Forget Bitcoin. The most common and profitable “virtual currency” today is personal data.

It is no small paradox that social media users—and there are billions of them globally—are willing to share the most intimate details of their life online, yet balk at the suggestion that those details will likely be shared and sold. The economic reality, however, is that data collection and analytics is, in large part, how giant tech companies have continued to grow and prosper.

The regulatory-free ride of monetized data collection, however, may be coming to an end.

The shot across the bow was the May 2018 implementation of the European Union’s General Data Protection Regulation.

Designed to bring EU data protection laws into the digital age, GDPR harmonized existing rules among member states to enhance consumer protections. It allows consumers and others to know what data a business possesses on them, empowering them with the right to demand its deletion.

Although the expansive nature of GDPR makes it a de facto global standard, domestic legislation and regulation is increasingly likely in the United States. States are also jumping into the fray, notably California with the Consumer Privacy Act of 2018, legislation many view as “GDPR-lite.”

“I think there is a high chance that people realize that the days of the wild, wild West are over. There need to be some guardrails,” said Sen. Mark Warner (D-Va.) at a September Senate Intelligence Committee hearing on digital privacy.

“A national standard for privacy rules of the road is needed to protect consumers,” added Sen. John Thune (R-S.D.).The catalyst for legislative interest is hardly surprising. Decades of self-regulation is proving to be no longer tenable as data collection efforts become ubiquitous and more brazen.

There are nearly daily news headlines that underscore how things can go very wrong when it comes to securing personal data.

Target, back in 2012, drew fire when its data-driven marketing efforts accidently broke the news of a teenager’s pregnancy to her family. A 2017 Equifax data breach exposed the personal and financial information of 143 million Americans. In April, LGBT dating site Grindr was accused of sharing the personal information—including, allegedly, HIV status—of many of its approximately 3.6 million active daily users without their informed consent. 

“More legislators and business leaders are stepping forward to say the time for overarching, federal-level privacy legislation in the U.S. has come.”

Dr. Andrea Jelinek, Chair, European Data Protection Board

More recently, there were revelations that political intelligence firm Cambridge Analytica had illicitly acquired access to the personal data of millions of unwitting Facebook users.

Yet another Facebook breach, reported in September, saw the compromise of 30 million user accounts. Early November brought reports that hackers stole the private messages of more than 81,000 Facebook accounts, selling them for 10 cents per account on the “dark Web.” In October, it was revealed that Google waited six months before notifying the public of a data breach that exposed the private information of nearly 500,000 users of the Google+ social media network.

These incidents, although noteworthy, are far from isolated. Nearly 64 percent of Americans have experienced a “significant data breach” of their personal data, claims a recent survey by the Pew Research Centre.

“More legislators and business leaders are stepping forward to say the time for overarching, federal-level privacy legislation in the U.S. has come,” Dr. Andrea Jelinek, chair of the European Data Protection Board, told a Senate panel in October. “If we do not modify the rules of the data processing game with legislative initiatives, it will turn into a losing game for the economy, society, and for each individual.”

“Businesses have started coming around too, not just because they need to comply with the GDPR, but because they see that their clients and employees alike expect their personal data to be treated in a safe manner,” she added.

Breaches aside, legislators will also need to address what companies do with the data willfully placed in their care. Ongoing scrutiny hasn’t necessarily chastened tech companies, many of whom continue to push the boundaries of their collection efforts.

Google, for example, has a patent on using in-home devices to monitor refrigerator access to analyze household eating patterns and determine the emotional state of the home’s occupants based on voice and facial expressions, Alastair Mactaggart, chairman of Californians for Consumer Privacy, an architect of that state’s new data privacy law, told a recent Senate Commerce Committee panel. With the patent, Google also seeks to track whether alcohol is consumed; whether there is smoking; whether teeth are brushed; and if foul language is used.

Advertisers are also pioneering “geofences” that can track and send advertisements to smartphones crossing a selected area.

“As a result, through no overt action of a consumer, the companies know who is in rehab, who goes to AA, who just got an abortion, what your religion is, and whether you have a drug problem,” Mactaggart said. “That information can be sold, and resold, simply because you have a mobile phone.”

In the stories in this special report, we look at the data privacy rules, laws, and frameworks that are emerging—internationally and domestically—and what compliance challenges they pose.