Privacy Supply Chain

The Emerging Privacy Supply Chain

May 5, 2022

7 minutes

What The Rapidly Changing Privacy Landscape Really Means for B2B and Consumer Data

Business-to-business transactions are the fastest-growing segment of the U.S. economy according to a 2020 report published by the Federal Bureau of Economic Analysis. Roughly half of all U.S. Gross Domestic Product is now comprised of businesses selling goods and services to other businesses. 

All of this B2B economic activity, which powers so much of what we experience as consumers, is only made possible through the exchange of data between businesses. But while this critical data ecosystem is growing, so too are the regulatory requirements for consumer privacy.

Targeted solutions exist, but while many specific companies help to meet specific regulatory requirements like better data minimization, de-identification, or consumer request processing, for example, no single vendor or platform can ensure privacy across the data economy. That will take the cooperative efforts of thousands of businesses across an inevitable patchwork of laws and regulations. Doing that requires doing what we do in most other parts of our business, identifying first principles. In this case, the first principles of the emerging global Privacy Supply Chain of which consumers, businesses, and governments are all a part.

 As one example, in the United States, a privacy debate is emerging as states are constructing their own regulatory frameworks in the absence of federal law. While the desire for a single set of rules is understandable, no previous industry has been able to avoid this balkanized regulatory landscape and data will be no different. There will be, and already are, a patchwork of both federal and state laws before there is an overarching national policy. While a single US federal privacy regime may ride partially to our rescue, complexity will persist even then, with different things required of different actors in different locations.  

Take the finance industry for example. The existence of the federal Fair Credit Reporting Act (FCRA) has not prevented all 50 states from passing their consumer finance laws in addition to the FCRA. Each state has an independent regulator to enforce its finance laws - in addition to the Federal Trade Commission. California has just established a similar body to govern privacy and other states will soon follow suit. This will be the norm in privacy even as an overarching federal law supersedes some state laws. 

Also, most data companies are global, or at the very least operating in more than one country. This means that the wider landscape will include not only 50 state laws, and multiple national laws, but also multiple overlapping laws for non-US nations like the European Union’s GDPR, UK GDPR, and  Japan’s APPI. 

With all these intersecting and overlapping privacy regulations, the data must still flow for our economy to function. Our digital economy and the trillions of dollars in B2B commerce (estimated to reach $18.57 Trillion by 2026) literally depend on it every year. Business models will shift, practices will change, but privacy regulation will only guide data commerce, not stop it. This is, of course, the positive purpose of the regulations.

Against this backdrop, a singular reality is unfolding. One that encompasses all data controllers, processors, suppliers, regulators, and consumers. An inevitable and indisputable Privacy Supply Chain that wraps around the planet everywhere the data go. This Privacy Supply Chain is characterized by four principles we all share.

The Four Principles of the Privacy Supply Chain

1. Ultimate Consumer Ownership. While some may not remember, it was only six years ago that the ultimate ownership of consumer data was an open question. Did individual people really have the right to tell companies or governments what those organizations could do with their data? That question has now been settled (the answer is yes) in the USA, Europe, and many other nations as well.

2. Data Controller Interdependence -  Many of the new laws (e.g. CPRA) specify that companies who hold data on consumers and receive consumer requests (opt-out, delete, correction, etc.) are required to pass those expressed wishes on to their partners. Simply waiting for a customer to ask for that consumer’s data again and get “refreshed” data no longer cuts it. We are now specifically required to proactively provide those consumer expressions across our global data supply chain, thus further turning it into a Privacy Supply Chain.

3. Purpose Driven Processing - This is the “Business Models Matter” principle. The Wild West days of gathering data and figuring out what to do with it all after you have it are over (and should be). Any responsible, ethical, well-run company knows what problems it is solving, and what data it needs to solve those problems. For the Privacy Supply Chain, this means that not only does the company obtaining and processing data have an obligation to only gather and process the minimal data needed to achieve their purpose, the organization supplying data to other businesses shares responsibility for knowing the processing purpose to help protect consumers.  

4. All People Are Equal, All Data Are Not -  The emerging Privacy Supply Chain helps to manifest respect for consumers in three ways. First, Data Controller Interdependence allows companies to rapidly share consumer wishes on how they want to be treated in regards to advertising, whether they opt-in for sensitive data use or not, etc. Second, most privacy regimes make clear and beneficial distinctions between public-on-purpose contact data like a business email or public LinkedIn URL, and highly sensitive PII such as race, sexual orientation, or religion. Third, organizations must not differentially treat consumers based on their preferences or sensitive data. From these three, this principle recognizes that people are equal, but different data need to be treated differently in the Privacy Supply Chain.

Taken together, these four principles create a foundation for a Privacy Supply Chain that can bend and evolve with legislative changes, accommodate emerging business models and consistently reaffirm consumers' evolving wishes. Most importantly, it lays a foundation so that companies, especially B2B companies, can keep the trillions of dollars in economic activity moving while responding to changing privacy needs.

You can get started with our data today for free with our free API key or speak to one of our consultants to learn more!

Like what you read? Scroll down and subscribe to our newsletter to receive monthly updates with our latest content.

Call to Action
Steve Lappenbusch
Steve Lappenbusch

Dr. Steven Lappenbusch is the Head of Privacy at People Data Labs, leading the ongoing development and implementation of our privacy policy. Prior to joining People Data Labs he held senior roles at several Fortune 500 companies where he used identity analysis to create solutions that prevented millions in tax fraud, debt evasion, Medicaid fraud, and welfare fraud. Dr. Lappenbusch holds a Ph.D. in Human-Centered Design & Engineering from the University of Washington, College of Engineering. He has also been involved in user research at IBM and Microsoft and conducted independent research funded by the National Science Foundation.