At the heart of GDPR and California’s Consumer Right to Privacy Act 2018 (a GDPR-like law that the state’s voters will consider in November) is a simple and appropriate concept: consumers ought to have a say in how companies use their personal information. Although still somewhat vague, GDPR supposedly places the spotlight on consumer privacy by forcing action around consent.
The proposed California regulation is focused on eliminating third-party data selling by encouraging class action remedies. But perhaps we’re putting the cart before the horse. Without a clear framework for talking about privacy, consumers, advertisers and technology companies will continue to talk past each other.
What do we mean by privacy?
Ask your friends and family who don’t work in ad tech to tell you what privacy means in the digital age. Some will say there’s no such thing as privacy. Others will mention Facebook and Cambridge Analytica or rant about the NSA spying. If anyone says advertising, you’ll get an earful about the “creepy” ads that follow them around the internet. Bottom line: privacy is more of a buzzword that sends a conversation splintering in different directions than an organizing principle. That needs to change.
What should our privacy framework look like?
Personally Identifiable Information (PII), at least as it was used in the offline context, is widely accepted as a term referring to the collection of personal information. In its original context, the concern about collecting personal information was framed in terms of how PII could be used by criminals to stalk a person or steal that person’s personal information.
A good framework for talking about privacy should include two things. First, it has to be readily understood by the vast majority of consumers. Second, it should reflect the widely held views of consumers who can distinguish between information collected to do harm versus information that could be reasonably interpreted as benefiting them. If we can manage to tone down the hyperbole, maybe we can then have a meaningful conversation about privacy, user consent and permissible purpose.
We don’t have to start from scratch
HIPAA laws regarding personal health information provide a good starting point for bringing consumers into a constructive conversation about personal data. Though the laws are complex, it’s well understood that what you tell your doctor stays with your doctor.
When a doctor informs a patient that they have diabetes, that diagnosis is private information under HIPAA. The patient’s information is not being sold to Johnson & Johnson or Novo Nordisk. However, if that patient goes online to request research on their diagnosis via health sites, and they get onboarded and then receive follow-up advertising for Jardiance (a diabetic support drug), it may not be a HIPAA violation, but it would likely run afoul of GDPR and California 2018.
Receiving an ad about refinancing your mortgage because you live in a ZIP code where home prices are rising isn’t something most Americans would consider an invasion of privacy. However, if that same ad is targeted to you because your bank sold the details of your mortgage to a loan broker, who sent you a direct mail offer and targeted you with online ads, is there a meaningful difference?
Is the consumer actually harmed or put at risk by either of these offers, or would a reasonable person recognize the potential for benefit to that consumer in the offer — and understand it to be data being used for permissible purpose?
While we may be inching closer toward a protectionist posture with GDPR and California 2018, it may not be too late to start a conversation about a more nuanced digital privacy. By drawing on models like HIPAA, the Fair Credit Act and other frameworks for the sensible applications of data, consumers can actually benefit from targeted online engagements without risk of harm.