June 2015. In early June, Tim Cook, CEO of Apple made headlines by decrying the trade-off in the digital ecosystem – that free services are not worth the trade-off in loss of privacy as businesses mine consumers’ digital “breadcrumbs” for value. At the same time, a major Annenberg/U Penn study came out, proclaiming that most Americans are put off by data tracking and the vast amount of “private” information businesses maintain about consumers.
These headlines continue the long line of public opinion studies and public statements decrying the loss of privacy and the vast amount of “private” information that businesses – and the government – have on each of us. And yet, a May 2015 Bain & Co. study reached starkly different conclusions, stating that “more than half of consumers will share personal data willingly if asked and data use and protections are defined”. Well, which is it? And what do businesses need to do?
It seems to me that businesses need to be prepared for the possibility that Congress – or regulators – may be in the mood for action. Several FTC commissioners have spoken out regarding the sale of consumer data to data brokers, and recent FTC enforcement actions have suggested that the commissioners will take action even in the absence of financial harm.
While statutory change is difficult to predict, I do believe that regulators will be less forgiving about sloppy data governance practices and inaccurate privacy policies. And I think it is reasonable to expect that business owners may be held accountable for everything that happens with data on their sites and in their business, not just what the business explicitly does with data itself. The greatest business risks likely relate to activities a typical consumer might not anticipate by doing business with you: sale of data to third party aggregators; “following” users across too many sites; and mining digital information in ways that may be problematic under existing law, like the granting of credit or information relating to children.
In this environment of shifting sands, it is important that businesses review – and rethink — their data governance practices – and be sure that those governance practices apply to all the data a business maintains or relies on.
Data governance clearly includes the easy stuff – personally identifiable information like names, social security numbers and financial and health information.
But businesses must extend data governance practices to other data as well – data that might not have been considered PII a few years ago, but which is sensitive and valuable, and which would be “creepy” if it were made public — this can include anonymous and semi-anonymous information like tracking IDs, IP addresses, browser histories, geo location data, and other sorts of data that drives targeted marketing and ad tech.
By having clear data governance practices in place, and using technology like Mezzobit’s audience control module, a business can be sure that its privacy policies are accurate, it can manage and appropriately monetize the data it maintains, and it can respond quickly to any legal change that may one day come about.