Every story exploring how much data companies have on us can be quite scary, and one new piece (in The New York Times) is no exception. We learn that more than 75 companies draw specific data from apps designed to serve up benign information, such as news and weather; some of those businesses track 200 million mobile devices in the U.S.; and details on movement, purchases, etc. are updated thousands of times a day. Not so long ago, the most sophisticated intelligence services couldn’t track known spies with such precision.
That’s why we’re now seeing some of the biggest names in the freewheeling technology industry not only accepting the idea of greater regulation but advocating it. Apple CEO Tim Cook recently gift-wrapped this shift by acknowledging that the free market isn’t working, and more legislation is inevitable.
At this point, debating the merits of more government involvement is a waste of time. It’s coming—and we’ll probably see the first outlines of the eventual legislation within the next few months. Yes, 2019 could be a big year in ways we can’t imagine yet.
So are companies ready? Are the industries and functions most likely to be affected by a wave of mandates prepared to change their ways? The painful answer is no—and that’s even before they get a full picture of what data they own, where it resides, and who else has access to it.
A little context here. First, we’re not getting more regulations because some executives believe the market isn’t working. (If that were the case, we’d be seeing more government interference in every field.) This is happening in part because data is a unique component of every business transaction and personal interaction, and we generate so much of it now that some degree of oversight—self-imposed, industry-guided or government-mandated—is probably a good call.
Second, look across the pond. The European Union (EU) and the European Economic Area (EEA) have given us GDPR—the General Data Protection Regulation, a sweeping set of laws designed to give individuals more control of their personal data. Among many stipulations, no data can be processed unless it’s specified in the regulation, or consent has specifically been granted (and can be revoked at any time). Sound reasonable? Sure, but GDPR only went into effect this summer, and Google’s already been accused by seven countries of violating it.
Next, it’s not happening only in Europe. This summer we got the California Consumer Privacy Act (CCPA), which is scheduled to go into effect in 2020. There are tweaks still to come, but the outlines are already clear: CCPA grants residents of the Golden State the right to know what personal data is being collected about them and how it’s being used or disclosed, and to prevent the sale of this information.
To be fair, CCPA is not GDPR lite. For example, it bypasses one critical issue that’s embedded in the European law—that permission must be tracked on a company-by-company basis. However, it does introduce some different issues, such as the lack of a distinction between identifiable and pseudonymous data; this creates problems when we seek to apply verification criteria to compliance requirements.
More importantly, in a borderless digital economy, state lines represent a more fluid dynamic than ever before. And of course, what happens in California ... happens in a whole lot of other places. We’re going to get a patchwork of state-specific mandates that make for a nightmare in any context.
And then there’s the ultimate concern: national mandates. It’s entirely possible that we’ll soon see the beginnings of a federal bill that, at least in some areas, supersedes state legislation. In a normal environment, this would be a natural evolution—political posturing on both sides followed by bipartisan consensus. But these aren’t normal times, and every discussion turns into a war zone.
Underlying this problem is the fact that data is not a zero-sum game. To start with, some organizations in some industries have far more consumer data in their possession than others. For example, many familiar brands and OEMs have little consumer contact, and therefore only scant first-party data. On the flip side, every retailer sits on mountains of personal information supporting business operations, and those areas are likely to be hit hardest. We could see contentious lawsuits regarding who owns what data, and who is liable for the way it’s used.
And there’s yet another factor that should get priority. Data science is less scientific than it sounds: There’s a lot of data floating around that was commissioned by one company, collated by another, analyzed by a third or fourth, and used in business initiatives by several more. Various data exchanges attach their tags and cookie IDs to each marketing campaign, for example, and capture the data, which ends up in third-party silos and servers.
It’s time companies take back the data they own—and easier compliance is just one reason for that. Sure, it’ll help with the next wave of compliance mandates and prevent asset theft. But the business benefits are even more important. Having all data in a company’s own data lake with open and extensible layers means that operations like data attribution, segmentation and orchestration can be achieved by outside vendors coming to the company with their custom apps, not the other way around. This will enhance many operations and cut costs, even as it drives numerous sales and marketing initiatives.
We don’t yet know much about future regulations. But if fear of non-compliance helps motivate enterprises to take back their data, then that’s a good thing—and it will drive better business practices.