Do U.S. Consumers Have Rights to Protect their Data?

VIJAY LAXMI, Senior IT Architect; Doctoral Candidate, Northeastern University, Boston, Mass.

DARIN DETWILER, Dean of Graduate Academic and Faculty Affairs, Northeastern University

When talking about the future of quality assurance and food safety, the implications of data protection and privacy rights must be considered. A group of major food companies, including Walmart and Unilever, has been testing blockchain in the U.S. and China to improve supply chain traceability. Blockchain is an openly distributed eLedger in which recorded transactions between two parties are verifiable and permanent — including that by the consumer. Some companies even boast of doing real data mining by using machine learning to find customer-usage patterns.

Additionally, social media platforms are bringing consumers and food providers closer. Food brands are using social media to find trends and respond to changing customer needs, as based on consumer-provided information. At the same time, more and more people are buying food online and providing online reviews, with the reviews and feedback creating a huge impact on food companies’ profits (as seen by Chipotle after its outbreaks of 2015-2017).

A recent Consumer Reports article looked at social media for reporting food poisoning or potential outbreaks, asking: “But can you trust these sources?”. It’s a fair question as consumers’ personal information, such as their names, locations, and email addresses, are being registered in companies’ systems. Many consumers took note of the headlines of cyberattacks in which hackers stole millions of people’s credit card and personal information from Target Stores in 2013 and Equifax in 2017. Through these data breaches, scores of people’s personal information were compromised and sold on the darknet.

WHO IS RESPONSIBLE? With all these digital transactions and communications, do consumers know how food manufacturers and service providers are using their data? What level of protection are companies providing for safeguarding consumer data? If an incident occurs, what leverage do consumers have? And ... who is responsible for protecting consumers’ information: companies, state government, or national government?

No one federal law exists that regulates the collection and use of personal data. Instead, the U.S. has a patchwork system of federal and state laws and regulations that can sometimes overlap or contradict each other. One example is that of the state-level Unfair and Deceptive Act and Practices (UDAP) statutes that serve as the primary lines of defense against deceptive, predatory, and unscrupulous business practices. However, the UDAP protection for consumers is weak, especially for multi-state companies like Target and Equifax. Under UDAP, dozens of states have provided exceptions to the industries where customers have no leverage.

Some states have put the explicit burden on the consumer to file a complaint. The 1914 Federal Trade Commission Act prohibits unfair and deceptive practices and has brought many enforcement actions against companies failing to comply with the rules. Senators from California, Oregon, Connecticut, Virginia, and Massachusetts are working to pass a data breach notification law at a national level.

U.S. export/import companies also need to prioritize data protection. A new European regulation, the Global Data Protection Regulation (GDPR) , which becomes effective May 25, 2018, focuses on privacy by protecting personal data. GDPR impacts companies doing business with European countries, requiring that they protect European citizens’ data and privacy rights. Failure to comply with GDPR can result in a penalty of 20 million euros ($24.6 million) or 4% of the annual revenue, whichever is higher. Controllers and processors must report the breach within 72 hours.

International data protection and privacy rights are being partially addressed through legal and policy channels as described, but the efforts do not stop there. Technology companies like IBM are already working to address data protection. In 2016, Walmart partnered with IBM to use blockchain to detect and remove recalled foods from the product list. Walmart also recently announced “Smart Package,” a tool to track package contents, environmental conditions, locations, and other details, including supply chain key addresses and personal information. The National Institute of Standards and Technology recently announced the unlinkable data challenge where personal data never leaves the source, and only linkage to the data travel from one side to the other.

Digitization and globalization are changing the landscape of interaction and communication between consumers and providers — for business-to-business, business-to-consumer, and consumer-to-consumer transactions. Social media platforms and technologies such as blockchain are influencing quality assurance and food safety before an outbreak happens. The challenge is for consumers to know their rights, providers to protect consumers’ rights, and government authorities to regulate private information at the local, state, national, and international levels.