User Data Privacy for Dummies

Many of us have been following the recent updates in data privacy. Milestones such as removal of 3rd party cookies by Chrome (by 2023) and the iOS 14 privacy features are watershed moments in the history of privacy and the internet. 

While privacy seems like a drab topic to many, it is quintessential for each one of us to understand how the changes impact our businesses and us, and what is the way forward.

In the data privacy landscape, there are 3 key stakeholders involved:

1.     The user:

 Central to any data privacy issue is the user. What is it actually that the user wants?

 Let us imagine a scenario in a non-digital interaction. When I am shopping at my local grocery store, the grocer usually knows my preferences and recommends relevant products to create pure customer delight.

On my birthday, she could recommend the best chocolate I could treat myself with. Now, when I visit the florist, it would be a sweet surprise if he offers me a discount because he heard from the grocer it is my birthday. Who doesn’t like personalized service?

However, imagine the grocer stalking me to figure out what else I am buying, or sneakily going through my ID card to know my birthdate. I might feel violated even if she is doing it with the intent of delighting me as a customer.

This is the biggest dichotomy that users face today :

Finding a solution to this dichotomy has been hard and we still haven’t reached a stable equilibrium. This is the angst fueling years of debate about 3rd party cookies & legislations such as the GDPR and the California Consumer Privacy Act (CCPA).

Until these legislations happened, privacy was mostly about self-regulation by businesses. The regulations and the discourse on 3rd party cookies has kickstarted the journey towards a sustainable solution but we have a long way to go.

2.     The Business (and their partners and competitors)

While the user is at the center of data privacy, let us not forget the other stakeholder – the business. Think about the grocer and the florist whose intent was to help me find the right chocolates and the best deal on flowers, while growing their livelihood. After all, they are spending time, effort and money to create value for me and for themselves.

 What are companies trying to achieve? In a nutshell, here are the key things:

·      Monetize their offering - after all, there is no free lunch

·      Market their products, so we know about the great things they have to offer!

·      Create personalized offerings that are relevant to us

The Cookie Monster:

In the consumer digital world, companies achieved some or most of these by heavily relying on cookies. 1st party cookies make it easy for the business to personalize your interaction and 3rd party cookies help other businesses market their products. While 3rd party cookies became the norm, the user dichotomy was largely ignored, leading to a precarious state.

The large tech companies admitted the need for a balance, and mulled killing off 3rd party cookies in the search for a stable equilibrium.

Birds of the same feather, flock together:

Google, for example, tested a new approach called the FloC, which is part of its ‘Privacy Sandbox’ initiative. FloC stands for ‘Federated Learning of Cohorts’. While this sounds like a US government top secret project, it really isn’t!

 Here is FloC for dummies, by a dummy:

·      Instead of using 3rd party cookies to track a user across sites, Google would understand the content & context of the web pages a user is browsing, and store that information locally.

·      The browser would then send the information, while completely anonymizing the user, and create a cohort or ‘flock’ of people with similar behaviors & interests

·      This cohort of anonymous folks would then be targeted for promotions, ads & content with relevant offerings, while protecting the identity of individual users

 As a strong advocate of user privacy, Google has made a noteworthy attempt in solving the user dichotomy of personalization and privacy. However, there has been some resistance in the last few months since it announced the trials of the ‘Privacy Sandbox’. 

What is this resistance about?

Google owns two key solutions that enable the world of cookies and digital ads: the ad-serving business, and the browser.

While there are a few large players in the ad-serving business, Google takes the cookie in the browser world, with 2.65Bn people - a whopping 67% of desktop users - using Google Chrome. With the decision to remove cookies and enable FloC like solutions, the ad-platform competitors are concerned they would be left high and dry with little user visibility left for them.

Apple is working on its own OS-level approach to tackle privacy, and has faced its fair share of backlash from competitors, most notably Facebook. Since Facebook has a dependency on browser and OS for its key solutions, it has been particularly vocal about finding a balance between privacy, personalization and fair competition. After all, it has a lot to lose with the new solutions in the works by the other two giants. It has suggested solutions such as on-device AI for personalization.

On-device AI solutions are piquing the interest of the world, with a lot of research and efforts going in to this field. The jury is still out on what is the sustainable solution that will benefit the user and be acceptable to all parties involved.

3.     The Government:

Our knight in shining armor 

    While we discussed the role of authorities in user privacy(with GDPR & CCPA), government has another critical stake in the privacy story: that of defense against terrorism.

After the 9/11 and a slew of other terrorist attacks, governments across the world became more vigilant so they could track abnormal activity and prevent terrorism. After all, the common goal of all governments is to protect the state.

For instance, the ‘US Patriot Act’ was signed to enable government agencies to intercept and obstruct such activities. Similar anti-terrorism laws were passed in other countries, including India. Governments mostly have the right intent on this, but often end up overstepping the lines of user privacy.

Now visualize the international data transfer and storage scenario with a constant struggle for balance between local laws, international treaties, company policies, and above all – users’ privacy!

Making data go around the world:

While rights of citizens and national security are paramount, most governments also understand the need to simplify business to boost the economy. EU and US have been leading the way by implementing frameworks that simplify data transfer and processing between the two regions.

The first attempt to enable this was the ‘US-EU Safe Harbor Framework’ developed between 1998 and 2000. This Framework provided a method to legitimately transfer user data by thousands of companies.

In 2015, holes were poked into this by Max Schrems, an Austrian data privacy activist, and this resulted in EU judiciary stepping in and the framework getting scrapped. Soon, it was replaced by a more advanced ‘Privacy Shield’ framework in 2016.

All seemed hunky dory on this front, with thousands of businesses ensuring compliance to the framework to enable user data transfer between EU and US. Until, one day Schrems poked another giant hole in the Privacy Shield in 2020, and Humpty Dumpty had a great fall.

All the king’s men are still working together to come up with ‘Privacy Shield 2.0’, but until then, businesses are struggling to enable data transfer in compliance with local laws because of the vacuum created by the death of Privacy Shield 1.0.

What next?

Finding the balance:

The world is putting its brain power together to come to a sustainable, ethical solution to user data privacy, that keeps the user at the center, but doesn’t provide sub-optimal outcomes for business and for national security.

While Google, Apple and Facebook are some of the strategic stakeholders and have been putting in a lot of leadership and development effort to find a long-term solution, it is imperative for businesses and consumers around the world to be involved in the discussion and ensuring an equitable solution is reached.