After the many headline-grabbing data breaches we’ve seen in the past decade, it’s clear: It’s no longer a matter of if a company will put your data at risk, but when. Simply put, the internet as we know it has not been designed to safeguard consumer data. Quite the opposite, in fact—personal data is the lifeblood of online advertising. Consumers have readily handed over their information (sharing it, on average, with 350 services, according to one study) and depend largely on the goodwill and efforts of private companies to protect their privacy—and companies across the board have been failing.
With recent regulations, governments are trying to shift the balance of power between companies and individuals. The most prominent regulations are the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA). Among other measures, both regulations empower consumers with “the right to be forgotten”.
In theory, having the right to be forgotten means you have the right to delete your data from corporate servers, thus reducing your exposure to improper use or theft. But these regulations haven’t meaningfully solved the problem of online privacy for consumers. Consumers are more empowered now to take charge of their data, but not actually equipped to do so. While you technically have the right to be forgotten, actually getting a company to forget you in the real world is incredibly difficult.
For example, as a frequent Marriott customer, I was recently notified that the company had suffered a data breach. I jumped through several complicated hoops to try to find out what data they had from me—my address? My credit card number? What else? Then I hit a roadblock: Marriott asked me to send them a scan of my passport to prove that I was who I said I was. Why would I give this company, who’s just proved it can’t be trusted to safeguard my data, even more of my personal information? It’s jaw-dropping.
Some companies offer tools to help consumers exercise their privacy rights. Mine* (a Battery portfolio company) gives consumers tools to find and delete their information across the web. Transcend and Ethyca create back-end tools for companies to delete user data more easily when requested to do so. Trace & BigID create data-management tools for companies that are designed with privacy in mind. Other companies create tools to help consumers use the internet more safely: DuckDuckGo offers a safer way to search, Brave is a privacy-first web browser, and Jumbo tightens up your social media privacy settings for you.
These tools are invaluable. But more still needs to be done to make privacy a meaningful right for consumers. Here are three ideas that would equip consumers with the tools they need to keep their personal data secure:
1. Entrepreneurs: Let’s create a trusted intermediary for data. The same way PayPal safeguards your payment information by acting as an intermediary for e-commerce transactions, a new company could become a trusted intermediary that handles all personal data during transactions. This intermediary would release data to other companies only on a need-to-know basis, and ensure that those companies delete this data once they no longer need it—for instance, once the return window has closed on the product you’ve bought.
Some precedents already exist for such a service. Password managers like Dashlane and 1Password offer a paid tier to consumers, enabling them to keep their passwords organized and secure. LifeLock empowers consumers to protect themselves against identity theft and data breaches. As consumers feel more pain around privacy and their awareness of how difficult protecting it grows, it creates market opportunity. Eventually, as these services catch on, consumers will second-guess purchases with any company that doesn’t partner with a privacy-protection service – much the way you might hesitate at purchasing from a brand-new merchant via Instagram if they don’t offer PayPal as a checkout option.
2. Companies: create a meaningful one-time checkout option. ‘Guest’ checkout is a fiction. Once you give a company your data, they have it, even if you’ve used a so-called ‘guest’ option. Every company that does business online (which, in 2020, is practically every company) should create a real one-time checkout option where customer data will automatically be deleted once it’s no longer needed. Say you’re planning to visit the Vatican and buy tickets online for a tour. The odds you’ll be a repeat customer are pretty low, so why should the Vatican store your data as if you’ll be back to see the Sistine Chapel again soon?
3. Governments: Create a CFPB for privacy rights. If you’re having a dispute with your mortgage company, you can file a complaint with the Consumer Financial Protection Bureau (CFPB) and get this watchdog agency to intervene on your behalf to make sure your rights are respected. But where should you direct your complaints if a company mishandles your data? Technically, you can submit a privacy complaint to the FTC, but privacy is only one of many types of complaints the FTC handles. In a world that runs on data, consumers need a regulator that’s laser-focused on protecting their right to privacy.
In today’s world, data is currency. Consumers urgently need better tools to safeguard their personal information. Recent privacy regulations are a good start, but there’s still a way to go before consumers have an actionable right to privacy, starting with their right to be forgotten. Consumers need tools that will help them easily exercise their rights, and they also need a clear authority who will defend their rights when companies fail to live up to their commitments.
Battery Ventures provides investment advisory services solely to privately offered funds. Battery Ventures neither solicits nor makes its services available to the public or other advisory clients. For more information about Battery Ventures’ potential financing capabilities for prospective portfolio companies, please refer to our website.
*Denotes a past or present Battery portfolio company. For a full list of all Battery investments, please click here. No assumptions should be made that any investments identified above were or will be profitable. It should not be assumed that recommendations in the future will be profitable or equal the performance of the companies identified above.
Content obtained from third-party sources, although believed to be reliable, has not been independently verified as to its accuracy or completeness and cannot be guaranteed. Battery Ventures has no obligation to update, modify or amend the content of this post nor notify its readers in the event that any information, opinion, projection, forecast or estimate included, changes or subsequently becomes inaccurate.