The Growing Importance and Focus on Data Privacy in Technology


In early 2019, viral short-form video platform TikTok settled claims with American regulators that it violated data privacy laws by collecting personal information of children without their parents’ consent. At around $6 million, the settlement was the largest ever for a children’s data privacy case. Seven months later, Alphabet’s crown jewel, YouTube, was fined $170 million, a record for a fine imposed for child data privacy violations. Between those two instances, it was announced that social-media giant Facebook had reached a $5 billion settlement with the US Federal Trade Commission over its data privacy violations and improper business practices related to consumer data privacy.

These instances are all overshadowed by the fact that in May 2020, during the COVID-19 pandemic, the Privacy Commissioner of Canada made it clear that meaningful consent will still be required for any Coronavirus tracking applications and that other privacy safeguards would be required for any public health application before it could be introduced.

Why is Data Privacy Important? 

In the current digital world, companies and governments are asking their users, customers, the general public and their citizens for an increasing amount of personal information in exchange for better and more efficient services. When signing up for accounts or making purchases online, people may share their name, age, credit card numbers, medical records, email and phone numbers. Online service providers may also track users’ activities on their services or elsewhere and store that information in servers domestically or abroad. While many companies and organizations take appropriate steps to safeguard the personal information they collect, others do not, which has resulted in numerous data breaches, exposing many people to identity theft. The proliferation of new businesses and government programs that rely on applications that collect troves of information in creative ways has led to an increase in the number of avenues through which a person’s private data may be improperly collected, used or safeguarded.

What are Data Privacy Rights? 

Data privacy rights are rights conferred on individuals that may broadly cover how their information is collected, used and disclosed. These rights may vary by either the jurisdiction where a person is located or the location where the information or data is stored. In Canada, for example, people have the right to access the personal information a business has collected from them, as well as the right to be informed of the purposes for information being collected, used and disclosed. According to the European Union’s data privacy rules, citizens in the European Union and the European Economic Area have the right to access their information, the right to have the information erased and the right to withdraw their consent at any time. With the California Consumer Privacy Act having recently come into effect, California residents have the right to opt out of their data being sold and the right to know the kinds of information larger businesses possess on them. Under most current legal frameworks, when an individual’s data rights are violated, the general mechanism for recourse is to make a complaint to a regulatory body that will investigate the complaint and determine whether corrective action, a monetary penalty or both is required.

How Are Things Changing? 

Across the developed world, there is a growing consensus that protecting individuals’ data privacy is of the utmost importance. In Toronto, for example, Alphabet’s Sidewalk Labs “Smart City” project has been curtailed due to data privacy issues, and the use of ShotSpotter by the local police force was blocked due to data privacy concerns. Data breaches at well-known companies such as Facebook, Capital One, DoorDash and Equifax over the last few years have spurred government action to ensure their citizens’ data is secure. The European Union’s introduction of the General Data Protection Regulation (GDPR) in 2016 was seen as the most stringent data privacy legislation at the time, but that distinction is now bestowed on the California Consumer Privacy Act. With companies becoming more creative in how they obtain data and more data breaches predicted to occur in the future, data privacy laws globally are becoming more stringent.

Another nascent trend calls for data privacy rights to turn into property rights. Government officials in both the United States and Canada are starting to agree that individuals should have ownership rights over their information and data. By conferring property rights over people’s information and data, one likely outcome would be the main recourse for data breaches shifting from regulatory bodies fining and penalizing companies to individuals having personal claims against companies for the violation of their property rights. This change would likely make it more difficult for companies to collect private information en masse, which could be detrimental for companies employing big data, machine learning or artificial intelligence solutions that require a certain velocity of new data to properly operate.

Why Do I Need a Privacy Policy & Strategy? 

Every business that collects information from users or uses services that do so must have a privacy policy. In Canada, businesses are required to identify and inform consumers as to what information they will be collecting from them before or at the point when information starts being collected by them. When information is collected by third-party payment processors, Google Analytics or other data collectors, these third parties will generally require their customers to employ a privacy policy outlining their use to be compliant with data privacy rules.  

Privacy policies can be used strategically to create trust among users and limit potential risk. Users of a site or service will have more confidence using and trusting a service with their data when it is clearly articulated to them what information is being collected, how it is being handled, how it is being stored and the measures that are being employed to protect the information. Being able to justify the collection of certain kinds of information to users and communicate expectations can be turned into a competitive advantage. These are just some of the reasons to have a well-drafted privacy policy. 

In terms of strategy, it is important to be aware of the following considerations: 

  1. What information and data will be required from users of the service;
  2. How consent will be obtained for the collection, use and disclosure of the information and data; and
  3. Why that kind of information or data is required.

Understanding these aspects will allow a business to recognize both what information is necessary to collect from its users and what unnecessary information could lead to complications or risks. In Google’s case, it had always possessed the capability to obtain parental consent, limit the information collected from children, and prevent advertising towards children. However, without prioritizing privacy in its operations in that respect, Google unnecessarily exposed itself to liability by violating its users’ privacy rights.

For many businesses, the cost, both in time and money, of having to restructure the collection and management of private data can be massive and prohibitive, especially for start-ups that incorporate artificial intelligence, machine learning and big data. Utilizing a privacy strategy from the beginning is just one measure that businesses can use to be on the right side of the constantly changing privacy landscape.