Is Information about Me, Mine?

You get an email from a company but don’t remember signing up. You read about a new data breach that probably affected you, but aren’t sure what to do. Sound familiar?

We are living in the digital age, and data are all around us. Information powers the technology that we increasingly rely on. It also puts us at risk for anything from embarrassment, to discrimination, to identity theft.

We hear the growing, but still open question: Is there any space left where we are alone? Without someone, or something, watching, recording, analyzing, and nudging?

It’s easy to shrug off concerns with so many other things going on in our lives. We’re inundated with privacy notices and “accept” buttons, with no clear implications of what happens if we do, or don’t, agree. It feels like our information is already out there anyway. What can we actually do about it?

We feel it, too.

Today, vast amounts of data are collected, moved, and analyzed in a complex system of technology and business relationships. But this complexity is partially because the system of data generation and movement was not built for people to navigate. It was built for information to flow through and around us, giving us new tools and creating the current technology industry.

All of this brings up the question: What role should individuals have in deciding what data are collected and used?

Partnering with FinRegLab, a nonprofit innovation center that tests new technologies and data, we invited experts to discuss the role of consumers in the data ecosystem.

More than 130 consumer advocates and representatives from regulatory bodies, technology companies, banks, and academia joined our November Data Symposium. The goal of the event was to explore inherent tradeoffs of harnessing the benefits of data while mitigating risk. We also wanted to start creating a shared understanding of what it means for consumers to “own,” “control,” and “access” information about them.

While there were no easy answers, there were fascinating insights that can impact this discussion in the United States.

• Data protection, or privacy, is different from data rights. Protection is the security and conduct many individuals, and regulators, expect from companies. That is, businesses have safeguards in place to protect data and keep bad things from happening. Data rights are additional legal structures directed towards us. They enable individuals to take an active role such as asking to move data to a new company, or for it to be deleted. Currently, individuals in the U.S. don’t have comprehensive data protection or data rights.
• The idea of individuals “owning” data raises a lot of challenging questions. Which parts of information are owned by whom? When? Why? Concerns were raised that “owning” data would have widespread, uneven impacts, and a system of allocating “ownership” over intangible, information would be exceptionally complicated to enforce. Regardless of ownership, consumers should be protected and have rights.
• It may be time to reconsider how individuals give consent to digital tools. Information about how data are being collected and used is not clear or accessible today in company terms and conditions or privacy policies. We are expected to decide whether we are willing to accept the risks of company data practices, but we have no way of understanding potential consequences. It should not be an individual’s responsibility to read every line of terms and conditions and privacy policies to make sure they stay safe.

The Federal Reserve Bank of San Francisco and FinRegLab will release a joint report in February 2020 further analyzing the content and conversation from The Role of Consumers in the Data Ecosystem. Stay tuned.

Kaitlin Asrow is a fintech policy advisor at the San Francisco Fed.