GDPR Changes The Data Resale Landscape: What Does This Mean For Users?

Author: Christine Ferrusi

Most companies who have stopped working with European companies have done so because of compliance issues — they either can’t, or don’t want to, bother with the new requirements for capturing, processing and storing customer data. However, there are others like Klout, who have decided to actually shut their businesses down because they can’t operate user-data-marketplaces in the GDPR environment.

Klout made a business of scraping together a reputation score based on someone’s social media presence. The users did opt-in, giving Klout access to each social media platform a user frequented. However, there were many links to third parties, etc. And Klout’s parent company Ltihium decided to close the business rather than try to comply. The company’s tweet stated that GDPR was just a last push in a direction they were already heading in shutting down Klout.

What about other companies that resell your data in one way or another? Facebook, which shares data with partners and others, is facing criticism for “forced consent.” Essentially, the site has an all-or-nothing policy that users must accept or they won’t be allowed to access the site at all. GDPR’s guidance is that customers must be allowed to give consent independently for different aspects — for example, consent separately for a company to use data for its own purposes and then for that company to share data with business partners.

This begs the question of “what now?” Europeans obviously can choose not to use Facebook, but it doesn’t address the bigger question: what happens now that traditional vendors of user data have to operate differently?

It opens up several possibilities. The first is that companies like Facebook sell less data, and only with users’ active consent. This requires them to change how they collect and store data, plus being more open about how their partners will use that data. Users could benefit from this because these companies will be forced to provide more direct value to users if they in turn want users to consent. So it’s a win for users because they can indirectly monetize their data by getting more value for their active participation and consent.

Another strong possibility on the other end of the spectrum is that users take a more direct route to monetization, participating in data marketplaces where they can find buyers for their data, combine with other similar users to sell as a group, and sell based on their personal preferences. They can choose which companies or causes to sell to, they can choose which pieces of their data they’d like to see, and then how much the data are worth.

There are of course multiple options along that spectrum, where hybrid models can occur. But each one requires a strong identity protection and validation platform as the foundation. Users and companies would be smart to start with identity solutions and build up from there, instead of trying to start with the marketplace and work backward toward implementing identity solutions. Starting with identity is the best way to ensure that business goals and GDPR compliance can happily co-exist.

FYI, here’s an article about Klout’s decision to shut down:

https://slate.com/technology/2018/05/klout-is-dead-just-in-time-of-europes-gdpr-privacy-law-thats-not-a-coincidence.html

And one on complaints about Facebook’s “forced consent:”

http://money.cnn.com/2018/05/25/technology/gdpr-compliance-facebook-google/index.html