In a familiar twist, I landed on a web page that featured a message occupying the bottom quarter of my screen, inviting me to accept cookies. If I didn’t oblige, this irritating block that’s now doing my head in would stay there. The other option was even more insensible: manage options. It begs the question: Am I to manage cookie settings individually for every last site I visit? These options, unattractive as they are, perfectly sum up the reality of navigating privacy online.
It wasn’t always like this. I remember the early days of consumer internet. A mobile service featuring 200 megabytes (not gigabytes) of data for the month was top of the range. It really wasn’t that long ago. Those were simple days when having internet at home was still a luxury. We only peeked online when we felt curious. And then we’d return to our normal lives when that itch was satisfied. Tracking existed back then, but it wasn’t a fully-fledged industry.
Things are different now. According to my iPhone, I’ve been online for a daily average of 5 hours and 11 minutes this week. In my defence, the screentime utility combines desktop and iPhone usage. It still dwarfs any amount of time I would have spent online not too long ago. The web has evolved from a place I visit occasionally, to one I inhabit. I don’t recall ever making that choice. It’s just the way things are. My work, network, communication tools, the information I consume, and many more necessities of my daily life all plug into the online ecosystem. I’m sure you can relate. But the digital migration wave is not without its shortcomings.
Some Privacy Please
I recently made an online purchase, a pair of running shoes. It should have ended there. But over the coming days, I would receive targeted ads of the same product on every site I visited. I’ve heard stories of people receiving targeted ads on a topic they conversed about. If this ever happened to me, I missed it. But these realities highlight where we are with the online privacy topic. The fact that we now live much of our lives online accentuates the need for privacy. This deeply personal issue raises several thorny questions: How much personal information is a reasonable trade-off for the online services I receive?; If anything, what can I do to protect myself in the event of a data leak?; Will my information will be removed from a site after I discontinue its service? All these questions are rooted in legitimate fears that stem from real-world events. We find ourselves in this precariously vulnerable position. We practically live online but lack the agency to control our personal information, and we don’t exactly trust corporations to handle it with due care.
There are ongoing efforts to address this issue. Easily the most concerted is the EU’s GDPR.
What is GDPR?
In a bid to arrest the chaos around personal information online, the EU parliament enacted the General Data Protection Regulation (GDPR) which came into effect in 2018. The headline feature of this act has been the steep penalties for non-compliance – up to €20 million or 4% of global turnover, whichever is higher. It’s not all talk, there have been substantial reckonings here. The regulation applies both to EU institutions and non-EU entities that store personal data on EU subjects. That’s to say it’s far-reaching.
The regulation sets out provisions for collecting, storing, using, and disposing of data. It also sets out provisions that enable the user to engage with institutions by affording them certain rights. Such as:
- Right of access to their data
- Right to rectification
- Right to be forgotten
- Right to object to intended use, and more
The goal here is not to turn everyone into crusaders, but articulating these rights and responsibilities helps establish core tenets on personal online data. In essence, institutions and humans can now speak the same language on the subject.
This is by no means a perfect solution. Its provisions are arguably prohibitive for small businesses and better suited to multinationals who, owing to their outsized customer base, pose the greatest risk to personal online data. And so as rules tend to, the GDPR has attracted its fair share of criticism. But it’s the best we have yet.
It does have another deficiency. Like most regulations, it doesn’t incentivise right thinking but deters wrongdoing. For the undeterred organisation, it’s an invitation to seek out and exploit grey areas in the regulation. Here’s an example of a grey area. Cookies are used in conjunction with other non-personal information to uniquely identify online users. The data is aggregated to yield detailed insights for highly targeted ads, but because it’s not tied to a name or email address it’s near impossible for an individual to exercise their rights on this mountain of data.
So there’s a case for a more conceptually robust approach to online privacy. There’s also no shortage of ideas. One is particularly noteworthy.
New Thinking
Pitching to a panel on a popular entrepreneur TV show, Dragons Den (UK), Sam Jones shared a novel business idea for solving the privacy problem.
Premised on the notion that individuals deserve an opportunity to share in the financial benefits from monetising their data, this new web browser gives users clear choices: Privacy mode and Earning mode.
As he spoke to the panel of dragons, their faces showed curious interest and then outright optimism. The validation came at the end when almost all the dragons said yes to the pitch – the dragon that said no praised the idea, acknowledging that it’s not her skill area. To sweeten the deal, one dragon even threw in free office space and accommodation for six to eight staff for a year. The reason why this outcome is truly remarkable is that dragons are there as sceptics primarily. They stress test the model to assess its viability and expose flaws. That’s the show. So it was astounding to see how quickly this pitch turned would-be critics into competing converts.
That’s what happens when a compelling idea takes flight.
In Summary
There’s still tension between the need for online privacy and the commercial interests that erode it. As always, regulation helps identify shared priorities when approaching issues. But it often falls short, sometimes spectacularly so, when applied to the real world. Hence the need for constant revision. But regulation is not the only solution, and the online privacy issue continues to attract audacious and novel solutions that are more in sync with the needs on the ground.