Since June, when Salesforce CEO Marc Benioff authored a widely read opinion piece for Politico calling for a national privacy law for personal data — a stance that runs counter to that of many tech vendors — California passed data privacy legislation echoing the European Union’s groundbreaking GDPR.
Benioff, who had earlier backed a more radical data privacy ballot measure that tech giants like Facebook opposed, threw his clout behind the California bill, even though that measure is not quite as stringent as the GDPR (General Data Protection Regulation).
Amid boom times for data and the lack of U.S. regulation making it easier for companies to consume and monetize customer data, Benioff put the giant San Francisco-based CRM software vendor at the vanguard of the U.S. data privacy movement.
Meanwhile, the GDPR extended beyond the Atlantic and affected many U.S.-based companies that have international customers.
Between the regulatory changes around the world and consumer distrust of technology companies after recent episodes of breaches and data misuse, a national personal data privacy law such as the one Benioff envisions could be on the horizon.
But what that would look like in the U.S. is unclear, given Silicon Valley’s virtually unregulated reign and Congress’ apparent lack of appetite up to now for tech regulation.
And a big question for observers of the mercurial Benioff is whether it’s relatively easier for a company like Salesforce, which acts as a data processor and doesn’t monetize data directly, to call for stricter data privacy regulation.
‘Bit of a paradox’
Salesforce declined to make Benioff available for this story. But Lindsey Finch, senior vice president of global privacy at Salesforce, said in an interview with SearchSalesforce that the kind of corporate transparency Benioff calls for in the Politico piece can be hard to achieve.
In his article, Benioff beseeches companies to be clearer about how they use customers’ data and to make terms of service concise and comprehensible.
But, as a click on the Salesforce website shows, the company’s terms of service for using cookies on a browser comprises more than 5,000 words of legal terminology. It’s more concise than some competitors’ pages, but it’s doubtful the average consumer would take the time to read 16 pages of legalese.
“This is something the industry struggles with,” Finch, a lawyer and former privacy counsel for General Electric, said. “On one hand, privacy laws like GDPR require very detailed information be provided. On the other hand, consumers want something concise and understandable. There’s a bit of a paradox of what laws legally require and what consumers can reasonably digest.”
Finch also responded to the potential criticism that Salesforce’s position in favor of strict personal data privacy is somewhat convenient because even though the company acts as a data processor for thousands of organizations, its customers’ data doesn’t directly affect its bottom line.
“We are a data processor in delivering our services to our customers and processing data on their behalf, but we are also a data controller in terms of running our business,” Finch said. “While our core business is delivering services as a data processor, we also have a lot of responsibilities as a controller as well.”
Data controllers are the companies directly affected by GDPR regulation and have to maintain their personal data protections up to the EU standards.
With some 10,000 employees, Salesforce is the biggest employer in San Francisco.
Finch also elaborated on another key point in Benioff’s Politico piece — that a national personal data privacy law in the U.S., while using GDPR as a template, should be “tailored to our own traditions, values and rule of law.”
“We’re seeing this explosion of data and on the one hand you have individuals, either in a business or personal capacity, and what they want is a more personalized experience,” Finch said. “But at the same time they’re demanding that companies they do business with are more trustworthy than ever before.”
“We see an opportunity with something like GDPR,” she added. “What we’re advocating for in the U.S. is to look at how data is handled from the perspective of the end consumer and the types of things they’d reasonably expect or want to know about how their data is handled.”
The unregulated data landscape
Meanwhile, although the internet seems like a ubiquitous staple of everyday life, it’s still relatively new and matching regulation — which often gets drawn out through the political system — with the pace of innovation can be a difficult quandary.
“We’re seeing a backlash to this ‘Wild West’ approach to data and seeing the first signs of a more orderly digital economy,” said Steve Wilson, a data privacy expert and vice president and principal analyst at Constellation Research Inc. “You can’t have everyone for themselves when it comes to data.”
Steve Wilsonvice president and principal analyst, Constellation Research
Wilson argued that widespread data breaches and concerns about Facebook’s use of data are laying the groundwork for an eventual national personal data privacy law, but others in the data privacy field still see any significant regulation as years away — if it materializes in the U.S. at all.
Another privacy expert, Ted Claypoole, a partner at the North Carolina firm Womble Bond Dickinson and a veteran data and privacy lawyer, was less sanguine on a national privacy law’s chances here.
“I think [a national privacy law] is unlikely and if it comes it will be a while from now,” Claypoole said. “If citizens don’t push for this and go collectively to Congress and demand this be changed, it won’t be. In 10 or 15 years it’ll be too hard to do because businesses are built on using data.”
One of the main reasons for Claypoole’s pessimism is his view that U.S. citizens don’t care much about personal data privacy — or if they do, their actions contradict their sentiment.
“People say one thing then jump on Facebook or give away data for a 20% off Chipotle coupon,” he said, referring to the popular Mexican food chain.
Wilson agreed that the U.S. has lagged behind on setting national privacy standards, but said he’s bullish on the response to GDPR and the movement toward better data regulation in the U.S. — starting with California.
“America has taken 20 years to get nowhere on this, but I’m not cynical about this,” Wilson said. “I’m seeing respect for GDPR and movement on this. Businesses understand that GDPR is an opportunity to get your [stuff] together.”
Wilson also said Salesforce is in a better position than companies like Facebook or Google to take the moral high ground on data privacy because Salesforce doesn’t directly make money from personal data, but that the CRM vendor still owns an important stake in the issue.
“A cynic would say that Salesforce can separate itself from the hurly burly of data and that’s fine, but they do have an important role in the custodianship of data,” Wilson said.
Data is valuable
Whether a national privacy law is a realistic goal or an idealistic dream, the national conversation on data privacy is shifting.
The California law AB 375 is a significant first step and could be a substantial one, as it would make U.S. companies abide by the California regulation if they do any business in California — similar to how companies not based in the EU still need to adhere to GDPR if they have a customer based in the EU.
“It’s not really about privacy. It’s about data being an important commodity in the digital economy and we can’t have a ‘Wild West’ anymore,” Wilson said. “We need some restraint and control and enterprise modesty. We see this attitude toward data because it’s so valuable.”