This is why laws that regulate data collection are so necessary. The ethical considerations that apply to software are so nuanced that they are very easy to get lost or ignored in a typical SDLC.
It will be much easier for a developer (or an outsider) to throw up a red flag that is taken seriously if it’s a legal concern.
Totally agree. I think a lot of the "evil" that happens in business is done by well-intended people who make incremental decisions while trying to compete. Some of them probably make decisions they don't like, but because if they don't, their competitors will eat their lunch, they have to.
In my experience, honest business folks don't mind honest regulations. It keeps the playing field level.
I think you can view money not as the end goal, but as the means to accomplish your goal. If I have a goal to help people become educated, I use business as a way to organize resources (including people) to accomplish the goal. Money is necessary to make that happen. Even for open-source projects, money is necessary.
I respectfully disagree with Milton Friedman's oft-quoted line, that the purpose of a business is to maximize value for its shareholders, at least if we set value = money.
There are laws that regulate data collection, it's just that companies who break them have every expectation that they'll never get caught at it.
For example, here's an HHS page that exists to brag about the effectiveness of HIPAA enforcement[1], and even by their statistics, about 0.3% of complaints result in reviews. Now imagine what percentage of violations never result in complaints.
GDPR is arguably more successful, insofar as they levied around $150M in fines last year, but most of that was from a couple big cases (Google chief among them) involving companies who are so big that even getting a $50M fine isn't going to change their underlying practices. It's the cost of doing business if hoarding private data is your business model.
Pretty much every website I've ever looked at that had a GDPR compliance notice was implementing it in violation of the actual regulation: they set cookies first and then notify you about them. That's not how it works, dude. If you consider that GDPR applies to any business that transacts with EU citizens, the number of non-compliant websites is so huge that $150M is nothing. The only effect of GDPR in practice has been to fill the world with meaningless banners, not to protect anybody's data.
And in a nutshell, that's how data collection and privacy regulation has worked out in the real world: a lot of meaningless compliance theater, while business goes on as usual.
GDPR is successful because they hand out fines but every website is in violation of it? I would think that a successful law results in compliance.
As someone who has worked with HIPAA data, I have personally seen the data treated with a great deal of thought around compliance. I think the numbers you cite are a result of that, not in spite of it. As your source points out, many of those complaints aren't eligible for enforcement. This isn't because HIPAA isn't enforced, it's because many of the people who are complaining don't know what HIPAA does.
But the US needs its own general privacy law too; GDPR is not enough, as it isn't applicable to a lot of software built in the US.