Apple CEO Tim Cook recently accused other tech companies of violating their users’ privacy in the name of profit. One U.S. Representative (Ro Khanna, D-CA 17th district) crafted a “Bill of Rights for the internet.” And even data-siphoning companies such as Google and Facebook have begun making noise about protecting customer information more stringently.
Is it time for the U.S. to adopt regulations similar to GDPR (‘General Data Protection Regulation’), the framework for data protection that applies to all EU citizens? That’s already a topic of strenuous debate within the tech industry. Every time another company suffers a catastrophic data breach, or admits that its users’ data ended up used for nefarious purposes, the cries for some kind of law grow louder.
Indeed, those U.S. companies that do any kind of business in the EU have already been forced to adapt to GDPR. If a company database stores something as simple as a European customer’s home address, email, fingerprints, facial image, or MSISDN (mobile station international subscriber directory number, used to identify mobile phone numbers internationally), then the regulations apply.
But that adoption wasn’t easy. Many businesses chose to retreat from the EU—or even shut down entirely—rather than re-architect their systems for GDPR compliance. If future U.S. regulations end up modeled after GDPR, here are some things that tech pros might end up dealing with:
Updated user interfaces that prioritize opt-ins for newsletters, special offers, and so on (as opposed to having users automatically signed up for such services).
If your company built its database via scraping other sites or social networks, or through purchasing email lists, new regulations may demand a “re-engagement” campaign to obtain opt-ins from everyone on those lists. (For companies that had to modify their operations to comply with GDPR, this proved particularly time-consuming and expensive.)
Right to be Forgotten
Companies may need to offer a “right to be forgotten.” In other words, if a user wants their account deleted and all their information stripped from the company’s system, the company must comply.
Users may have the right to receive data in a portable, machine-readable format, which will allow them to more easily move between similar services.
Companies would have to admit to any data breach within a few days of discovery. (If this kind of regulation goes into effect, it could prove extremely lucrative to crisis-communications firms.)
The bottom line is that tech companies would end up more accountable to users. And who doesn’t love accountability, aside from the CEOs, CFOs, project managers, product designers, and everyone else who would need to burn 80-hour weeks for a year or two in order to bring their company into compliance? We’re joking, of course, but the underlying point stands—instituting regulations means a lot more work for folks (and a lot of money to contracting firms willing to take over the workload; remember everyone who profited immensely from Y2K work?).
Apple also has some ideas about how U.S. tech firms can more strictly enforce privacy. In fact, Tim Cook was kind enough to boil it down to a few Tweets:
It was an honor to be invited to #ICDPPC2018 in Brussels this morning. I’d like to share a bit of what I said to this gathering of privacy regulators from around the world. It all boils down to a fundamental question: What kind of world do we want to live in?
— Tim Cook (@tim_cook) October 24, 2018
Since Apple makes its money from hardware, as opposed to monetizing user data, it can use privacy to its competitive advantage. But that shouldn’t discount the broader momentum toward stricter data protections. And if those regulations are put in place, tech pros (and their companies) could find themselves buried under a ton of new work.