Internet privacy rules have just been overturned in the U.S. by Congress and the Administration, and at the same time, struggles over banking privacy are taking place. There are striking similarities as well as crucial differences. As a consumer protection advocate, I am struck by how the narrative about these kinds of conflicts primarily centers on where competitive advantage lies, and which company or industry is made the winner or loser, rather than about the rights of consumers.
The internet case pits telecoms and cable companies, like AT&T, Verizon and Comcast, against internet companies, like Google and Facebook. The Obama-era rules that were just overturned required broadband providers to ask customer permission before tracking, sharing and/or selling their data. These companies complain that the rules disadvantage them relative to internet-based companies, which can collect data without such rules.
The banking case, as reported in The New York Times, pits major banks against fintechs and data aggregators. The question is whether banks will transfer consumer data – at the consumer’s request – to companies that provide personal financial management tools, like Mint, Betterment, and Digit (or to data aggregators that facilitate the transfer – like Plaid and Yodlee). Without this data the financial management apps cannot build the complete portrait of a person’s financial life they need to provide analysis and advice. But banks are reluctant, even after specific consumer requests. You might think this reluctance is to protect their customers or because of data privacy rules for banking, but actually, according to The Times, it’s because the customer data reveals details about banks’ own business models – like pricing and products. The banks fear, probably correctly, that the personal financial management companies will use the information to undercut bank products with their own offerings.
These two examples reveal the importance of data in business today and the urgency of getting data privacy right. But what hits me between the eyes is that both cases play out primarily over competitive advantage between an older generation of companies and newer companies rather than as consumer rights issues. Companies fight it out and appeal to government regulators to side with them. In both cases, traditional companies argue that newer generation companies gain a competitive advantage by having freer rein with consumer data. The regulatory considerations appear to be focused on leveling the playing field between competing commercial interests. Consumers sit by like civilians in a war zone hoping peace arrives before they become collateral damage.
In both examples, an astonishing range of data types are involved: personal identification data, including passwords and account numbers; financial account balances and transactions; internet browsing history; phone and text meta-data; location history; social media profile, posts and contacts. In defining policy, each of these types of data could and should be treated differently, depending on how private it is deemed it to be and whether in the wrong hands it could harm consumers. Traditionally, financial information held in banks has been especially protected, and this makes sense as the potential for harm from internet data is not as great, or at least not as obvious. Data involved in financial account security would be heavily protected, as misuse could facilitate theft, an obviously serious harm. The same level of protection would not be afforded to social media information which is inherently public, to some degree. Discussions about privacy protection for internet users often appear to assume that the harm in question is simply the advertisements and sales pitches they enable. Unwelcome, and annoying, but generally not actually harmful. That’s why some regulations distinguish between ‘personal information’ and ‘sensitive personal data and information’. The latter must be guarded more closely, but where is the line between the two? And how should a lender like Kabbage be treated? Its CEO recently boasted that the company hoards every scrap of information about its customers, because those scraps could turn out to be valuable for marketing or credit underwriting.
Can law or regulation help by clarifying consumer ‘ownership’? The Times points out that the Dodd-Frank requirements give consumers the right to access their data, but leave many questions unanswered. By contrast, the European Union’s General Data Protection Regulation (GDPR) defines ownership rights more fully, as including the right to access, the right to be forgotten and data portability (the consumer’s ability to request that data be provided to a third party, exactly what’s at issue with Mint and Betterment). A complicating factor is that in the U.S. – as possibly in many other countries – there are conflicting jurisdictions. In the internet case, the Federal Communications Commission regulates broadband providers, while it’s the Federal Trade Commission that has responsibility for consumer protection. The banking side is also complicated. Given the Trump Administration’s approach – directing regulators broadly to lighten up on business but not specifying how – the U.S. may be living with confusion for some time.
Should data that has been stripped of personal identification still be subject to restrictions? Data aggregators make money from selling huge swaths of anonymized data for those who want to analyze it to discern consumer trends. If identifying information is not included, would consumers care whether their data is analyzed by hedge fund managers or marketing gurus? It’s a little like the story of Henrietta Lacks, whose cancer cells were cultured, multiplied and used by medical researchers around the world. Her family argued that they should receive some compensation, given the millions of dollars made from medicines developed with her cells. The analogous argument for customer data is a stretch, in my view, but what if a savvy data cruncher could combine anonymized data with other data to identify individuals? Is that just the stuff of conspiracy theory, or is it a significant risk?
Incidentally-collected third-party information creates knotty problems. The U.S. news this month has asked whether the Obama Administration surveilled Trump campaign officials’ contact with Russian officials intentionally or merely collected information incidentally while observing other targets. Banks claim that fintech companies will, as a by-product, obtain the details of their banking models from the data customers provide. There are undoubtedly many other examples: any data on one person that involves interaction with another party also conveys information about the second party.
Agreements between companies can reduce or solve such problems, through, for example, limitations on data handling, use or pricing. The consumer voice in such agreements may be hard to hear, however.
Data privacy policy calls out for thoughtful analysis with a consumer interest lens, but too often the voices on behalf of consumers are shrill. For a cool-headed and well-organized look at data privacy in India and beyond, I recommend this IFMR blog post.
Have you read?
Addressing Customer Needs? Off to the Data Mines
Financial Inclusion Data: Taking Stock