A Data Privacy Startup

A Data Privacy Startup

The GDPR has created a lot of obligations for the proper handling of user data. This is an opportunity for individuals to take ownership of their data.

I describe an idea for a very profitable startup that helps with this process, and also allows you to make money from your private data in the process.

Business Strategy

In short:

We make money by selling user data. Users will deliberately give us this data because they benefit from it.

The longer version:

We provide a quick and easy way for users to use the GDPR in order to obtain data from other companies, such as Facebook and Google. We perform a Subject Access Request (SAR) on their behalf for as many major companies as possible. The user needs to do nothing but to give us permission, and we take care of the rest.

All of the data obtained through these SARs is stored and summarized by us. This allows us to get access to a lot of valuable data in an entirely legal way, and with the express permission of the data owner (the user).

Once enough data about enough people has been gathered, we offer the user the option to profit from it: Users can give us permission to sell their data to various interested companies. We make a profit from these sales, and a portion of that profit goes to the users.

We are 100% transparent about the way we use the data of our users. We never sell their data or give it away without their express permission, and we give our users a part of the profit from these sales. In this way, we will become maybe the only data trading company in the world that has a positive reputation with the people we gather data on. In fact, users are incentivized to ensure that our data on them is as comprehensive and as accurate as possible, as this increases their own profit.

Because we allow people to earn money from their data, without any work required on their part, people will deliberately want to sign up for our services. All they need to do is to give us permission to act on their behalf, and soon enough they will see money rolling in.

Many people who care a lot about data privacy will want to give us their data, because it is the easiest way for them to take control of their data again. After all, their data is already being used anyway, but our services allow them to profit from it.

We also allow our users to curate the data that we gather for them / about them. Many companies like Facebook and Google use statistical techniques to gather information about users. These techniques are not flawless. If those users took a look at the data that is gathered about them, they would be able to make corrections. We enable users to do just this, which improves the quality of the data, thereby increasing both our profit and the profit of the users.

Once we have enough users that our users see a respectable profit from the sales of their data, then people from non-european countries (where the GDPR does not apply) will also join in. Non-europeans may not have the ability to use an SAR to let us gain data automatically, but they can still fill out their profiles manually and gain money that way.

We use the GDPR as a stepstone to quickly get a lot of valuable data while also gaining a positive reputation with users. The long term profitability however does not depend on GDPR:

Our long term goal is simply to build a monopoly on reliable data about as many people as possible.

In the long run, we will become information brokers that buy data about people from companies, let those people curate that data, and then sell it again to other companies with the express permission of the data owners.

This long term goal is very profitable, and it would be exceedingly difficult for another company to beat us once we already have both a positive reputation and a critical mass of users.

Summary of benefits

  • Benefits for users

    • Take control of your data. Learn what companies know about you.

    • Correct mistakes in your data, which increases the quality of advertisements you see and otherwise reduces misunderstandings.

    • Control what companies are allowed to know what things about you.

    • Earn money from your data, without doing any work.

    • "Stick it to the man" (There are a lot of people who are very emotional about this topic and would likely join just for that reason alone.)

  • Benefits for other companies

    • Avoid getting sued by complying with us.

    • Gain a positive reputation by cooperating with us willingly.

    • Gain access to more accurate user data by buying it from us.

  • Benefits for us

    • Earn money by selling data

    • Gain a positive reputation while selling other people's data (this will probably be a first in history), since they benefit form it as well.

GDPR and getting companies to comply with it

This startup works because of the GDPR, which applies only in Europe. Europe is a large enough market that we can achieve a critical mass of users. This will allow us to expand into other countries later.

Some useful information about GDPR (see more details here):

  • GDPR allows you to request all personal data about yourself from any company.

  • The companies are not allowed to charge fees for this, except in special circumstances that do not apply to us. This means that all of our data gathering is entirely free, and it is the other companies that have to do all the work, not us.

  • GDPR uses a very liberal interpretation of what constitutes "personal data".

    A lawyer working together with a data scientist can make almost any data count as personal data. If it can be used to identify a person, it counts as personal data. Data Scientists are very good at identifying people based on data, so this applies to almost anything.

  • The fees for non-compliance with GDPR are enormous: up to 20 million euros or 4% annual global turnover.

    This means that our lawyers have a very big stick with which to bully other companies into giving us their data, so long as we act on behalf of the data owner (the user).

  • An SAR also allows you to get access to lots of additional information about the data, such as information about how the data was gathered and how it is being used. All of this is valuable information that is worth a lot of money to the right client.

  • Users have the 'right to erasure' according to GDPR: This means that our users can first request all data about themselves, then request deletion of the data, then use our services to sell that data right back to the company they gathered it from.

    (Honestly, this sounds so broken that I am not sure if I am interpreting the law correctly here, but it wouldn't be the first time that a politician fucked up and left an obvious loophole.)

All of this ensures that we can get a large amount of very useful data from companies using SARs.

It is possible for a company to comply with out SAR requests in a manner that is technically correct but deliberately unhelpful, either in order to intentionally sabotage us, or simply because they do not want to spend the time necessary to do it properly.

We can deal with this problem by assigning a rating of the data privacy compliance to each company we work with. After all, we are trying to establish ourselves as the preeminent representative of data privacy rights of the common man. It is only natural that we can also use this position and the reputation we build in order to rate other companies on their data privacy as well.

Companies that cooperate with us and provide their data in a useful and understandable format will therefore benefit from an increased reputation. Perhaps more importantly, we can also adjust the prices for which we sell our user data back to other companies based on how well they cooperate with us.

The GDPR gives us a lot of ways to screw over any company that refuses to cooperate. In many cases, other companies will likely prefer to cooperate rather than deal with the enormous headache that we can cause for them if they don't.

In an extreme case, we could even start a class action suit against offending companies on behalf of our users. Since such a class action lawsuit must be not-for-profit according to the GDPR, this could even be handled by a non-profit child company that qualifies as a charity and is tax-deductible. We would not profit from such a class action lawsuit, but the threat of it should be enough to cow most companies into compliance.

Short term vs long term goals

We will only be able to make money once we have enough a critical mass of users, so that there are enough of them that buying the data is worth it for other companies.

This is why we should focus on the non-monetary aspects to get users in the beginning: We make it very easy to get data from other companies using GDPR. We get people who care deeply about data privacy to use our service. Once enough people use it, we offer them the option to monetize their collected data.

In contrast, our long term goal is to become large enough that we can sustain ourselves even if GDPR is abolished. Politics moves slowly, so this will take years even in the worst case. By then (if it happens at all), we must have enough users that our data is valuable on its own, even without the influx through GDPR. If we can achieve such a critical mass, then new users will join us in droves, because we essentially provide a service that lets you earn money just by signing up.

Our long term goal is to build a monopoly on reliable data about as many people as possible.

Requirements and feasibility

  • We will require a team of very good lawyers to wrange non-compliant companies effectively.

  • We will need good programmers and AI/ML experts to collect all of the data and put it in a useful format.

  • Information security is critical: Our reputation as a company that values and protects data privacy is our most important asset. As such, all our data must be stored in an encrypted and distributed form and we must take care to protect against hacker attacks.

  • Precedence and competition:

    Similar companies already exist, but nothing quite like this. The GDPR is simply too new.

    Mostly there are companies that make applying GDPR easier, and there are companies that try to let users earn money by selling their data. The former have no way of earning money, and the latter do not have an effective way to achieve economies of scale.

    However, to my knowledge nobody has combined the two concepts yet, and we would have neither of the problems that these two types of companies have.

    Some relevant websites: This website allows you to make GDPR requests. This article researches existing companies that allow you to make money by selling your data.