Data privacy and protection is still the wild west

It’s easy to talk a good game about giving consumers control over their data and being committed to transparency beyond just compliance. But reality doesn’t always line up with the talk. According to new analysis from Consumer Reports, a US-based nonprofit consumer organization, companies may brand themselves as privacy champions, but in practice they do little to give consumers control over personal data and may well be circumventing data protection and privacy laws.

The wild west of data protection and privacy enforcement: Ignoring opt-outs

Consumer Reports, in cooperation with Wesleyan University, conducted research into how companies comply with opt-out requests sent by universal opt-out mechanisms. These opt-outs give consumers the ability to restrict targeting measures that supercharge the amount of information companies can gather and use in retargeting. The research, at least on its surface, revealed that companies appear to be ignoring opt-outs. While there are limitations to the findings, the results do unveil considerable gaps in data privacy protections and a mismatch between what companies claim and what they actually do.

The Consumer Reports study looked at 40 different online retailers and found that approximately 30% of them appeared to be ignoring opt-out requests made under specific state privacy laws and were serving retargeted ads on other websites despite those requests. The broader implication is that consumers’ personal data continues to be misused (in this case, shared and/or sold) without the consumer’s consent or knowledge even after they have actively opted out.

Similar findings emerged from a recent study from the Electronic Communications Office of Iceland, which revealed that cookie consent banners on most of the websites they surveilled were little more than cosmetic in nature.  

And these are just two examples of what is undoubtedly a more complex and widespread problem.

Land of confusion: What am I agreeing to?

At the core of most data protection regulations is the tenet of informed consent: ensuring that consumers understand exactly what they are agreeing to when they share their data. Unfortunately, businesses frequently do not do enough to explain things like cookies and what consumers are opting into. While all indications point to consumers caring more about privacy than ever, there remains a layer of consumer indifference, likely born of not understanding the deeper implications of data sharing, that creates a disconnect. And this disconnect isn’t visible until an event like the recent bankruptcy of the genetic-testing company 23andMe occurs. Then consumers rightly start wondering what becomes of their sensitive data if the company is dissolved, and what kinds of protection they and their data are entitled to.

In most cases, the personal data collected and stored by 23andMe will be subject to the same data protection laws, such as GDPR, as any other personal data. There are more complex questions surrounding what could happen in the US, because there is no single legal approach to data privacy and the protections that do exist vary state by state. Federal legislative protection in the form of the Health Insurance Portability and Accountability Act (HIPAA) isn’t applicable because 23andMe is not classified as a healthcare organization.

General advice being given to consumers is to delete their 23andMe accounts and also be sure to withdraw their consent and request the deletion of both their individual-level and de-identified data.

Corralling data protection: Where to go from here?

The 23andMe situation, coupled with the aforementioned cases of companies ignoring consumer requests and overarching regulations, paints a picture of a wild west of data protection and management, in which individuals stand to suffer harm at the hands of haphazard privacy and data management.

First and foremost, most legal scholars and even businesses agree that a harmonized approach to data protection and consumer privacy is needed in the US. Other countries and regions have adopted frameworks that, with some growing pains, have been very effective at regulating privacy. And, beyond putting regulatory frameworks in place, regulations need to have teeth. That is, laws are meaningless without a means for enforcement.

Secondly, all businesses have the power to adopt best practices for data collection and use, privacy handling and cookie and consent management. Regardless of whether a legal framework is in place in your business’s jurisdiction, if you do business in locations with robust, defined data protection and consent management requirements, you can align with these to ensure compliance on a more global scale and have readiness when and if specific local regulations come to your jurisdiction. 
