Consumer data and privacy is one of the most important issues facing us today. In an era where our data and personal details are held by numerous apps and social media sites, regulators around the world have come to realise the importance of putting in place tougher restrictions around how our data is handled. However, recent events, such as WhatsApp’s infamous privacy changes and the misuse of user data by apps, further highlight that the laws in place still fall short.
The controversy and mass exodus of users abandoning WhatsApp after the company’s unpopular decision to update its Terms of Service reveal the limited control users have over their data. The new terms would allow the messaging app to share the data of its users with its parent company, Facebook. Under the new terms, WhatsApp would be able to share payment and transaction data, allowing sites to accurately target users with ads and boost ecommerce, and also allowing online vendors to contact customers, store their chats on Facebook’s servers and share this data with the company. Users must agree to these new terms, or delete their account and lose access to WhatsApp. Due to the controversy over this change, which saw users turn to rivals such as Signal and Telegram as safer alternatives, WhatsApp has delayed these changes to 15th May, in a bid to target misinformation and confusion over what its new privacy terms entail. The app has been quick to spell out that conversations over WhatsApp remain safe and the new privacy features only relate to business features. However, given Facebook’s actions over the last few years, such as its role in the Cambridge Analytica scandal, users are right to be concerned about what their data will be used for. Furthermore, those who have been using the app for years have been given little choice in the matter and limited information about the true effects of this policy change. Additionally, targeted advertising is not always demanded by users and it can result in harmful consequences. An individual’s thoughts and opinions can be swayed when they are fed selective information, as seen in the Netflix documentary ‘The Social Dilemma.’ In order to target ads to users, companies require an extensive amount of data on individuals to build up a user profile and strategically place ads in front of a user.
Apart from apps changing their privacy policies in a way that leaves users’ hands tied into either begrudgingly accepting new terms or deleting an app, there are also many instances where apps have shared user data with third parties. Some examples include Flo, an app which collects the data of women to track their period and fertility, and the popular fitness and diet tracking app, MyFitnessPal. Flo leaked this data to outside parties, which include Facebook and Google’s analytics divisions, in contravention of its privacy policy, which promised that information would remain confidential and not be shared with third parties without consent, according to the Federal Trade Commission (FTC). In 2018, Under Armour, which owns MyFitnessPal, reported that usernames, email addresses and hashed passwords had been compromised. The data of 150 million user accounts had been accessed by a third party. MyFitnessPal worked quickly with security organisations to investigate this issue, and informed and assisted users who had been affected. Flo, on the other hand, was ordered to obtain an independent review of its privacy policy and obtain user consent before sharing sensitive information. It has also been ordered to notify affected users about the disclosure of their personal information and instruct third parties that hold this information to destroy it. However, these measures seem to be too little too late, as the damage has been done and the consequences seem minimal compared to the fact that personal details about women’s health and bodies have been shared without their consent. Flo dismissed any wrongdoing and does not face financial consequences.
In 2018, the General Data Protection Regulations (GDPR) Act was passed in the EU, which introduced changes to laws surrounding consumer data. These extended previous laws around data protection and introduced more significant fines for companies that breached the law. These are fines of up to 10m euros or 10% of a company’s annual turnover (Article 83(4)) or fines of up to 20m euros or 4% of the company’s annual turnover (Article 83(5)). Although these rules have been put into effect to protect consumers, there is a valid argument that the GDPR places a higher burden on startups and SMEs, whilst not going far enough to hold larger businesses to account for misuse of consumer data and privacy. Most startups operate with lean margins and cannot afford a breach which will result in such onerous fines, which can effectively cripple a business. However, the GDPR only applies to startups if they process large amounts of data, which is unusual for such businesses. In the event that they do, this regulation can actually be advantageous to small businesses. Where startups do need to store large amounts of data, they are able to shift gears faster than large organisations and in many cases are in the early stages of development. Thus they can make changes quickly and efficiently in order to be GDPR compliant, which can also give smaller businesses a head start over their more established counterparts.
Given recent developments around WhatsApp and privacy concerns raised by users and watchdogs over the last few years, it is clear that, although regulation and enforcement have moved ahead, there is still a lot to be done to fully protect users and ensure that apps are not misusing data. Additionally, greater protections are required for small businesses, which do not have the resources to pay fines incurred and gain legal protection.