Does Customer Data Privacy Actually Matter? It Should.
It’s only April and 2019 is already shaping up to be a banner year for the lack of data privacy. Not a day goes by where our mortgage information, our passwords, and even our old Hotmail emails aren’t wrapped up in some sort of security failure that flouts our digital privacy.
The cynic would suggest this is the new normal--that we have made a Faustian bargain with big tech to choose convenience over security and privacy. But while news reports highlight companies behaving badly, change may be on the horizon, both in terms of companies’ attitudes towards customer privacy and in the regulatory compliance landscape. While fines and further legal ramifications should be enough to drive businesses to take customer privacy seriously, customers have a seat at the table and can also push change.
The regulatory landscape
Everyone on the internet has heard of the General Data Protection Regulation, or GDPR, which is the European Union’s (EU) relatively recent privacy regulation. The GDPR arose as a holistic way to update existing, inconsistent and conflicting laws and regulations across the EU to strengthen the protection of individuals’ personal data. GDPR serves as the foundation for European consumers to take more control of their privacy and it’s just the first of many laws on the way.
The California Consumer Privacy Act (CCPA) came on the heels of the GDPR and offers similar protections for California consumers. The CCPA goes into effect on January 1, 2020. The regulation puts guidelines on personal information collection and usage by businesses, giving Californians significant visibility into what data is gathered and how it is shared, as well as control over its deletion. Other states like Washington, Maryland, Massachusetts, Hawaii, New Mexico, and Rhode Island have also introduced legislation around privacy, opening the door for more potential statewide privacy compliance challenges for businesses.
These regulatory shifts on the international and state-wide level may prod action at the federal level, where a number of competing bills have been put forth, but progress has been limited.
While the private sector waits for potential federal legislative movement on privacy, it’s worth asking how businesses consider user privacy, and if there are any practical cues to take. Okta published its Digital Enterprise Report in early April -- a survey of 1,050 technology decision makers at organizations with $1 billion in revenue or greater -- and sought to understand more about how these organizations were thinking about privacy regulation and practices.
With such a rapidly-changing regulatory landscape, compliance is and will continue to be a substantial challenge for businesses of all sizes, so it’s no shock that over half of survey respondents said a federal privacy law would make compliance easier. The alternative? Organizations reckoning with the byzantine nuances of differing state laws.
Compliance and opportunity
The effect of regulation and the varying interpretations will have an impact on how organizations act with regard to privacy, but it’s not the only thing impacting actions. After a year filled with privacy breaches and scandals across the technology landscape, companies are recognizing the need to make privacy more of a focus and potentially a strategic differentiator. While nearly half of Digital Enterprise respondents said they give customers only limited control over what data they share with their organization, nearly half again said they expect to provide more control over data privacy in the coming year.
Perhaps surprisingly, topping the list are the industries that have historically collected customer data to sell goods and services: technology, retail, manufacturing and automotive. In the case of technology, these repeated breaches -- both accidental and purposeful -- have destroyed trust, created legal issues and hurt their bottom lines. According to the Edelman Trust Barometer -- a global survey of consumer trust done annually -- only 55 percent of respondents think technology is performing well on protecting consumer data.
All of this is to suggest that privacy is becoming a front and center issue for businesses and governments alike. But can it be a strategic advantage? According to TrustArc, 92 percent of US consumers worry about their privacy online, and more importantly, 89 percent say they avoid companies that do not protect their privacy. Handling privacy proactively and transparently offers significant upside to businesses of all sizes. This means understanding how to practically think about protecting customers’ data, and there are some broad, simple rules that make data privacy and transparency significantly easier for business builders:
Don’t collect unnecessary data. If you don’t collect it, you can’t leak it. It’s a prudent, responsible decision that reduces risk for companies, teams, and individual employees.
Don’t share unnecessary data. There are times when you must collect the data but that doesn’t require you to also share it. Data sharing needs to be scoped to a specific use case and dynamically shifted when necessary.
Recognize the need for continuous monitoring. Too many apps are built, launched, and then neglected without another thought given to what information those apps hold. Developing a baseline of “normal” and investigating anything beyond it is key to limiting unwanted exploitations of privacy and data.
Be transparent. Beyond taking proper steps to protect and limit sharing data, entrepreneurs should take steps to proactively engage with their customers around data privacy, creating privacy policies and statements on digital properties with clear language.
As is always the case, the devil is in the details. But proactively considering data privacy offers a business builder a chance to showcase commitment and transparency to customers in an age of waning trust, in addition to avoiding the regulatory headaches of an increasingly complex compliance environment.