GDPR: Part 1: Do We Really Need More Regulation?

Privacy Taxes

Privacy is a hot topic. Big data breaches — big in number of users impacted *and* in the amount of data compromised — are everywhere you look.

The Cloud, which gave us such wonders as online commerce, instant messaging, and social media, also comes with costs (and not just dollars and cents).

Every time you go online, you choose to share your private data: I ask The Cloud for a service, and The Cloud collects its tax.

Taxes in general are often obvious — in Ireland for example, we pay 23% sales tax. You see it on every receipt:

Soda: $2.00
Sales tax: $0.46
Total: $2.46

You know you’re paying tax. You expect it.

Similarly, when you buy online, you have to provide your name and shipping address. That’s expected, too; that’s a privacy tax:

Action: buy online
Privacy Tax: name, address, browsing history

What about less obvious taxes?

Ireland is getting a sugar tax — 30c per litre (8c per gallon). It’s received a little publicity (not much!). It was a footnote in the government’s 2018 budget. In practice, most people won’t notice.

You can argue its merits — could reduce obesity, can be used to fund the health system, etc.

It’s still a stealth tax. You’re paying more tax and you don’t realise it.

This is how your receipt looks now:

Soda: $2.60 (with Stealth tax: $0.60)
Sales tax: $0.46
Total: $3.06

Your soda went up 60c. No one is telling you it’s a new tax. It may or may not be on the receipt. (It should be.) Still, it’s a little pernicious.

Other examples abound: we pay $6 in tax and import duty on a single bottle of wine; 54% of the cost of fuel we put in our cars goes to the government; €30/year for the privilege of owning a credit card.

The net effect? You’re paying more tax than you think.
And so it is with Privacy Taxes. 

A common privacy tax: you install a food delivery app. You have to sign up to use it. Without your consent, they subscribe you to their email list.

Action: order food through app
Privacy Tax: name, address, browsing history
Stealth Privacy Tax: mailing list subscription

Let’s go a little deeper: you’re browsing Amazon and you view a Valentine’s gift you plan to buy for your other half. You happen to be logged in to a social network in your browser.

A day later, while browsing the social network, you get a re-marketing ad for the item you were viewing.

Action: socialising and shopping online (not necessarily at the same time)
Privacy Tax: the eCommerce site gets your viewing history
Stealth Privacy Tax: the social networks also gets your eCommerce site viewing history

This makes many people uneasy. Where was the consent? It was in that terms & conditions checkbox. Who benefits? The eCommerce site and the social network. Who pays? You.

The Cloud Isn’t So Fluffy

We get lots of rain in Ireland. The upside: it’s a beautiful, green country. The downside: clouds. Every. Single. Day. And the thing about clouds is, there’s rarely just one.

There are many clouds. And there are different types; there are dark, heavy clouds, and light, fluffy ones; and they come in layers. Usually, the only layer you see is the one directly over your head.

When it comes to the Internet, The Cloud is not The Cloud. Like a gloomy winter’s day, there are more clouds than you can see or count.

An online store has a cloud. The social network has a cloud. Your email provider has a cloud. Everyone who provides a service has a cloud.

If the Internet were it cake, it would be a Mille Feuille:

Mille Feuille

Fig 1: layers upon layers. (credit: Wikipedia)

The cloud you see is the web site you’re using. Here are other clouds you’re interacting with:

  1. A database cloud (which holds your data) — an Amazon data centre in California, for example;
  2. The cloud that handles their visitor statistics — the Santa Claus of the Internet — sees you when you’re sleeping, etc. — Google Analytics
  3. The payment provider’s cloud — they take your card details and ask your bank if you can pay

There are lots of clouds you don’t see:

  1. The ad network’s cloud — follows you around the Internet and knows which ads you click on; it probably has a full profile of you based on “browser fingerprinting” (no consent or registration required!).
  2. The social network’s cloud — when you’re not using it, that’s the little cloud on the horizon you can’t even make out — it lives in the “like and share” widget in the corner. It gives the social network your viewing history.
  3. The review site’s cloud (“Revoo”, “Bazaarvoice”, “Google Trusted Stores”) — whether or not you write a review, they know your purchase history (via magical tracking pixels)
  4. YouTube’s cloud — browsing a page with a YouTube video and you’re logged into your Google account? That feeds into your YouTube viewing history — used for recommendations, ads, etc.

Believe it or not, these are only the legitimate clouds.

Some Clouds Have Holes

Putting aside not-so-legit clouds, it’s worth considering that all clouds are not made equal: some are more porous than others. A little prodding from a skilled hacker, and a cloud can easily burst, raining down private data.

It could be big and public cloud burst (a breach) — like the TK MaxxTarget, or Equifax breaches, or it could be completely silent and undetected.

Either way, the breach is the extreme case of your privacy taxes coming due.

To prevent breaches, online providers need to be held to a higher standard. Too often, breaches are completely inconsequential for those responsible.

A fine of a few million for leaking mountains of customer data is little more than a slap on the wrist for a multi-billion dollar company.

Consumers need to be made aware of the privacy taxes they’re paying, and they need to be given the choice not to pay them. Even if that means losing out on a useful service, it begets transparency.  And without transparency, we cannot have trust — an online currency whose value has been depleting rapidly.

That’s what better privacy regulation delivers: restoring trust by empowering users through consent-based privacy taxes; the opportunity to not pay privacy taxes, and even the chance to change your mind, and take back your data.

What’s more, it gives us cloud accountability. Where the cloud takes and fails to protect your data, there are real, substantial consequences.

That’s why we need The EU General Data Protection Regulation (GDPR).

Stay tuned for the rest of our GDPR series, where we talk about what it means for consumers, and why small businesses should stop worrying and learn to love GDPR.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

For spam filtering purposes, please copy the number 9022 to the field below: