A deep history of pivotal moments gave root to our modern idea of human rights. Ancients, like King Hammurabi, set in stone (literally) some parts of the idea that every person has basic rights and freedom. Along the way, the Magna Carta, the English Bill of Rights, the Virginia Declaration of Rights, and the U.S. Bill of Rights codified human rights into the current local incarnation.
However, it was not until the end of World War II and the scale of human tragedy that the world adopted a global declaration of human rights. It was then that the Universal Declaration of Human Rights (UDHR) was formalized.
Today, the world is at another precipice — a digital one. Once the U.N. declared internet access as a human right, it became apparent that protecting personally identifiable (PI) data or data privacy is a significant concern for all consumers, not just a privileged few.
As the clamor for better data privacy protection gets louder, consumers are beginning to see it as their human right. They want to take control over their PI data and be the one to determine how it is shared, used, and analyzed. This is creating a fundamental shift in the way we handle data, especially PI data, and the relationship between governments, consumers, and businesses.
Consumers have had enough
Data privacy is not a new consumer or government concern that came out of the blue. In highly regulated industries, such as financial services and health care, a whole department is dedicated to compliance. Governments and their regulators have always created guardrails to ensure consumer privacy is protected.
However, for a long while, data privacy was a back-of-mind and out-of-sight issue that saw businesses meeting regulators’ needs. It was a remit for compliance and privacy teams, not for consumers to demand action. Provisions for the right to be forgotten (RTBF) were unthinkable, and the primary focus has always been about weeding out bad actors and fraud.
Then consumer perceptions changed, driven by the consumerization of the internet. The current pandemic also has played a part when consumers had no choice but to live digital lives.
Public spats and missteps by social media companies and the growing onslaught of cyberattacks targeting PI data have raised public concerns. Consumers want to take back control of their PI data. What they really want is transparency and better access; they see it as their right.
When regulators listen
Regulators listened. GDPR, CCPA, and CPRA allow consumers to determine how businesses use their PI data and have the option to alter it, if necessary. Although by no means airtight or perfect, these laws brought data privacy a step closer to becoming a human right.
Some industries are more prepared than the rest. Sectors, like health care and financial services, already follow stringent guidelines for their compliance practice. Their challenge is to give more control to consumers over their data and shift their thinking.
Meanwhile, retailers are beginning to see that they are sitting on a data privacy minefield after years of collecting and analyzing data from consumers, data brokers, and social media for better consumer behavior tracking. While this may have helped them create personalized value propositions and closer relationships with their buyers, it also increased their business risks.
Fines have become heftier. As a percentage of revenues (not fixed penalties or a percentage of profits), they can seriously dent topline and bottom line growths. This becomes a significant issue for small and medium businesses — especially those without privacy or compliance teams who can’t afford to make any missteps.
When privacy becomes less clear
Having new laws also introduces a different sort of challenge for consumers.
Let’s use privacy speak for a while. In the world of privacy, users are called subjects. A subject can be a consumer, employee, contractor, or partner. And, as a subject, you need to know your rights in a given jurisdiction and how to exercise them. This is where regulators are adding more clarity with new acts and regulations, sometimes with differences.
While GDPR and the CCPA are often cited as benchmarks, local nuances exist. They are also not global standards. Hidden between the legal lines are also many gray areas that current amendments or new regulations have yet to address.
To make it more complex, you may be a consumer, data user, or custodian at different times in your life. For example, if you reside in California, you also work for a U.K.-based company and consume a service from a China-based company, in every instance, your rights differ. Understanding how you can exercise them in different jurisdictions can help you during a breach but requires the subject (you) to be aware.
This requires a new level of awareness among consumers. And, current observations show that consumers are becoming more aware of their need to understand how their rights shift across jurisdictions and roles.
A McKinsey article noted the increased use of cookie blockers, ad-blocking software, and incognito browsers. At the same time, consumers demand their brands create better data catalogs and follow privacy by design (PbD) principles that both CCPA and GDPR advocate.
All these new regulations and consumer demands have significant implications on how we create, deploy, and use applications.