How New Privacy Laws May Impact Apps Designed to Protect Your Privacy
By Graham Dufault and Madeline Zick
On an average day, how many calls do you get that are just spam? You hear your phone buzz, you take one look at the screen displaying the phone number—likely with your area code—and as you answer it you get a sinking feeling that you’re probably not going to hear a human voice on the other end of the line. You answer it anyway… Sure enough, it’s a robocall.
Feeling duped yet again, you swipe to Google Play or the App Store with the thought, surely there’s an app for this. You find ACT | The App Association member Call Control, which makes a call blocking app. You download the app and are thoroughly dazzled by your device’s newfound ability to stop these calls from assailing your eardrums again. And then one day, it stops working. The culprit? Privacy regulation.
The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020, and will provide data access and control rights to California residents, including the right to request the types of data that are collected about them; the processing activities of entities that collect their data; and a limited right to prohibit the sale of data about them or even to delete that data. Similarly, in Europe, the General Data Protection Regulation (GDPR) provides European data subjects with certain rights to access and control their own data; generally prohibits data processing unlesscertain lawful bases are stated; and imposes steep penalties of up to 4 percent of a company’s global revenue. GDPR applies to companies across the globe, including the United States, to the extent that they process data about a European “data subject.”
Complying with New Privacy Rules
Prior to GDPR going into effect in May 2018, companies of all sizes poured vast amounts of time and employee resources into complying with what they believe is the letter of the law. For example, in a September 2018 congressional hearing, Google’s chief privacy officer Keith Enright said the company spent “hundreds of years of human time” on compliance measures. Privacy policies were carefully combed through to ensure individual data was being processed in the manner prescribed.
When undertaken by companies like Google, compliance may seem like an achievable task, largely because they have resources—in terms of people, time, and money—to handle it. Even small changes in the law could produce major ripple effects in an enterprise as sprawling as Google’s. But for small companies in the app economy, meeting a new regulatory regime is a fundamentally different undertaking.
While Call Control does not sell any user data to third parties, there is a growing number of overlapping and often conflicting regulatory environments across state, national, and international jurisdictions. The cost of universal compliance is rising at an alarming rate and will squeeze independent developers to a decision to comply or say goodbye.
Call Control’s core functionality requires the app to collect and use the phone numbers of incoming callers. If it is made available to European data subjects, Call Control’s compliance obligations under GDPR would be substantial because they require the company to create 1) a process by which it can respond to verified customer requests for information about privacy practices; and 2) a detailed explanation of why each of its processing activities are nonetheless legal despite the presumption that they are illegalunder European law. To comply with CCPA, Call Control’s obligations are even less clear, but certainly, Call Control must develop or purchase a system where it can respond to verified requests from its customers. Depending on how other requirements are interpreted, Call Control may also have to share a copy of the information it has collected about a person (which includes any phone numbers from calls they receive). Although this sounds simple, it is not, because verifying a person’s identity requires a set of steps Call Control will have to invest significant resources into developing.
The Insourcing of Innovation
Although the direct costs of compliance on Call Control are substantial, they are achievable—and the chilling effects on the broader ecosystem should not be overlooked. CCPA’s restrictions on how companies share personal data with third parties may make platform companies less likely to enable independent call blocking apps to operate in the first place. Under CCPA, platforms may be considered under the law to be “disclosing” incoming call numbers “for a business purpose” with a call blocking app like Call Control. In turn, platform companies may be required to provide the app’s customers with a means to access the incoming call records the platform “disclosed” to the app. Again, providing access to data like incoming call numbers means setting up an infrastructure to support request verification; a substantial investment, even for a platform company. There are millions of apps on the major app stores. Would it really be worth the hassle for a platform company to assume the additional liability imposed by CCPA in cases where it can be said the platform is “disclosing” sensitive information to the app? Or would it be less risky and more profitable to simply make the app themselves and heighten the barriers for independent call blocking apps to operate on the platform?
All of this illustrates that when we regulate the big guys, we also regulate the little guy, sometimes in ways that advantage larger companies over small ones. Policymakers ought to keep in mind the symbiotic nature of platforms and apps. Privacy officers and lawyers will continue to sort out what GDPR, CCPA, and the highly public privacy debate mean for their organizations and clients. But policymakers at federal agencies and in Congress should take note of unintended consequences for small innovators, especially as policymakers work on a federal privacy framework. The effect is amplified when regulatory regimes inhibit the activities of small companies whose main purpose is to provide better privacy controls. The balancing act is difficult, but we must understand the observed consequences of these privacy laws to avoid their mistakes and build on their successes.