Interesting, I had a discussion about the privacy implications with someone from the “funding for independent businesses” space yesterday.
This seems like an oddly unregulated space indeed, and there are more and more players joining the market of “solutions that aggregate your internal business data for analytics or projections” every month. I think there is definitely a risk of over-exposing information, as the APIs provided by services like Stripe and BareMetrics are not yet prepared to completely anonymize your data or give you fine-grained control over what is exposed: I think at this point, those APIs are meant to allow you to actually programmatically interact with the service instead of just exporting data for further analysis.
In my discussion yesterday, we found that there are two rather extreme positions to take here: either you can be the optimist and see this as a great opportunity for startups (to get more insight and instructive guidance) and investors (to get more insight, choice, and decision-supporting information), or you can be the pessimist and see this as a potential for malice (industrial espionage, sabotage, copycats) or negligence (company data leaks, customer PII exposure).
I think it’s somewhere between these two things, and regulation would definitely clarify this. What would also help would be an understanding shared by API providers to irreversibly anonymize data from APIs on a per-API-consumer level. Your server accesses the Stripe API? Give them the actual information. Your analytics provider fetches data? Give them hashed / pseudonymized PII and non-reversible IDs. Something like that. We can solve this on the technical level before the government needs to step in.
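A sketch of the per-API-consumer idea from the comment above, added here as an illustration and not part of the original post or of any provider's API: the first-party server gets real values, while each analytics consumer gets keyed pseudonyms that are stable for that consumer but unlinkable across consumers. All consumer names, keys, field names and the sample record are constructed assumptions.

```python
import hashlib
import hmac

# Constructed per-consumer secrets (assumption): a provider would keep one
# random key per API consumer, server-side only.
CONSUMER_KEYS = {
    "analytics-a": b"constructed-key-for-analytics-a",
    "analytics-b": b"constructed-key-for-analytics-b",
}
FIRST_PARTY = {"merchant-server"}                # consumers that see real data
PSEUDONYMIZE = {"customer_id", "email", "name"}  # replaced by keyed tokens
PASS_THROUGH = {"plan", "mrr_cents"}             # allowlisted non-PII fields


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed one-way token. An unkeyed hash of an e-mail address can be
    reversed by hashing guesses; without the key this HMAC cannot, and a
    different key per consumer stops two consumers joining their exports."""
    norm = value.strip().lower() if field == "email" else value
    msg = f"{field}:{norm}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def export_record(record: dict, consumer: str) -> dict:
    """Return the view of `record` that `consumer` is allowed to see."""
    if consumer in FIRST_PARTY:
        return dict(record)
    key = CONSUMER_KEYS[consumer]  # unknown consumer: KeyError, no data
    out = {}
    for field, value in record.items():
        if field in PSEUDONYMIZE:
            out[field] = pseudonym(key, field, str(value))
        elif field in PASS_THROUGH:  # anything not allowlisted is dropped
            out[field] = value
    return out


# Constructed sample record.
SAMPLE = {"customer_id": "cus_0001", "email": "Jane@Example.com",
          "name": "Jane Doe", "plan": "pro", "mrr_cents": 4900}

if __name__ == "__main__":
    for who in ("merchant-server", "analytics-a", "analytics-b"):
        print(who, export_record(SAMPLE, who))
```

The tokens stay non-reversible only while the per-consumer keys stay on the provider's side; low-cardinality pass-through fields can still identify a business when combined, so the allowlist deserves the same review as the PII list.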