After the many headline-grabbing data breaches we’ve seen in the past decade, it’s clear: It’s no longer a matter of if a company will put your data at risk, but when. Simply put, the internet as we know it has not been designed to safeguard consumer data. Quite the opposite, in fact—personal data is the lifeblood of online advertising. Consumers have readily handed over their information (sharing it, on average, with 350 services, according to one study) and depend largely on the goodwill and efforts of private companies to protect their privacy—and companies across the board have been failing.
With recent regulations, governments are trying to shift the balance of power between companies and individuals. The most prominent regulations are the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA). Among other measures, both regulations empower consumers with “the right to be forgotten”.
In theory, having the right to be forgotten means you have the right to delete your data from corporate servers, thus reducing your exposure to improper use or theft. But these regulations haven’t meaningfully solved the problem of online privacy for consumers. Consumers are more empowered now to take charge of their data, but not actually equipped to do so. While you technically have the right to be forgotten, actually getting a company to forget you in the real world is incredibly difficult.
For example, as a frequent Marriott customer, I was recently notified that the company had suffered a data breach. I jumped through several complicated hoops to try to find out what data they had from me—my address? My credit card number? What else? Then I hit a roadblock: Marriott asked me to send them a scan of my passport to prove that I was who I said I was. Why would I give this company, who’s just proved it can’t be trusted to safeguard my data, even more of my personal information? It’s jaw-dropping.
Some companies offer tools to help consumers exercise their privacy rights. Mine* (a Battery portfolio company) gives consumers tools to find and delete their information across the web. Transcend and Ethyca create back-end tools for companies to delete user data more easily when requested to do so. Trace & BigID create data-management tools for companies that are designed with privacy in mind. Other companies create tools to help consumers use the internet more safely: DuckDuckGo offers a safer way to search, Brave is a privacy-first web browser, and Jumbo tightens up your social media privacy settings for you.
These tools are invaluable. But more still needs to be done to make privacy a meaningful right for consumers. Here are three ideas that would equip consumers with the tools they need to keep their personal data secure:
1. Entrepreneurs: Let’s create a trusted intermediary for data. The same way PayPal safeguards your payment information by acting as an intermediary for e-commerce transactions, a new company could become a trusted intermediary that handles all personal data during transactions. This intermediary would release data to other companies only on a need-to-know basis, and ensure that those companies delete this data once they no longer need it—for instance, once the return window has closed on the product you’ve bought.
Some precedents already exist for such a service. Password managers like Dashlane and 1Password offer a paid tier to consumers, enabling them to keep their passwords organized and secure. LifeLock empowers consumers to protect themselves against identity theft and data breaches. As consumers feel more pain around privacy and their awareness of how difficult protecting it grows, it creates market opportunity. Eventually, as these services catch on, consumers will second-guess purchases with any company that doesn’t partner with a privacy-protection service – much the way you might hesitate at purchasing from a brand-new merchant via Instagram if they don’t offer PayPal as a checkout option.
2. Companies: create a meaningful one-time checkout option. ‘Guest’ checkout is a fiction. Once you give a company your data, they have it, even if you’ve used a so-called ‘guest’ option. Every company that does business online (which, in 2020, is practically every company) should create a real one-time checkout option where customer data will automatically be deleted once it’s no longer needed. Say you’re planning to visit the Vatican and buy tickets online for a tour. The odds you’ll be a repeat customer are pretty low, so why should the Vatican store your data as if you’ll be back to see the Sistine Chapel again soon?
3. Governments: Create a CFPB for privacy rights. If you’re having a dispute with your mortgage company, you can file a complaint with the Consumer Financial Protection Bureau (CFPB) and get this watchdog agency to intervene on your behalf to make sure your rights are respected. But where should you direct your complaints if a company mishandles your data? Technically, you can submit a privacy complaint to the FTC, but privacy is only one of many types of complaints the FTC handles. In a world that runs on data, consumers need a regulator that’s laser-focused on protecting their right to privacy.
In today’s world, data is currency. Consumers urgently need better tools to safeguard their personal information. Recent privacy regulations are a good start, but there’s still a way to go before consumers have an actionable right to privacy, starting with their right to be forgotten. Consumers need tools that will help them easily exercise their rights, and they also need a clear authority who will defend their rights when companies fail to live up to their commitments.
This material is provided for informational purposes, and it is not, and may not be relied on in any manner as, legal, tax or investment advice or as an offer to sell or a solicitation of an offer to buy an interest in any fund or investment vehicle managed by Battery Ventures or any other Battery entity.
The information and data are as of the publication date unless otherwise noted.
Content obtained from third-party sources, although believed to be reliable, has not been independently verified as to its accuracy or completeness and cannot be guaranteed. Battery Ventures has no obligation to update, modify or amend the content of this post nor notify its readers in the event that any information, opinion, projection, forecast or estimate included, changes or subsequently becomes inaccurate.
The information above may contain projections or other forward-looking statements regarding future events or expectations. Predictions, opinions and other information discussed in this video are subject to change continually and without notice of any kind and may no longer be true after the date indicated. Battery Ventures assumes no duty to and does not undertake to update forward-looking statements.
*Denotes a Battery portfolio company. For a full list of all Battery investments, please click here.