June 27, 2022
A Brief History of Data Privacy, and What Lies Ahead
Very few concepts have undergone such rapid transformation, both in how they are understood and in the level of public awareness, as data privacy. Although the concept is not new, the meteoric growth of personal data collection over the last two decades has completely altered how people, companies, and governments look at privacy.
With the flow and analysis of personal information being central to many modern business models, particularly social media, consumers sometimes use ad-funded products without fully grasping the exchange that's taking place. The increasing frequency of data breaches and privacy enforcement actions has made businesses of all types more aware of the hazards of carelessly handling sensitive customer data.
Recently, there has been an increasing public awareness of the importance of data privacy, spurred by revelations from privacy advocates and regulators, and the general shift of our lives online. As this awareness grows, it has revealed a large gap between what companies do with personal data and what their users are comfortable with.
In this post we’ll discuss how we got to this point, where we might be headed, and how Skyflow can help companies ensure data privacy for their customers.
Privacy Before the Internet
First, I’d like to give a brief overview of how the legal concept of “privacy” has evolved in the United States. The first example of privacy legislation we can find in the United States is the 4th Amendment to the United States Constitution, which became law in 1789 and forbids illegal search and seizure of people's property by the government. Although it was not directly related to data as we now understand it, the 4th Amendment created a basic understanding that people’s property was their own and could not be interfered with without their consent.
It wasn’t until the middle of the 20th century that ‘data privacy’ began to come into focus. As data collection tools became more sophisticated, companies began to experiment with personal data collection in various forms, including mailing lists and collecting customer banking information. This data was useful as a marketing tool, making it tremendously valuable for companies.
At the same time, government services like Social Security, Medicare, and Medicaid were aggregating and storing huge amounts of personal data in order to provide necessary services to Americans. They realized the need to safely collect, store, retain, and use this data for the purposes that it was collected for, and started to develop fundamental frameworks for assessing the risks around data storage and usage. The Department of Health and Human Services created the original privacy impact assessment as a way to identify data risks, and assessments like this became a standard practice for measuring the impact of data collection on individuals.
In 1967, the Supreme Court decision Katz vs. The United States expanded the interpretation of the Fourth Amendment, which initially referred only to people and their possessions (“persons, houses, papers, and effects”), to cover anything that a person “seeks to preserve as private”. Because the basis of this case was a wiretap of a public telephone, this ruling had major implications for US residents’ expectation of privacy, particularly when using electronic devices. With this new decision, “property” encompasses more than just physical items — it includes personal information, including information that was communicated electronically.
In the 1980s, the Organization for Economic Co-operation and Development (OECD) came out with privacy best practices and principles, titled the OECD Privacy Principles. These guidelines asked simple questions, like: why are you collecting this data and how is it being used? Is it being shared, and with whom? These questions and principles would be used as the basis for much of the current privacy legislation in the United States and around the world.
Although these laws and practices were obviously not created with the internet in mind, they also form the foundation of many of the legal definitions, policies, procedures, and norms shaping privacy practices in the internet era.
Privacy in the Internet Era
In the early period of internet adoption, the concept of ‘privacy’ was secondary to the focus on ‘security’. As early internet users got used to remembering passwords and using email, companies had to devise new ways to prevent fraud and data theft. For the average user, privacy and security were one and the same — there wasn’t yet an idea of data being used beyond its explicit purpose, let alone being sold to advertisers.
This changed with the rise of companies like Google, who developed a way to leverage user data to improve the relevance of search results and the effectiveness of online advertising. Google’s business model allowed users to benefit from a free and highly useful search engine and other apps while advertisers could benefit from improved ad targeting informed by their searches and behavior. This model would really take off with the introduction of social media sites like Facebook and Twitter.
Once the value of this model became clear, the sophistication increased. Data-driven algorithms were used to predict the behavior of consumers, with results that some found alarming. This led those in the space to self-regulate online advertising without laws (similar to PCI compliance), along with efforts to educate consumers about the use of their sensitive personal data. Two examples of this self-regulation are the addition of “Why this ad?” prompts on targeted ads and the creation of tools by the Digital Advertising Alliance to let consumers opt out of browser-level ad customization.
Despite these efforts, many consumers still didn’t fully grasp the exchange they were making and how their behavior was being tracked and analyzed to generate ad revenue.
GDPR Formalizes Data Privacy in the EU
The EU has always considered privacy as a fundamental human right and historically has had stricter privacy laws. In the early 2010s, the European Union started drafting legislation that affirmed privacy as a fundamental human right. In 2018, the General Data Protection Regulation (GDPR) went into effect, asking many of the same questions posed by the OECD guidelines written decades before. The difference was that the GDPR had “teeth” because the regulators could fine up to 4% of annual turnover. Initially, the enforcement of the GDPR was not stringent, but as enforcement ramped up, GDPR caused major changes in the way companies store and use sensitive personal data.
Although it wasn’t a law written by US regulators, due to the global nature of data collection, GDPR effectively required many companies globally to document what personal data they were collecting, when and for what purposes it was used, where it was stored, and how it was being protected. Data mapping became a critical part of compliance, and an important consideration for security and encryption.
Growing Data Privacy Awareness in the US
In 2019, the California Consumer Privacy Act (CCPA) became the first modern privacy legislation in the United States focused on giving people insight and some control over how companies use their personal data. Because it covered every resident of the most populous state in the US, it created even more incentive for companies to invest in their overall privacy programs, ensuring that sensitive data was protected, secured, and properly handled.
However, no amount of legislation could have created more public awareness than the Cambridge Analytica scandal in 2019. The average user was not aware that when you shared data on Facebook through a fun “quiz”, this data could be shared with third parties, or, for that matter, what Facebook could do with this data. What the Cambridge Analytica scandal uncovered was that Facebook user data was shared with a political consulting firm that used that data to improperly target individuals for political ads without their knowledge.
This was a major wakeup call for Americans who suddenly became aware of the broad scope of data they were sharing with Facebook and what it was being used for. Regulators also took notice, and a series of fines and investigations ensued, some of which are still in progress.
Since 2020, other US states have started looking into privacy legislation. Colorado, Connecticut, Virginia, and Utah have all created legislation similar to CCPA, and 11 other states have privacy bills in consideration. Additionally, California voters approved the California Privacy Rights Act (CPRA), an amendment to CCPA, which will see the creation of the California Privacy Protection Agency as a privacy regulator.
Where is Privacy Headed?
Looking at the future of data privacy, we see emerging trends in a few areas:
- Expanding Global Privacy Regulation
- Changes to Ad-funded Products
- More Businesses Prioritize Privacy and Data Protection
Expanding Global Privacy Regulation
Globally, there’s an ever-increasing number of data privacy laws and regulations, most of which are modeled on GDPR. Global companies need to manage their compliance with a wide variety of laws, depending on where they operate, including: SOFIPO (Mexico), Updated Data Privacy Act (Australia), PIPL (China), LGPD (Brazil), Amended PDPA (Singapore) and DCIA (Canada).
In the US, the extent of regulatory protection for data privacy varies widely from state to state. Although there has been advocacy for federal privacy laws both from grassroots organizations and from corporate actors, it seems unlikely that any such legislation is forthcoming from the US Congress. In response, many states and companies are continuing to seek other solutions.
This is likely to lead to an increasingly fragmented landscape of privacy laws and requirements for companies that operate in the US. As more states consider data privacy laws or put them into place, companies will need to develop solutions that allow them to act in concert with the requirements of a growing list of different laws. Many companies are simply choosing to adhere to the most stringent versions of these laws, as this approach necessarily brings them into compliance with the less restrictive laws in other states, countries, and international jurisdictions. This proactive approach also helps companies to avoid the need to react to each new law as it is passed, and potentially gives them a competitive advantage over companies who are taking a more reactive approach. With GDPR representing the gold standard for data privacy and serving as a template for various state-level US data privacy laws, some companies that don’t operate in the EU will nevertheless find it advantageous to become GDPR compliant.
Changes to Ad-funded Products
Technology companies that handle sensitive data will continue to make changes to their products in reaction to growing awareness and regulation of data privacy. One of the companies least likely to be impacted is Apple. Apple primarily sells devices and software, allowing them to guarantee data privacy as part of their value proposition. For companies like Google, Facebook, and to some extent Amazon, their dependence on data-driven advertising for revenue requires them to balance between strengthening their trust with consumers while ensuring the ongoing viability of their advertising businesses. These companies are now being proactive by focusing on providing more easily understandable documentation around how users can change their privacy settings. I expect more movement in this direction, continuing the development of privacy settings like those that let consumers opt out of targeted ads and the introduction of subscription fees for some products as an alternative to purely ad-funded products.
More Businesses Prioritize Privacy and Data Protection
Outside of ad-funded products, many other businesses who collect personal data for critical business operations are increasing their focus on preserving the privacy of sensitive customer data. Their motivations vary, with some businesses being motivated by data privacy laws or industry regulations like PCI, while others are eager to avoid data breaches and the cost and damage to their reputations that can occur in the aftermath of a data breach.
Beyond data breaches, companies are discovering that their employees sometimes use data for purposes other than those for which it was collected, raising the need to isolate and govern the use of sensitive data. For example, Twitter was recently fined $150m after phone numbers that it collected for the purpose of enhancing security with multi-factor authentication (MFA) ended up also being used for advertising purposes.
More than ever before, a growing number of businesses are looking to protect and govern the use of sensitive data so they can maintain customer trust, run critical workflows, and avoid the unintended consequences of sensitive data misuse or theft.
How Skyflow Can Help
Skyflow’s Data Privacy Vault was created in part to help companies uphold their users' right to data privacy. We believe that privacy is a human right — every person should have control of their data and awareness of what it’s being used for. Skyflow’s Vault is built with this in mind; by centralizing and securing PII, Skyflow makes it much easier to protect, manage, restrict and delete this information.
Any company that collects personal data, no matter the size, needs a way to minimize the risk of collecting and using that data. Aside from impending privacy legislation, customers are increasingly aware of privacy, and have more concerns about how their data is stored and who has access to this data. Skyflow’s combination of de-identification, tokenization, and polymorphic encryption can help you not only comply with regulations but also build trust with your users.
Once you have identified PII and other sensitive data in your systems, you can use Skyflow to isolate and protect this data and keep it localized. Vaults can be spun up anywhere globally and configured to restrict access to data as much as necessary. Skyflow can simplify building privacy by design into your products and necessary data collection workflows.
Skyflow lets you meet the growing customer demand for data privacy from business partners and consumers alike. With Skyflow, you can assure your users that their data will remain private and protected so you can gain and retain their trust. Having sensitive customer data centrally stored also makes it much easier for you to remove it, allowing you to quickly meet “right to be forgotten” requests when you receive them from current or former customers.
The history of data privacy helps us to understand the current moment and what to expect as the global data privacy landscape continues to evolve. One trend that is clear, though, is that businesses can no longer afford to take a reactive approach to data privacy. They need to protect customer data so that they can gain the confidence and respect of their customers. To learn more about how Skyflow Data Privacy Vault can help you to isolate and protect your customers’ data, get in touch with us.