December 7, 2022
Almost 100% of Americans can be re-identified from masked datasets using just 15 data points, according to research published by Nature. That carries terrifying implications considering “the data broker industry has a data exchange protocol that allows for 1,557 different pieces of demographic information that can be collected and transacted about each of us,” says Vikram Venkatasubramanian, Founder and CEO, Nandi Security. The data harvesting story takes an even darker turn when companies maliciously use it to manipulate customer behavior. One nauseating example is detailed in an article in The Atlantic. Is it really a surprise that consumers are demanding that data privacy and transparency be a given in their customer experience?
“Privacy has become a competitive differentiator for many organizations, something that was not expected, even five years ago when it was purely a compliance exercise,” says Criss Bradbury, data & privacy market offering leader for Deloitte Advisory. “It is now a core component of how organizations build (or even lose) trust with their internal and external stakeholders -- which is highly important as trust is one of the key factors in driving high performance with customers and employees,” Bradbury explains. A recent Deloitte report found that “trustworthy organizations outperform those deemed untrustworthy by 2.5 times --and that 88% of customers would buy again from a brand they trust.”
Consumer demand is also the tide pushing data privacy regulations to every shore. But they’re not washing across the land with the same intensity of effect.
“US data privacy laws are primarily commercially focused with privacy as a backdrop, while the EU data privacy laws are mostly fundamental human rights-focused with commerciality as a backdrop,” explains Gary LaFever, co-CEO and general counsel of Anonos, a data privacy and compliance company.
Consenting to Be Tracked
Many organizations agree with expanding data privacy for everyone but fear a shrinking bottom line when consumers balk at granting permissions. That fear is not unfounded.
Take the example of Apple privacy reports, which tell users what data is being collected and how many times apps or browsers attempt to track them. Apple also requires apps to ask for a user opt-in before tracking can commence. “Since Apple instituted their privacy reports it is estimated that only 25% of Apple users worldwide have consented to be tracked,” says Lisa Loftis, SAS customer intelligence product manager.
But the either/or approach to data privacy may prove to be a false dichotomy.
“Commercial opportunities don’t have to be lost. ‘No’ doesn’t have to be the default answer. It’s possible to both protect and use enterprise data assets. Data privacy protectors and data users within the enterprise can better collaborate, control, and customize their approach to remove the traditional conflicts between them,” LaFever explains.
However, consumers know it is foolhardy not to push hard for data privacy controls of some kind.
“We have already seen radical implications of this from law enforcement being able to bypass the Fourth Amendment by purchasing data from data brokers to insurance companies being able to raise health insurance rates based on internet search histories of individuals to differential pricing on apps that predate on their users prime vulnerability moments,” says Venkatasubramanian.
“Let us not also forget that this data is available to anyone who asks -- hackers included, which in turn results in higher levels of cyberattacks and identity theft on homes and individuals,” he adds.
Privacy Is Not Dead
The demands for data privacy are growing and there is no turning back. But is it too late to make a real difference?
“We need to push back on the thinking that privacy is dead,” says Baber Amin, COO of Veridium, an integrated identity management platform provider. “It is not dead. In fact, more than ever, it needs to be nurtured and thought through in light of modern technology. A good example of not giving up is [the US Supreme Court case] Carpenter v United States.”
The question remaining in this discussion is: Are companies ready, willing, and able to provide data privacy protections? If you, like many other companies, answered “Why yes, of course, but how do you do that?” then you may find the following tips on building privacy by design into your customer experience programs helpful:
1. Consider using privacy-enhancing computation (PEC). In short, PEC enables different users to extract value from the data without actually sharing the data. Specifically, it is an emerging set of techniques and technologies under the one umbrella term.
“One of the most exciting aspects of PEC is that it enables users to maintain privacy while the data is computed, keeping the data behind a firewall. And take that one step further, there is now technology that keeps the algorithm that is computing on the data as private as the data itself,” explains Riddhiman Das, founder and CEO of TripleBlind, a data and algorithm privacy provider.
“So, if a user has a proprietary algorithm, they won’t lose their intellectual property while computing the data, and that data remains private. The data owner won’t have to worry about it being lost or stolen and the algorithm provider doesn’t have to worry about someone stealing their proprietary algorithm,” Das adds.
2. Develop better transparency policies and make them public. Go transparent as you can immediately, and then evolve your policies over time so that you address any changes promptly.
“The proper way to go forward is through transparent privacy policies that notify users about the data and information we collect,” says Apu Pavithran, CEO of Hexnode, a device management company. “Transparency is the key if you want to generate trust and build a more valuable connection with consumers. However, building trust via openness requires time and effort, but can help firms outperform their competitors in terms of sales, revenue, and marketing ROI.”
3. Improve your communication effectiveness. Don’t bury your data privacy protections in legalese. Be upfront and concise about what you’re doing for customers and why it matters.
“The US privacy laws to date have focused on notice and consent,” says Jeewon Serrato, Partner at BakerHostetler and co-lead of the firm’s US Consumer Privacy practice. “Data privacy in the future will be about how businesses can effectively communicate the value of the data collection that’s happening. That communication is not going to happen in a 30-page privacy notice or presented in a cookie consent popup.”
4. Consider data privacy beyond the user. Data privacy invasions will occur at the periphery and from casual and unintended observation. You need to be proactive in stopping that and/or protecting data privacy there, too.
“Users may continue to lose true control over opting in or out of data, especially when collected from increasingly popular MR/VR devices,” says Jarrett Webb, technology director at Argodesign, a product design firm. “Fortunately, most MR/VR experiences today are directed toward consumers, who have control over when and how they wear the device. Wearers can choose to let apps have access to their facial data, but if you’re not the one wearing the device, there is no way to opt out.”
5. Develop data privacy policies for employees and consumers. Employees are consumers, too. They also can help spread the word about how safe (or not) your company is in handling private data.
Webb provides this example, “Employers may require employees to wear MR/VR devices as part of their daily responsibilities. This makes personal privacy decisions more complex: Is your privacy more important than being employed? Is your employer liable for data breaches of a third-party app involving your facial data? This isn’t fearmongering but a reality we must reconcile as MR/VR experiences become more common. It is an eventuality we must accept because all MR/VR devices either are or will capture data from your face.”
6. Build privacy boundaries designed to curtail confusion. Enforce boundaries on data privacy, particularly where other boundaries muddy the issue. In other words, work to make sure your data privacy policies are transparent and currently compliant, but also understandable to customers.
Complying with regulations will likely become quite complex as device manufacturers and users cross over to sovereign boundaries. For example, “US citizens might use devices from Chinese vendors or European citizens to use US-based applications. Governments may also regulate where facial data is stored and how their citizens’ data is used,” says Webb.
7. Ensure your partners have data privacy protections in place, too. Don’t be timid with this as this requirement is already approaching norm status.
“Years ago, when I’d review customer contracts, they focused primarily on security-related requirements and very little on privacy requirements,” says Konrad Fellmann, CISO and VP of IT Infrastructure at Cubic Corporation. “Today, nearly every customer RFP includes very specific and defined privacy and data protection requirements.”
Fellmann says he believes this shows that organizations and many regions throughout the world are taking the privacy of their customers’ data more seriously, and that it is common practice today for organizations to have dedicated privacy programs in place. “This progress is great for the general population as consumers can feel more confident that their information is being better protected," Fellmann adds.
What to Read Next:
About the Author(s)
You May Also Like
The Forrester Wave™: Vulnerability Risk Management, Q3 2023
How to Develop an AI Governance Program
Solution Brief: Fortinet FortiFlex Delivers Usage-Based Security Licensing That Moves at the Speed of Digital Acceleration
Ultimate Guide to the CISSP
Top Six Recommendations to Improve User Productivity with a Hybrid Architecture