Dark Patterns: The Dangerous State of US Data Privacy

Happy belated Data Privacy Day! I don’t post on Fridays. How did y’all celebrate? Oh wait, you didn’t celebrate and you’ve never heard of Data Privacy Day? Let me guess, you’re American.

Privacy is a crazy and exciting field these days for professional practitioners like myself. But it’s a giant headache and growing pain point for more and more US technology companies. I want to take this opportunity to offer a brief comment and the current state of the privacy space followed by a call to action for organizations to get a handle on their privacy posture starting today.

To set the stage, let’s have some fun for a minute. Imagine you’ve dimmed the lights in your media room and queued up a Sci-Fi thriller on your favorite streaming service for Friday night movie time. This movie is set in a not-so-distant dystopian future. An evil government has the ability to continuously monitor and log everything about you. Your movements and exact location are meticulously tracked and displayed on a digital map. Every internet search, every message you send, and everything you read, watch or listen to is recorded in your user profile. Every person that you meet, or stand within 6 feet of, is recorded including the amount of time you spent together. Your profiles are systematically compared to determine your shared interests, activities and groups. All of your speech and everything you say throughout each day is recorded. All of these data points are streamed through AI-enhanced analytics and prediction engines in order to classify and bucket you for every imaginable purpose; your education, your job and professional skills, your driving ability, credit worthiness, political views, terrorism risk, sexual and religious preferences, shopping habits, what books, music, movies, websites and podcasts you like, where you vacation, your diet, vaccination status and general health risk, including how many steps you took today, oh, and what color running shoes you prefer. Basically everything about you is digitally captured, analyzed and scored. This information is extremely valuable for advertisers, product marketers, law enforcement, security agencies, customs and border patrol, college admittance officers, employers, insurers, mortgage underwriters, dating services, the IRS, you name it.

So what technology is being used to meticulously track you? You might think that Bill Gates and the one world government finally succeeded in mandating that you get injected with an illuminati tracking device. But it was far easier and arguably more insidious than that. You didn’t get forcibly injected with a tracking device, you went out and voluntarily bought the tracking device, and you happily carry it with you at all times. The data collected from your tracking device, along with all the smart, voice-activated, and networked devices in your home, workplace, and transportation create a very complete profile of you and your activities. See where this is going? This isn’t the future, this is the present. Except you’re not being tracked by an evil government, rather by a big technology company. Don’t worry though, it’s just for targeted advertising, not social control. And you can opt out of this tracking at any time via your preferences.

Oh shoot, wait. Breaking News: Multiple US Attorney Generals are suing Google for misleading people into thinking they turned off location tracking when, in reality, they turned off tracking for one service but multiple other services are still tracking them. Tricking and misleading users into consenting to privacy choices that they didn’t understand or intend is known in privacy lingo as a “dark pattern.”

So here’s the point. The privacy risks to humans from this level of PII data collection and processing are well known and embedded into European culture. This understanding resulted in the codification of data subject privacy rights in the General Data Privacy Regulation (GDPR). However, the US political culture, frankly, lacks this level of privacy awareness. We tend to think of privacy risk in the context of specific harms in siloed consumer verticals like healthcare, finance and education. As a consequence, even though the US Chamber of Commerce, along with several activist groups, recently lobbied Congress once again to pass “comprehensive privacy legislation,” I haven’t seen any market observers who seem particularly optimistic that this will happen any time soon.?

So what is the danger? First, there are obvious dangers in allowing a handful of large, powerful, technology companies to build comprehensive data profiles on individuals for profit. It’s hard to put the genie back in the bottle and you should expect rich and powerful companies to fight tooth and nail to protect these extremely profitable data collection practices. In addition, as European data authorities understand, there is an ever-present risk that the US national security apparatus will compel disclosure of this private information along with a gag order to prevent the data subject from being informed. Lastly, of course, you have the hackers and bad guys who will look for new and creative ways to mis-use personal data for crime and profit. There are additional risks, but I don’t work in politics, I work mostly with private SaaS companies, so these aren’t the dangers I’m talking about.

The danger I worry about is the fact that this distrust between Europe and the United States on the issue of data privacy is hampering the competitiveness of US companies. At present, US SaaS companies are having to go to great lengths when selling to EU, international, and global enterprise customers in order to demonstrate that their data processing does not pose an unreasonable risk to data subjects because US privacy laws have been formally deemed inadequate following the death of Privacy Shield. And while data transfer from the EU to the US is still legal based on the Standard Contractual Clauses (SCCs) along with “additional safeguards,” or from the UK based on the IDTA, European companies, consulting with risk-averse law firms and data protection consultancies, are increasingly asking for “data residency” within the EU. That requirement is no big deal for the global tech giants, but it’s a major pain point for small and medium sized technology businesses. It’s beside the point that data residency is mostly cosmetic and doesn’t really address the potential risks from US surveillance. Having to spin up, support, and maintain a product hosting environment in a foreign jurisdiction just for compliance purposes is costly and inefficient. Having to convince prospects that their commercial data will not be subject to a FISA 702 warrant can feel ridiculous and surreal on sales calls, but that conversation is happening daily. This isn’t just an issue when selling into the EU, large enterprises in the US now have similar privacy requirements for vendors since they need to safeguard their own EU data processing ecosystem, or have simply established a universal corporate standard set to the highest bar. Piling on the pain for small businesses, the vacuum of US national leadership is quickly being filled by a patchwork of US state-level regulations and, while they are fairly consistent, having to navigate compliance with fifty (50) data privacy laws is more costly and less efficient than just one.

Here’s the call to action. Focus on the things you can control and don’t worry about those you can’t. It’s 2022 and data privacy is in, information security is so 2013, hopefully you have already knocked out a SOC 2 or ISO 27001 certification. Organizations need to get their own data privacy programs buttoned up. Like now. Political solutions are not forthcoming. We all want our brands to be seen as good global citizens and we want to provide assurance to our customers and partners that we are trustworthy stewards of their personal data. Closing the next deal may depend on it. The future of your organization will require it.