Americans highly value their right to privacy. While privacy is not mentioned explicitly in the Constitution, numerous Supreme Court decisions cite the personal protections listed in several Amendments as evidence of the implied right to privacy. Privacy is at the core of the American concepts of independence and individuality. Privacy is foundational to protect civil rights, free speech and free thought, intellectual property, reputations and personal finances.
When asked, the vast majority of Americans (+90%) are clear that they want to be in control of who can access information about them (Pew May 2020). They do not want anyone watching or listening to them without their permission, particularly when it involves coveted information about their finances and healthcare. However, despite these strong feelings about the importance and value of privacy, over the past twenty or so years, Americans seem to have given up on their privacy. There’s an overwhelming sense of resignation to the idea that it is impossible to avoid being tracked by companies or the government.
For decades we’ve enjoyed the benefits and convenience of the internet. Have we been blissfully ignoring and even justifying the decline of privacy? Has the juice of almost unlimited, lightning-fast access to information, goods and services been worth the squeeze of giving up a bit of our privacy? Before answering, we need to define a “bit”.
Eighty-three percent of Americans report receiving ads they believe are targeted specifically to them based on personal data that they had not knowingly shared (Pew Nov 2019). According to the Federal Trade Commission (FTC), 33% of Americans have been victims of some type of cyber-enabled identity theft. Statistica reports that in the first half of 2022, over 53 million Americans were affected by data compromises, including data breaches, data leakages and data exposure. It is clear that the personal and sensitive information being exploited without our consent is at a significant level and growing. A “bit” seems to be a lot; and folks are starting to have serious concerns.
Most Americans are not monitoring these types of statistics, and yet it appears we are starting to pay more attention to these privacy-related issues in the digital world. It feels like we are reaching some sort of tipping point. Why? Why now? And how will these changes in perception and expectation affect American companies?
Part of the explanation appears to be connected to COVID-19. As the pandemic necessitated much of the workforce and almost all K-12 students to work and learn virtually, Americans began to spend more time on their digital devices, initially without many of the cyber protections that the office and school provided. At the same time, there was a significant increase in malicious malware attacks and email scams as fraudsters took advantage of people’s pandemic-related fears, hopes and the general confusion from a sudden shift to working from home. Kids also increased their participation in social media to stay connected with friends (Statistica). With everyone stuck at home and spending more time online, the negative effects of most web sites and social media apps having little-to-no privacy controls became more apparent; and people, especially parents, were suddenly in a better position to observe this reality and its consequences.
Another reason people are paying more attention is that the breaches referenced above have become more frequent and are receiving increased media coverage. This also feeds the apathy, as the occurrence of breaches has become so frequent that it feels like a certainty, and many of us act resigned to this as a fact of modern life. Still, Americans are personally feeling the pain of such breeches, often years after identity or financial data is “collected” or stolen, when cyber criminals purchase this information off of dark web sites and use it to perpetrate fraud. We are caring more about poor data privacy and a lack of cybersecurity because it is resulting in financial loss, reputational harm and ruined credit.
In addition to the growing media coverage of breaches, people are seeing the class action lawsuits and other legal action being taken against large corporations to include hospitals and other healthcare organizations. Perhaps second only to personal financial data, folks are very sensitive to the idea that their health-related information is accessible to aggressive advertisers or to the highest bidder. Americans are also realizing that forceful and annoying marketing campaigns may only be the tip of the iceberg of how questionably collected or stolen personal data can do harm. There are many downstream consequences to peoples’ diagnoses, prognoses, prescriptions and other medical information being made available to data brokers and social media companies, and possibly altered. These consequences include targeted marketing, but can also result in faulty treatments, a breakdown in trust between patients and doctors, embarrassment, reputational harm, as well as potential identity theft and cyber-enabled financial crimes. While it is true that in many instances companies are unaware of the web of third-, fourth-, and Nth-party apps that lurk on their websites, most people assume they know or should know, and that they should be doing something about it.
Based on pressure from these lawsuits and regulations imposed by the Europe’s General Data Protection Regulation (GDPR) and state level U.S. laws such as the California Consumer Privacy Act (CCPA), Americans are starting to see more and more websites providing a choice in regards to the Cookies they are willing to allow to track their online activity. Early indicators are that Americans appreciate having a choice and the next logical step is that they will soon expect to have a choice in data privacy. That expectation could quickly become insistence. While Cookies (session or third party) are only a small segment of unscrupulous data collection techniques, most folks don’t understand or care about the difference between Cookies and pixels, fingerprinters, session recorders, and all the other entities that are tracking and sucking up their sensitive information for questionable purposes for which they have not given consent. They just want their information and online activity to remain secure and private.
So, the shortfalls and consequences of poor data privacy are becoming better understood by more Americans, as well as the necessity for meaningful change. The question is, what should that change look like? Certainly, part of the solution must be legislative in nature, both at the state and federal levels. While some states have passed good laws in this area, there are still more gaps than coverage. Members of Congress have introduced the bipartisan American Data Privacy and Protection Act towards the goal of creating a national standard for what data companies can collect and how they can use it, but it has gotten bogged down and seems unlikely to pass any time soon. There has been talk of significant executive action in this space but it does not appear to be imminent, and most experts believe meaningful change can only come with legislation. So, if Uncle Sam isn’t coming to the rescue any time soon, what can be done to address the problem?
Assuming that ditching all digital devices and moving to an off-the-grid commune is a non-starter for most of us, the answer is nuanced. There is little a person can do to entirely eliminate data privacy risk and other cyber threats, but much that can be done to mitigate them. This includes demonstrating good cyber hygiene protocols (e.g., using strong passwords and two-factor authentication, ensuring secure networks, accessing only secure sites, etc.); only providing consent for cookies that provide necessary functionality; awareness of the latest frauds, hacks and scams; deployment of good firewalls and anti-malware software; regularly backing up data; and reviewing online financial accounts and credit reports for suspicious activity.
However, while every American is encouraged to follow these guidelines, this alone will not address the collection of our data taking place on the hundreds of thousands of “legitimate” and “respectable” public-facing websites that we access through web-browsers and depend on every day. In many cases, the companies themselves are not aware of all the trackers, pixels and other data-grabbing apps that are on their own websites.
Until a comprehensive fix is mandated (legislated), part of the solution must be companies deliberately prioritizing the privacy of their customers. The technology and tools exist for companies to inexpensively upgrade their websites to ensure third party entities are not scooping up people’s private and sensitive information. Tools like Lokker’s Privacy Edge can be deployed to monitor and block threats on companies’ webpages and the browsers on which they are viewed. The companies that choose to deploy this type of protection will demonstrate true respect for their customers, earning the trust and loyalty that will naturally follow. While folks already want this type of protection, they will soon be demanding it. The winds of change are blowing hard. Those companies that take the lead in protecting their customers’ data by creating more secure business and commerce platforms will avoid costly lawsuits and fines associated with newly enacted and pending state level data privacy regulations. Their reputations will be enhanced and customer bases will grow.