dmarble | 6 years ago
There's an interesting related issue here for brick & mortar businesses with CCPA and GDPR in effect: you can do some useful analytics, personalization, and fraud prevention work with probabilistic identity info, but if someone verifies they actually are Person X and wants to download or delete whatever data you have on them, what can you confidently say is actually their data?
Will companies be held to different standards based on how much money they've invested and success they've had in identity resolution, in which case this might be a factor dissuading them from doing more identification and personalization? Or if they haven't invested millions in trying to figure out who people are, but it's possible to do so, are they liable for some kind of misconduct if they don't produce all the data they have that could have been tied together for that person? Is the choice binary, i.e. either invest big in identity resolution and take it as far as possible (with parallel governance investment) or de-identify everything you can? A privacy advocate might think on first pass that it's as simple as choosing the latter, but that's mostly not possible due to requirements we face related to other regulation and business realities: fraud, anti-money laundering, age-related laws, shoplifting, intense competition in a razor-thin margin industry, etc.
Data privacy is complicated.
lobotryas | 6 years ago
We are wringing our hands over the issue when in reality we can solve it like the Gordian Knot.