Discussions of business use of consumer data often focus on legal issues, like risks and regulations. For good reason: the massive amount of personal information collected by governments and businesses can cause potential harm and huge fines if misused. So much so that newer privacy regulations like the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) limit uses of data and seek to give power back to the consumer.
Yet eye-catching articles featuring titles like “28 Ways Your Privacy is Invaded Every Day” or “What Your Fitness App Knows About You” might lead some people to believe that the collection and processing of personal data is downright unethical, even within legal confines.
The truth, however, is that businesses can still collect, process and use consumer data legally and ethically—even in the eyes of consumers.
Legal Data Use: Consent is Key
Consent is the legal key to regulatory compliance for both the GDPR and the CCPA. The GDPR requires that personal data be processed “lawfully, fairly and in a transparent manner in relation to the data subject” and explicitly states that processing is lawful if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”
The CCPA, on the other hand, does not restrict many uses of personal information but does give consumers the right to prevent the sale of their personal information. California consumers older than 16 are allowed to opt-out of the sale of their personal information. Businesses are not allowed to knowingly collect personal information regarding minors without either parental consent (for minors less than 13 years old) or the minor’s consent (for minors 13 – 16 years old).
Both the GDPR and the CCPA do require data collectors to disclose information about the data they collect and the purposes of collection. CCPA, for example, requires that any organization must inform California consumers, at or before the point of collection, about what types of personal information will be collected and the purposes for which they shall be used.
The bottom line, though, is that both regulations allow businesses to use personal data with the consent of the data subject. Fortunately, research suggests that most consumers can be convinced to consent to reasonable uses of their data.
Consumer Perspective: Pragmatic Privacy
Research by privacy expert Alan Westin indicates that most people are pragmatic about privacy. Based on a number of surveys he conducted with Harris Research and Opinion Research Corporation, Westin concluded that Americans’ attitudes towards privacy tend to fall into one of three groups:
- Privacy Fundamentalists value privacy highly and favor restricting government and commercial use of private data. The German regulators that banned the sale of My Friend Cayla, an interactive doll, to protect the privacy of German children are a good example of Privacy Fundamentalist thinking.
- The Privacy Unconcerned tend to share personal information willingly, with little or no financial incentive. The American college students willing to give up their friends’ email addresses for a pizza appear to be among the Privacy Unconcerned.
- Privacy Pragmatists are willing to trade personal information to organizations they trust in return for valuable products or services. Anybody who uses grocery store loyalty cards for price discounts or free services like Gmail or Google Maps is acting like a Privacy Pragmatist.
According to Westin’s surveys, the percentages of people identifying with each category vary slightly over time. In a 2001 Congressional hearing summarizing his research, he estimated that 25% of the U.S. population were Privacy Fundamentalists, 12% were Privacy Unconcerned, and 63% were Privacy Pragmatists. The Centre for International Governance Innovation (CIGI) and Ipsos have conducted similar global surveys more recently. These results also vary slightly, both from year to year and from country to country, but they generally agree with Westin’s results. The 2019 survey reported that 31% of the global population is very concerned about online privacy, 47% is somewhat concerned, and 22% are not concerned.
The important point is that Privacy Fundamentalists are almost always a minority. The majority is composed of Privacy Pragmatists and the Privacy Unconcerned—the very people who may be willing to consent to reasonable, legal, ethical collection, processing and use of their personal information.
An Organization’s Responsibility: Benefit the User
The best way for an organization to convince consumers to consent to the collection and use of their personal data is to use that data to the consumers’ benefit. Any organization with customers or users is offering a valuable product or service; let consumers know what data you collect and how you use it in your product or service. In some cases, the value is fairly obvious. Users of mapping apps, for example, probably understand that those apps must track user locations in order to show their current location, update turn-by-turn directions or provide live traffic data. Most consumers agree the benefits of the live mapping information outweigh the risks of letting the apps track their movements.
In other cases, organizations may have to explain how their data use benefits consumers in order to obtain consent. Whether an organization uses the data to add value to their product, drive research and development, improve inventory control, or any other legitimate purpose, consumers are capable of evaluating the trade-offs and, in most cases, willing to allow the use of their data.
When businesses make consumers feel comfortable to consent, both parties win. The key to this, of course, is by earning the consumer’s trust—both in disclosure and behavior.
Preventing Misuse is Possible
In a nutshell, consumer trust requires that organizations make reasonable efforts to prevent misuse of personal information. Most cases of misuse fall into three categories: the organization collecting the data uses it in a way that alarms the data subjects; the organization shares the data with another party that misuses—or could misuse—it; or the organization suffers a data breach.
Avoid Alarming Consumers
No upstanding organization deliberately sets out to misuse their customers’ data, but it can happen unintentionally. For example, many consumers are quite happy to receive special coupons or discounts on items they are likely to want to buy, but if a store seems to know them too well, they may avoid it. The balance can be tricky to find, as Target learned in 2012 when a Minneapolis father realized that Target knew his teenage daughter was pregnant before he did. The subsequent publicity about Target’s data analysis focused on the value of the data to Target rather than to Target’s customers. To withstand that sort of scrutiny, any organization using consumer data must weigh the ethical implications of its use and only use it if the consumers see it as a benefit.
Provide Better Data Governance
Any organization sharing customer data must also take reasonable steps to ensure that the party receiving the data uses it appropriately. That basically means establishing an agreement on the purposes for which the recipient is allowed to use the data. Some regulations, like GDPR and CCPA, automatically establish requirements that must be met for organizations to transfer data.
As GDPR breach notifications rise, however, and the full impact of CCPA is yet to be seen, organizations are going to have to assure consumers that their data governance is sound, which includes their utilization of third-party tools. Once personally identifiable information (PII) or other sensitive data is sent to a marketing or analytics tool, for example, governance is handed over. Already, organizations who take data seriously are taking great care to keep data within their jurisdiction, on a private cloud.
Data breaches and the misuse of consumer data are understandably a major concern and consumers are right to be concerned about privacy. Yet for most consumers the benefits of data collection and analysis outweigh the risks, which is good news for conscientious organizations In spite of new privacy regulations and concerns, they will still be able to collect and use personal information, if they do so ethically, legally and carefully.
Are you a security-conscious organization ready to buckle down on your data governance? We should talk. Contact us anytime at firstname.lastname@example.org.