O P I N I O N
50 Very Data Hungry CEOs (Out of About 30 Million) Try to Fool Congress into Letting Them Abuse Your Data
A group of big data CEOs wrote a letter to Congressional leaders requesting a Federal privacy law which would usurp the state’s rights to protect their consumers as they see fit.
A spokesperson for Facebook responded several months ago to a reporter’s question about a New York bill requiring companies to be a data fiduciary with the response that if the bill passed (it didn’t), Facebook might as well shut down in New York. The spin doctors tried to walk that back the next day, but the reality is, if that law passed, it would require Facebook and companies like them to change their business models.
In fairness, it is difficult for companies to keep up with all the privacy laws (we help companies do that), but unless your business model requires that you sell your customer’s data to stay in business, complying is manageable, but it does take work. Unfortunately, the Facebooks and Googles of the world have made things more complex for everyone else.
The state of data privacy is roughly in the same place that cybersecurity was in after California passed it’s landmark security bill (CA SB 1386) in 2003. SB 1386 is the model that every other state drew from for enact their security laws. Now CA AB 375 (the new California Consumer Privacy Act) has already begun this process over again with privacy laws.
Even though they don’t say this, what they really want is for Congress to pass a law because they know that their lobbying billions will allow them to buy a very weak law that will nullify laws like the ones in California, New York, Nevada, Vermont and other states.
The longer Congress doesn’t act, the more states will pass strong privacy laws, because that is what consumers want and the harder it will be to get votes at the national level to obliterate rights people already have – hence the urgency from these CEOs.
The California law would allow people to sue businesses that have breaches, which would dramatically change the economics of lax security practices – right now, at the federal court level, you have to prove that you have been tangibly damaged to sue after a breach. The defense that some companies are using is that there are so many breaches, how do you know that your damage was from our breach. The California law removes that requirement to prove that the consumer had tangible damages. That alone scares the crap out of the Facebooks and Googles – and it should.
They are trying to pass this off as stopping consumers from being confused about their rights (like the right to tell Facebook not to sell your data – that is certainly confusing and hard to understand), but that is completely bull. The 6 rights that the California law gives consumers are each spelled out in one sentence and are easy to understand. For example:
- The right to know what data a company has and to get a copy of it
- The right to request that my data be deleted subject to a list of exclusions
- The right to stop a company from selling my data
- The right to equal price and service even if I tell you not to sell my data
And a couple of more rights. These rights are easy to understand and the real problem for CEOs like Amazon’s Jeff Bezos is that people will likely actually use these rights and that might force companies like Amazon to change their business models.
If companies are transparent about their data collection practices, then this is a pretty simple choice. People can choose to do business with companies that want to sell their data. Or not.
One thing that makes this conversation different than the conversation around security in 2003 is that places like Europe, Japan and a significant number of others have already given their consumers these rights, so the big data companies already have to deal with this. No matter what happens in the US, this will happen in the rest of the world.
At that point, as we are already beginning to see, the lack of a strong national privacy law in the US makes it MORE difficult and MORE expensive for US companies to compete in the rest of the world.
In Europe, the first EU/US privacy agreement, Safe Harbor, was struck down by the EU courts as not protecting EU citizens’ rights. That was replaced by Privacy Shield (which many people say was just Safe Harbor with lipstick) and Privacy Shield is being attacked in the EU courts. We do not know the outcome of that court battle, but we will soon. If the courts strike down or force substantial changes to Privacy Shield, that will make the arguments of these 50 CEOs even less intelligent. Many companies have already decided that it is cheaper, simpler and better PR to have one set of consumer friendly privacy policies worldwide.
Stay tuned; this will not end any time soon.
NOTE: This is likely a hot button topic for folks. Please post your comments to this. I promise to approve any comment that is moderately sane and rated PG or less.