As revelations about Cambridge Analytica’s use of Facebook to potentially impact elections came out earlier this year, cries to #deleteFacebook swept social media. However, if you look at the rates at which people searched for “delete Facebook” (using Google Trends), it took less than two weeks after the peak of outrage for people’s interest to halve, and less than one month for the interest to return to the baseline. It is this short attention span and general indifference that causes us to overlook the ways we can take control of our data privacy.
The Global Data Protection Regulation (GDPR) is an important part of the story. The GDPR is a new regulation from the European Union (EU) that aims to give some control over data back into the hands of users. One of the biggest provisions is a requirement for users to have the ability to view, export, and delete most of the data a company has about them. Because this is an EU law, this doesn’t apply to everyone. However, numerous companies have chosen to provide some or even all of the GDPR protections to all users rather than fragmenting their systems.
However, I doubt that most people are aware of this change, or that many people now feel that they better understand how companies use their data than they did before the GDPR went into effect. I also tried to find numbers about how many people have started taking advantage of these controls, but that information has not been easy to find. (Leave me a comment if you do find any of that information). The ability to use these is well documented, with varying levels of usefulness. For example, Facebook’s view information option is very accessible and helps you understand what data they have. It’s also available to all users – not just those covered by the GDPR. But several of these controls also lack any real value to users – for example, to delete the information Facebook has on you, the website recommends that you delete your entire account.
Regulations like the GDPR are intended to give some control back into the hands of users, but unless users actually care enough to use the tools provided by regulation, the provisions become meaningless. These tools give us the means to actually learn more about what is happening with our data, and demand more control. They provide an opening for us to say that some of the data we see stored by the company should not be for sale, or that we want to periodically delete stored data, or that we want to be able to track who our data was shared with and not just what data was stored.
We keep looking to companies collecting data to have an altruistic streak and suddenly safeguard our data the way we’d like to, or to regulators to create the perfect bill that guarantees our data will be handled with care and discretion. But companies need to know that we want that change, genuinely want it and not just for the one month fad of #deleteFacebook. It will take sustained interest for companies to prioritize that against the other features we are always demanding. And regulators can only close so many loopholes before they also rely on us to drive the business models we want to see.
Facebook is actually an interesting case – though the delete Facebook trend died, they have faced continued pressure and criticism around their data handling privacy more broadly, even being asked to testify in front of lawmakers globally. As this has continued, their controls and transparency around data handling has dramatically improved. Visit Facebook’s “Your Information”, to see what Facebook has inferred about you, and try exploring some of the options. For example, you can actually delete the majority of categories associated with your account that get used for ad targeting (without deleting your account). While we typically use Facebook as the example of a company with large amounts of personal data, Google has similar information. You can check that out on the Google Ad Setting page. These two are definitely not the only ones.
Now imagine if a majority of users went to these pages to remove labels and data. Revenue models for ad-based companies would have to change, allowing the model to shift away from having user data as the currency, or at least changing what data can be shared and the level user consent. Privacy-centered models would likely be taken more seriously as a way to bring users to opt into some data sharing. Then the control of data would truly have shifted more towards the hands of users. Through the changes of the past year we already have what we need to start bringing this conversation forward. It’s time to start using these tools, but also look at privacy and data beyond the social media – to advertisers, credit companies (think Equifax), public sector, etc. – and start driving conversations there too.
If we want data to be treated differently and change the way data is handled, we need to make that known and join the conversation. We need to use the tools we are given to show companies that we care and that we require better care of our information. By doing so, we can change the entire conversation around data sharing and come to the table as owners of our own data.
TechLawLogy: The Art and Science of Technology Policy 