The Way The Cookie Crumbles

The U.S.A. will show the way in data privacy and security.

Last year there was a wave... no, almost a frenzy of activity around the ‘deadline’ for GDPR (the European Data Privacy Regulation).

So far, the promise of huge fines and severe repercussions have amounted to not anything more than words.

Discussions about fines and media coverage about the ‘usual suspects’ (Facebook, Google, Apple, Netflix, Spotify). Tempered ‘legal discourse’ about the possibility of being fined, with appeals processes and politics sure to make anything fizzle out.

The issue isn’t with the approach, the concept, the planning. It’s all to do with politics and whether to ‘bare teeth’ or not. In the current political climate, financial threats to non-EU countries will not be taken too kindly. My view is that GDPR will eventually ‘bare it’s teeth’. But of 59000 notifications there have only been around 91 fines.

There are some positive effects in swing. More companies outside the EU have been murmuring about the impact it might have on them and taking a cursory glance at the weak text in their privacy policies and how they use cookies.

Cookies...

..are a favourite American treat, or so my years of watching American movies, sitcoms and drama’s would have me believe.

The United States of America is a country I love. Ingenuity, innovation and entrepreneurship are mainstays of the culture. The United States undoubtedly has the power to drive pivotal change in privacy regulation. Can it accelerate past GDPR to be the shining light of data privacy globally? Yes.

I firmly believe that it’s the ‘USA all the way’, when it comes to the next significant political moves with regard to global data privacy concerns.

Not only is Silicon Valley the main loitering area of the large data factories of the global data giants, but the USA is also a leading country for the consumption of data. Data and analytics are consumed at an ever increasing rate. It’s a data analytics monster.

Monsters

Consumer concern is certainly heightened at the realisation the Silicon Valley ‘monsters’ are performing ever more advanced analytics and sending data everywhere.

LinkedIn, for example, confidently asserts I’m Male and could probably tell you a little more than that.

But are people concerned? Not on an individual level (How many Ts&Cs have you ignored recently?).

Large U.S. consumer groups such as the ACLU are taking action and a there’s a wave of interest in privacy regulations, brought about by sweeping state-wide legislation in California last year.

Other states are working toward similar goals at varying pace. Slowly consumer thinking is swinging to back to the 4th amendment and privacy as a fundamental right.

In addition (and I don’t mean to bring politics into the politics) the distrust that’s been brought about by the previous presidential campaign and all its data trickery (I’ll say it, ”Fake News”) leaves people unsure of who to trust any more. Hacking and Fake News are now a part of everyday (or at least every second day) conversation.

The New Year predictions I made about a wave of countries focusing on the sovereignty of their own citizen’s data are also a factor. Through this year I can see a number of countries reassessing their ‘data borders’.

It is debatable the motivations of the nationalistic/tribalistic reasoning for closing down borders, both real ones or data ones. Are these countries oncerned about privacy or concerned about the monetary value of data? You Decide!

But uncertainty in people and politics coupled with the realisation that data is the new oil moves the conversation along substantially.

Regardless of the colour on the political rainbow that an American citizen happens to be invested in, people in the United States are beginning to pipe from the same privacy flute.

Wheels, Crowns and Flutes

Ok, I’ll admit there’s a Cookie Monster theme.

The Wheel. There is a constant merry-go-round of discussions over privacy that continue to go full circle. I am willing to give my data to LinkedIn because it provides a service and a platform for me. At the same time, millions of other people’s data is aggregated and LinkedIn can gain powerful insights. It is intelligent. However, it is the misuse of that data that needs to be controlled and that control enforced.

The Crown. GDPR is yet to bare its teeth. It will. It is the king of privacy regulations and as we move through this year news will certainly surface of big breaches and bigger (but not big enough) fines.

Will U.S. statewide or even countrywide regulations enter the fray as pretender to the privacy regulation throne? Probably not for a while. But over the course of the next few years there will be significant changes in attitudes to privacy in the USA. Certainly it seems momentum has shifted toward the idea of a federal privacy bill in the US.

The Flute. For GDPR there has been a lot of hot air generated over recent years. Not much to show for it. Except that is, the influence it has had from being a ‘pied piper’. If Europe can do it, "so can we". Other regions of the world are beginning to follow suit. There are a host of reasons why this could be the direction of privacy in the coming year:

? The US has a lot of the data and data = $$$

? The Forth Amendment and HIPAA

? Rising State #legislation and heightened awareness of Fake News

? #FOIA requests and Consumer Activism

? Privacy globally and reaction to GDPR

? Microsoft and Apple taking privacy seriously as a commercial proposition and corporate entities are getting wise to what’s happening to their data in the #cloud.

? The US needs to drive hard on AI regulation to dominate that market.

? Even more recently a legal judgement to support the case.

? And Cisco Chief Legal Officer, Mark Chandler throwing his influential weight behind the argument.

Me Want Cookies

Ok, ok, so what is the main point of this latest diatribe?

It's a warning (or helpful hint, which sounds much friendlier) for U.S. firms to get ready for increased focus on privacy.. and for Global firms to pay attention.

A high percentage of US firms even claim GDPR compliance because they had a lawyer read the clauses and nod wisely, while approving the branding for the image of a rosette on the website.

Speak to people in Europe about GDPR and the changes it has meant for their organisations. Start treating privacy as a fundamental building block of your systems, processes, policies and procedures. Privacy by Design.

And make sure you're getting ready for an oncoming wave of corporate crisis around privacy (Marriot/Starwood anyone?)

I promise you’ll be innovative and ahead of the curve for once. And web-tech people, maybe your cookies will finally crumble?

Om nom nom nom.

Martin.

Disclaimer: this is all my own opinion and isn't necessarily reflective of the views of my current or previous employers.

About Martin: Over the past 16 years I've worked with Chief Legal Officers, General Counsel, Compliance Professionals and ‘Big Law’ firms globally, to provide, create and implement systems and processes that reduce the likelihood of failure during a crisis.

About Cookie Monster: Cookie Monster is a Muppet on the long-running children's television show Sesame Street. He is best known for his voracious appetite and his famous eating phrases, such as "Me want cookie!", "Me eat cookie!" (or simply "COOKIE!"), and "Om nom nom nom" https://en.wikipedia.org/wiki/Cookie_Monster