Over the last year or so, I've been working on understanding the General Data Protection Regulation (GDPR) that is the data privacy law in Europe. This has been law for a couple years, but enforcement just started in May of 2018. Along the way, I spent time looking at other countries and the various types of data protection laws they've enacted or are preparing. The US was included in this research, though in a woeful, sad way.
The US hasn't had much in the way of data protection, at least not at the national level. Since the US is a large market, many of us wondered if their reluctance would influence the rest of the world to care less about data protections or even weaken the GDPR by attracting more business away from Europe. That would be disappointing, as I think the state of data security, protections for humans, and privacy rights are extremely poor in the US.
At the state level, New York introduced the SHIELD Act, though it hasn't been passed. Most other US states aren't working on anything, but California has actually passed a law, similar to the GDPR. I'm happy to see this, and my hope is that this pressures Congress to pass something that will apply to all 50 states. However, even if they don't, perhaps California will influence the rest of us. I suspect many companies will want to do business in the state, but not want separate rules for one state v others, so they'll just adopt CA standards.
The bill was a little rushed, in part to head off a ballot initiative. Whether this is good or bad remains to be seen, but plenty of the large technology companies don't like it. Google and Facebook for sure, but I'm sure many tech companies that make profits from collecting, analyzing, using, and selling data are going to be upset. This could cause issues with their business models, and my guess is they'll fight any fines and appeal court rulings for years.
Personally I understand there is business value in data, and there are plenty of good uses of data. What I don't like, or appreciate, is companies looking for new ways to gather data on me without limits, and certainly without my consent or understanding. We don't really know how valuable and potentially dangerous data is about each of us, and we ought to have some rights and control over it's use, storage, and retention.
Whether this will change our work as data professionals remains to be seen. My guess is we might finally get to treat data as not only an asset of the company, but as an asset of individuals that we need to safeguard and protect.