With the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020, I think it’s timely to look at how digital natives may change the way we view data privacy altogether. If you were a toddler when Voyager 1 and 2 buzzed Saturn in 1980 and 1981 respectively, you are a digital native, as is anyone who came along after you. Maybe you started high school when email and file-sharing started going mainstream, and by the time you graduated, The New York Times had a homepage, at least one of your parents was likely online, and we, consumers at large, were beginning to experience FOMO (fear of missing out) if we weren’t online.
Ubiquitous tracking and big data pools as we know them today weren’t even a glimmer in a mad data scientist’s eye back then — and yet, people born before we learned who shot J.R. (or digital immigrants, as they came to be known) had already been making privacy mistakes for years.
Privacy Habits of the Past
Although the term was coined in the 1960s, identity theft has been with us for much longer. This author shares a name with a notorious horse thief, born Henry McCarty in the 19th century American Wild West. This scoundrel misappropriated the name William Bonney from an obituary in a New Jersey newspaper before he went west and famously fell into considerable mischief.
Two generations after his demise, the U.S. government began handing out identifiers for the new Social Security program. That’s where the trouble began in earnest. Many states put that number on their state-issued driver’s licenses — and this practice wasn’t banned until 2005. When Medicare came along in the 1960s, the Social Security number (SSN) was used as an identifier for each recipient. It was convenient, and it seemed like a good idea at the time, but the practice was officially ended in 2017.
Another habit we all got into long before digital natives started tagging themselves in hundreds of social media photos was putting our driver’s license numbers, addresses and phone numbers on the face of our checks. Credit cards weren’t widely accepted at grocery stores until the late 1990s, and who wanted to carry cash? None of us wanted to wait in long lines while the cashier wrote our phone and driver’s license numbers on our check to guard against fraud. It was easier and faster to have the info printed right on the check when we ordered them. The banks knew all about it. It was convenient, and yes, it seemed like a good idea at the time.
As we started using credit cards more broadly, we found ways of getting into even more privacy trouble. Rewards programs started sprouting like weeds. There were airline miles, discounts at the check stand and loyalty points for every possible purchase. Now, we coin new currencies faster than influencers gain followers. For 15 percent off, we allow our pharmacy, grocer, clothier and online retailer to track everything we buy, and we’d dutifully bark our phone number at clerks with people all around us to make sure we got credit for every purchase.
Digital natives certainly aren’t alone in posting photos, videos and online journals from their own social media accounts. While it might be easier for someone who grew up with the technology to post a fully captioned photo that tags five friends or colleagues, the consequences seem to vary more by the reach of the social profile in question than demographic factors. These consequences can range from varying degrees of embarrassment to ostracization and severe career impact. Sharing photos, videos and inner thoughts seemed like a good idea at the time — just like sharing SSNs, driver’s license numbers and phone numbers did before.
Data Privacy Expectations Are Rapidly Evolving
Our collective attitude toward data privacy is changing as we learn more about how maintaining data privacy is both desirable and difficult. We are now more attuned to the effects of sharing and the consequences of subtle privacy violations. In short, we’re in an era of rapidly evolving data privacy expectations. We’re increasingly turning to regulators to help us corral entities who would sell pieces of our information that we wouldn’t necessarily share on our own. Partly due to the experiences of digital natives, we are reconsidering the rules of data sovereignty.
As the consequences of data sharing become more evident (think public shaming versus identity theft) and long-lasting (searches often expose events going back decades), we are recognizing that our online images and thoughts can define us and should be owned by us, regardless of whether we fully understood the impact of sharing them. If a musical group can stop a political campaign from using its song or an actor can stop a merchant from using their image in an advertisement, it is my opinion that each of us should be able to determine how our images and musings may be used by collectors and whether to allow their collection at all.
The Berne Convention, which was adopted way back in 1886, established that publication alone is enough to establish a copyright. I’d assert that it’s not much of a stretch to extend that to what we publish about ourselves, whether that information is generated intentionally or as a byproduct of living in the digital age.
Should We Have Personal Sovereignty Over Our Data?
Regulators alone cannot solve this problem. It seems to me that what digital natives have asked us to do — sometimes explicitly, but often indirectly — is create the technical means to grant and revoke permission to collect, access, use and share the data we all produce.
Regulators could force each covered entity to create processes whereby current data subjects can request agency over their data privacy. New technologies could be created to encode each atomic unit of data and establish clear ownership. With options such as blockchain and smart contracts, I believe we could honor evolving data privacy expectations and enable data subjects to set or change the rules to which data brokers and users must adhere. If those parties fail to act in accordance with those rules, they could be prohibited from using that data.
Certainly, this concept has a more complex application when it comes to the digital exhaust we create (think location data and log data) as opposed to data elements that are more obviously descriptive, but this seems like more of an architectural challenge than one of scale to me. After all, we’ve managed to solve the scale problem for collection and use. As I see it, giving data subjects sovereignty over their data seems like a logical next step for our time — one that might just remain a good idea as we look back on this time years from now.
President, CISO DRG, Inc.