
> If I pay I want: No ads, no tracking, full access to my own data in sane export formats, schemas, no data mining, no data selling, no "sharing data with our partners", encryption options, no dumb hoops, no dark patterns, the ability to point a product at an API endpoint of my choosing, backup options that default to my infrastructure first and so on.

GDPR's right to data portability provides much of the export functionality you're after. It must be structured, in a format that is commonly-used and machine-readable. The ICO's guidance suggests that CSV, XML and JSON best meet this requirement.

Tracking is something else that GDPR helps with. Tracking of personal information via e.g. cookies requires active consent. Silence is not consent.

"sharing data with our partners" requires a lawful basis when dealing with EU data subjects. This will normally be consent where data is sold to third parties for e.g. marketing, so data subjects will be able to make an informed decision and opt out of this. Again, silence is not consent - and burying data sharing in an unreadable legal document is not informed consent.

> the ability to point a product at an API endpoint of my choosing

The right to data portability includes this:

> Individuals have the right to ask you to transmit their personal data directly to another controller without hindrance. If it is technically feasible, you should do this.

> Actually let's add more: The data generated by my use of my data in the product.

This is in scope for a Subject Access Request.

> Non-canned support responses that don't ask for information I literally put in the ticket three weeks ago

This is difficult to solve with regulation but I think it's an entirely reasonable thing to expect for your money. GDPR does not help here.

Hopefully if there are multiple competitors in the space, customer support is something that providers can compete on.

> Prominent indication of where (geographically and legally) data is stored and used

Privacy information already must contain a transparent list of data processors:

> This includes anyone that processes the personal data on your behalf, as well as all other organisations.

What we really need is for other countries to start taking data protection regulation seriously.



