Your data is valuable; two senators want residents of the United States to understand how much.
On June 24th, U.S. Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced a bill for “Designing Accounting Safeguards To Help Broaden Oversight and Regulations On Data”. Dubbed the Dashboard Act, the new legislation could put a premium on transparency from online services that generate profit from visitor data. The act opens up the floor to require organizations to publicly disclose the value of user data, and how it’s making profits.
Why a new bill? What is the Dashboard Act?
In the current economy, almost everyone is online. According to Pew Research, 81 percent of Americans own smartphones, allowing us to interact with online services wherever we go. Yet while most users accept some data harvesting happens in the background, few are aware of how much revenue their free participation brings into big tech. Digital specialist Tony Hymes estimates that for Facebook, the average revenue per user (ARPU) for North Americans is around nine dollars per month. That’s a lot of value for a company with over 220 million users in the United States alone.
As scandals like Cambridge Analytics point out, we’re not always aware of what happens when we hand over our data. Even when the company isn’t breached, privacy advocates argue the data can be subject to misuse. Dashboard attempts to change that by forcing companies to disclose what’s really going on. As Mariel Soto Reyes writes in Business Insider, the bill “could hold tech companies to a higher standard of responsibility when it comes to how they handle data.”
Pending approval and amendments, here’s what the bill brings to the table:
Who must follow the Dashboard Act? Commercial data operators and users
Uncertain if the Dashboard Act applies to you or your organization? Under the Act, there are two critical definitions: organizations that act as “commercial data operator(s)”, and the “users”, people who share their data online.
A commercial data operator (CDO) under Dashboard is an entity that acts as an online service provider or data broker. Notably, the Act applies if the CDO generates revenue from the “use, collection, processing, sale or sharing of user data” and typically has more than “100,000,000 unique monthly visitors” from the United States. This is no small statistic: in 2018, according to a press release by CNN, even top news sites rarely get beyond 90,000,000 unique monthly visitors. In short, for most online service providers and media agencies Dashboard won’t have much of an effect. In its current iteration, the bill is aimed squarely at the big players.
Under the act, a “user” is an individual who uses an online service for commercial use.
Information is “user data” if it:
- identifies,
- relates to,
- describes,
- is capable of being associated with, or could reasonably be linked with the user.
User data can be actively submitted by users, or derived from user activities. This points to data both acquired through direct input, and insights based on our online activities. If Google search activity can be used to describe or identify an otherwise nameless person, it’s user data.
Requirements of commercial data operators
If your organization does qualify as a CDO, Dashboard will mean significant investments. For starters, get a team of economists, actuaries and data scientists handy. Dashboard requires CDOs to routinely provide users with an assessment of their data’s economic value. You’ll need to inform users of this value at least once every 90 days. Inclusive will be information on what data the CDO collects, how it is obtained, and for what purpose. Notably, Dashboard insists users be aware if their data’s use “is not directly or exclusively related to the online service”. This means a company like Amazon must tell its customers if it uses their home addresses for more than shipping. CDOs that fail to do so will be held in violation for unfair and deceptive practices under the law. The Dashboard Act means users and government regulators have the right to know who has their data, and why.
The Dashboard Act also mandates data erasure. Section 3.a.2 includes a clause that requires users to be able to delete all of their data. Information should be removable via individual fields, or in aggregate form. Data deletion must be feasible via a single setting, or a clear mechanism; the easier the process, the better. Exemptions exist, but are limited. Data cannot be erased if the CDO is retaining it under legal obligations, the data is in use by legal claims, or is necessary for assisting in security operations. CDOs may not “retain any more user data than is necessary” for carrying out the activities they have previously specified.
Dashboard and the Exchange Act
Transparency for users isn’t the only objective for Dashboard. The Act intends to amend Section 13 of the Securities Exchange Act of 1934, also known as the Exchange Act, and section 229.306 of title 17, Code of Federal Regulations. Dashboard’s changes include adding the previously highlighted definitions and setting up new rules for disclosures.
Amendments in place, CDOs will need to annually divulge details over their data practices. These reports will include:
- quantitative and qualitative disclosures of the value of user data,
- technical measures protecting user data,
- legal measures protecting user data,
- an assessment of financial and legal risks, and
- sources of user data, including by sale and through relationships.
Dashboard also wants CDOs to be clearer on how much revenue they’re really bringing in. The amendments to the SE include disclosures for “discrete revenue generation that relies on user data,” if the company enters into third party collection contracts of more than $10,000,000 in value, and other financial transactions. If Twitter were to purchase significant shopping data from third-party retailers, the Dashboard act requires informing the Federal Trade Commission (FTC).
Questions worth asking
Thus far the Dashboard Act is in the early stages, and it shows: going over the act, there are a lot of questions. For example, will the Dashboard Act apply to app developers? After all, popular applications profit immensely from user data, however, apps are not measured by unique visitors. What about de-identified data? It’s worth mentioning that the act is completely silent on ‘anonymous’ data, personal information that cannot be linked to an individual. It’s an odd omission, and likely to be challenged: where does de-identified data fall under the law?
By removing common identifiers, such as user ID, name or email when they aggregate data, many organizations use anonymous data aggregation to minimize privacy concerns. Unfortunately, such attempts have been known to backfire: as Kalev Leetaru writes in “The Big Data Era of Mosaicked Deidentification: Can We Anonymize Data Anymore?” getting data truly de-identified is no small order. With enough data, does anonymity still exist? That’s an increasing discussion by experts, such as those at the 2018 “Future of Digital Transformation” by the Strelka Institute.
The definition of CDO is also problematic. The 100,000,000 unique visitor threshold means the bill has an extremely limited scope. For comparison purposes, that’s more than the entire population of California, which sits at just under 40 million according to the United States Census Bureau. Under Dashboard it takes a lot to qualify as a CDO under the law: many who profiteer off of user data will be able to continue without disruption.
Where do we go from here?
As of July 12th, the Dashboard Act is new to the game, and can still expect a lot of changes. For starters, as Simeon Beal writes for One World Identity, the bill has yet to face “the firing squad of legislative debate”. New provisions could be added in, definitions altered, or requirements amended. Still, with the clock ticking on California’s new privacy law, and other states looking to develop their own rules, calls for data transparency won’t go away. A new law for the digital domain may yet be on the horizon.