while others have sought to leverage all the data crumbs to be collected and monetized along the way. We recently discussed the growing threat of cyber vulnerabilities but there is also the growing concern over digital data privacy. So much so, that we are seeing data regulations being enacted across the globe, and the fines associated with these regulations can not only do serious financial harm to a company found in violation, but they also open up a new attack incentive for bad actors.

Privacy concerns aren’t new

“Caveat Emptor” is a legal doctrine that has been in use since the Middle Ages and has traditionally been applied to transactions involving property. Over time it has been adapted to describe the responsibility of any buyer to be aware of “what they’re getting [them]selves into." Back in the days of physical goods, this was a fairly easy doctrine to follow and if there was an issue, there were rules around returns. Services were a little trickier but again, there was (oftentimes) common sense, contracts and if those failed, courts. Physical goods and services are still a large part of the global economy, as is companies' desire to find better and better ways to identify, serve, and expand their customer base.

That desire to "know your customer" used to be relegated to satisfaction surveys or, if the company had a big enough budget, third-party administered focus groups. As dealing with customers moved to a digital experience, companies found they could grab much more detailed information about how customers interacted with them as everything from keystrokes to mouse movements could be captured and analyzed. Prior to the internet, companies could only know what their customers purchased but in today's e-commerce world, companies know not just what you've purchased but everything you've put in your cart and then removed or even simply looked at and in some cases, where you are physically located when you do all of this.

So far, this is not extremely invasive. But what has been happening is that while customers might expect the merchant they deal with to scrape this kind of data, they didn't necessarily expect that the web browser they were using, as well as any number of third parties, were also capturing this information about that transaction ... as well as everything else they did online.

Online privacy begins with your browser...

There are two browser add-ins we use and tell friends to use. One is AdBlock and the other is Privacy Badger. To give you an idea just how effective these utilities are, when we access the AT&T (T) owned CNN home page in Google Chrome, for example, AdBlock shuts down 28 ads and Privacy Badger stops 34 different trackers from scraping user activity on the site. To be unbiased, the numbers on the Fox Corporation (FOX) run Fox News website are 2 and 32, respectively. We’re not sure of the cause of the difference in AdBlock stops but believe it has to do with the Acceptable Ads Program offered by the company. Some developers have taken data privacy quite seriously and have integrated privacy-preserving precautions (say that 5 times fast…) into the DNA of their browser product. For example, when I open the aforementioned sites in the Brave browser, Privacy Badger blocks only 5 trackers on CNN because the native privacy protection is already blocking 56 (!) items. Fox News? The browser shuts down 25 items and Privacy Badger blocks an additional 16 trackers. Ad blocking technology is built into the browser, so no additional add-ins are needed.

So we’ve given you some tips on how to manage unknown parties who want to observe your online activities but what about the data that you need to provide companies to do business with them?

...but that is only the beginning of privacy concerns

What about personal information like your name and address or financial information like your credit card or bank account numbers and codes? Clearly, any fraudulent use of financial data can be tracked and remedied, but what about your personal information or even information the company has acquired as you’ve done business with them?

Up until recently, your personal data security had been solely at the mercy of the IT and network group at your favorite retailer. If they got hacked, then you would expect to receive a notice of the hack a few months after it was discovered (which could be more than a few months or even years after the hack actually happened) and be told that they have graciously signed you up for n months of credit monitoring through a company like Norton LifeLock (NLOK) and how profusely sorry they are “that this happened.” Affected customers can always attempt a class action lawsuit (assuming your contract with the company doesn’t involve an arbitration clause) but that takes a lot of time and money. Further, we have now established that customer information needs to be protected in the same way that products need to be produced and sold so that they do not harm their users (in moderation and when used responsibly in some cases, or not at all in others). And of course, how is this achieved? Say it with me - Regulation!

Privacy regulations ahoy

According to a recent Deloitte US Consumer Data Privacy study, nearly half of US consumers (47%) feel they have little to no control over their personal data, and one in three has had their data compromised.

As some might have expected, Europe has taken the lead in producing a regulatory framework to enforce data protection standards. The General Data Protection Regulation (GDPR) was adopted in April of 2016 and became effective in May of 2018. It is important to note that unlike some other initiatives, GDPR is not a guideline or suggestion, it is the law and prescribes not only clear standards of care for customer data collection, storage, and transmission (as well as how customers can interact or suppress their data) but also very clear outcomes for those companies that fail to maintain these standards.

GDPR fines (administrative fines) can be as high as €20 million or 4% of annual global turnover, whichever is higher. Before GDPR’s enforcement, the maximum fine for any data protection violation was £500,000 ($624,000).

So far there have been several high profile GDPR fines levied. British Airways faced a record $230 million fine after its website failure compromised the personal account details of roughly 500,000 customers. That $230 million fine is roughly 1.5% of British Airways’ annual revenue.

Separately, Marriott International was slapped with a fine of just over $124 million for exposing a variety of personal data in 339 million guest records globally.

In the United States, a similar regulation has been passed in the California Consumer Privacy Act (CCPA). The CCPA went into effect on January 1, 2020, with final guidelines expected by 60 calendar days after July 1, 2020, given an extension granted due to the COVID-19 pandemic. Eyeing the calendar as we tend to do, this means we should be hearing more about this in the coming weeks.

The CCPA brings with it a host of new regulations that will significantly restrict how brands collect and manage the consumer data that has fueled the growth in digital advertising. The law will require an “opt-out” button on every page of every website, allowing consumers to easily tell companies that they don't want any of their data to be harvested, managed, and/or sold. Consumers can also tell tech companies, publishers, or brands to delete their data. People may also opt-out of a company's terms of service without losing access to its offerings. Companies are also barred from selling data on anyone under the age of 16 without explicit consent.

In terms of fines for those found violating these and other associated regulations, the CCPA sets out a per user fine of $100 - $750 or actual damages (whichever is larger) for even an unintentional breach. What this means is a relatively small web service with 1 million accounts could be fined $100 - $750 million, a sum that could put them out of business. As the CCPA marches toward finalization and implementation, additional American legislation is winding its way through various statehouses in the US.

The next state to watch will be New York with its Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which went into effect in March 2020. The SHIELD Act expands the definition of "personal information" to include not only name and address data but also biometric data, login usernames or email addresses and security questions, or any combination of those items, whether encrypted or not.

As a reminder that data privacy is a global concern, the substantive part of Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais - Law No. 13,709/2018; LGPD) takes effect August 16, 2020. Those looking to sink their teeth into LGPD to better understand how it compares to GDPR and CCPA can read further here.

Final thoughts

Canvassing news headlines, it seems a day doesn’t go by that we don’t learn of a new digital privacy violation. While we were writing the above, France’s data privacy watchdog CNIL announced it had opened a preliminary investigation into Chinese-owned video-sharing app TikTok after it received a complaint in May. In June, the European Data Protection Board (EDPB) said it would set up a task force to assess TikTok’s activities across the bloc after a request from an EU lawmaker concerned about its data collection and security and privacy risks. And U.S. officials have said TikTok poses a national security risk because of the personal data it handles. In our view, this potentially complicates things for any would-be TikTok suitors, such as Microsoft (MSFT) and others. It also likely means privacy-focused Apple (AAPL), which had reportedly been talking to TikTok, will probably take a hard pass on the company.

The data privacy regulations described above, and those being formulated elsewhere, will have massive implications, ranging from altering existing business models and adding a new layer to corporate due diligence to opening up new cyber attack vectors. Entering 2020, we at Tematica Research believed digital privacy would be a key topic in 2020 and beyond, and we see no reason to change that view.

