Posted on: Friday 24th of February 2012
The US Government’s planned new Privacy Bill of Rights marks a decisive moment in the control shift. The first clause and sentence effectively makes the first half of the control shift ‘official’. They read:
1 INDIVIDUAL CONTROL: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
The only question now, is how far and how fast the control shift moves (the second, decisive, half being empowering individuals as managers of their own data).
One step forward …
Highly symbolic as it is however, the US Administration’s initiative is actually quite modest. The six key clauses of the new Privacy Bill of Rights (Individual Control, Transparency, Respect for Context, Security, Access and Accuracy, and Focused Collection) pretty much mirror European data protection legislation – the legislation that was passed in 1995 however, not the new draft regulations.
The Bill steers clear of the EU’s proposed rights of data portability (including the midata right to have data released back to you) and the right to be forgotten, though it does follow the EU in extending the definition of personal data to include “any data, including aggregations of data, that is linkable to a specific individual” including “data that is linked to a specific computer or other device”. That has big implications for behavioural targeting and the use of mobile data.
The big question now is how companies respond. There are two main options.
1. Protect business as usual Many companies’ instinctive reaction is to protect business as usual. The best way to do this is to gain PR brownie points by conceding a few general principles at the level of slogans while neutering their practical import via the details of implementation.
It’s big news for example, that 400 US companies including Google and Facebook have agreed to back a ‘Do Not Track’ button in web browsers. But actually, ‘Do Not Track’ is a misnomer. They’ll still be tracking individuals and using and selling the data. The only thing they won’t be doing is using the data for one specific purpose: targeted advertising.
Besides, the critical question is the default mode. Will consumers be required to take a specific action to turn ‘Do Not Track’ on? Or will the default work the other way round – so that individual have to take a specific action to turn it off? For all practical purposes, the default mode is all that matters. If the default mode is ‘to track’, with consumers having the option to turn on ‘Do Not Track’, the real impact will be close to zero.
If you don’t believe this, take a look at organ donor stats in Europe. In Austria, organ donations on death are close to 100%. In Denmark, they’re just 4%. The difference? The power of the default. In Austria, you have to take a specific action to opt out of donating your organs. In Denmark, you have to take a specific action to opt in. In situations like this, he who sets the default effectively makes the decision.
So while these two-connected moves – the new Privacy Bill of Rights and the Do Not Track commitment – are hugely important symbolically, we shouldn’t expect too much change on the ground just yet.
2. Embrace the control shift The second option is to pro-actively embrace the control shift. The underlying logic of this is simple. There is more money to be made from empowering people (consumers, customers, citizens) than there is to be made from trying to control them and treat them as the raw material of value extraction (by collecting data about them and treating them as the passive subjects and targets of data-based activities).
The empowerment strategy recruits the individual as an active data managing and sharing partner. It sidesteps the conflict and inefficiencies of today’s approach and unleashes rich new data assets – VPI, the Volunteered Personal Information that individuals could contribute if they could trust the people they were sharing the information with and were getting a benefit from doing so.
This approach does, however, require the careful construction of new types of data sharing relationship with individuals.
There’s a world of difference between these two approaches: while the general direction of travel towards the control shift gets clearer by the day, there’s still everything to play for.