Consumers in California are quickly getting familiar with this phrase: do not sell my personal information. It is one of the more noticeable effects of the CCPA: the right of consumers to opt out of companies monetising their data. Companies that sell personal data are obliged to put a ‘Do Not Sell My Personal Information’ link on their website.
The right to opt out is not part of the GDPR; instead, the GDPR requires organisations to have a legal ground (a lawful basis under Article 6) for every processing activity. One of those grounds is consent, which is strictly opt-in, and it is generally recognised as the only legitimate ground for selling personal data. Monetising personal data has therefore become a lot more difficult under the GDPR.
An organisation that found that out the hard way is the Dutch Tennis Association (KNLTB), which incurred a hefty fine of € 525,000 ($ 595,000) from the Dutch Data Protection Authority (AP) last week. The Tennis Association had sold names, phone numbers, email addresses and dates of birth of its 300,000 members to sponsors, who used this data to approach members with tennis-related marketing. The trouble is that the KNLTB did not obtain consent from its members, relying on another legal ground instead: legitimate interest. When relying on this particular ground, you have to balance the interests of your organisation against the privacy impact on the data subject. The KNLTB argues that it relies on this source of income for its activities and that the money benefits the same members whose data it sells. The Authority states that generating income cannot be considered a legitimate interest on its own.
As the KNLTB is likely to continue this argument in court, it remains to be seen how this will play out. I can think of many businesses that rely on personal data as a source of income, for whom the violation of privacy is even part of their business model. Could a company like Clearview rely on legitimate interest as a ground for using our photos in its facial recognition app, since this is a vital part of its income? Surely not. That would go against everything the GDPR is hoped to achieve. What about a non-profit like the KNLTB, though? Should it be able to monetise the data of its members, or should the individual members have a say in this? The CCPA applies only to ‘businesses’ and so makes this distinction explicitly; the GDPR does not.
Though the two legal frameworks work in different ways, at the heart of this matter runs the same question: who can profit from data that is essentially our own? And can we opt in, opt out, or have someone else decide for us?