This post about data collection is co-authored by Tricia Dunlap (Esq., CIPP/US) of Dunlap Law PLC and Ben Nelson, tech lead at SingleStone.
In recent years, many businesses have come to perceive data as a commodity. In fact, some businesses collect data just because they can, even if they don’t need it to achieve their legitimate purposes. Some business leaders think of data as a dollar bill lying on the sidewalk: why not pick it up?
Thanks to an increasingly complex data privacy legal landscape, businesses that treat data or personal information (PI) as commodities are probably sowing the seeds of future liabilities. Data is a business asset, but like any asset, it can be toxic.
Data Audiences
What does the consumer really know about data collection?
You might think we’re overreacting. After all, don’t consumers routinely give their consent to data collection practices? Yes, consumers do give their consent but, let’s be honest, that’s almost always a fig leaf. Most consumers do not understand that the privacy policy and terms of use they click approval for give a company legal ownership of their data in perpetuity. Or that, when the company they consented to is sold, their data is also sold to the new owner.
The consequences are that consumers do not know who will have control over their data in the future or what safeguards will be in place. Further, consumers often face a choice between surrendering their data or being locked out of society. That is not informed consent, and consumers are starting to put their foot down. The world is responding with a rising tide of anger over how businesses collect, store, use, and share their data or PI.
A global response to data collection
In the EU, rebellion against ubiquitous data collection resulted in the General Data Protection Regulation, replicas of which have been adopted by numerous other countries. In California, it led to the California Consumer Privacy Act, effective January 1, 2020. Unsatisfied, Californians for Consumer Privacy got a data privacy rights referendum on the ballot for the November 2020 election. In 2019, the Illinois Supreme Court held that consumers aggrieved by violations of the Illinois Biometric Information Privacy Act could prevail against defendants even if the consumer could not show they were harmed by the violation. In states across the U.S., waves of data privacy legislation and litigation are forcing change.
What does this mean for businesses?
A 2019 survey of senior executives by Gartner showed that the acceleration of privacy regulation and related regulatory burdens is the top emerging risk faced by companies globally. In fact, 64% of executives identified it as a key risk, and 70% of executives from the banking, financial services, technology, telecommunications, and food, beverage and consumer goods sectors identified it as their top risk.
We are on the cusp of a new era, triggered by the growth of indiscriminate data mining and plagued by its unique legal, regulatory, reputational, and other risks. How can you as business leaders prepare yourself for this new, transparent future? We’ve outlined six core principles every business should adopt as a guide to its data collection practices.
1. Data and PI are not commodities.
The idea that people we don’t know have access to our personal information makes us feel vulnerable and exposed. The “Big Brother” effect can impact one’s psyche. PI is not a commodity. If your customers feel that you are treating their PI as such, they’ll never trust you.
2. Establish a strong, voluntary internal compliance program.
Commit to understanding the current regulatory environment at the local, state, federal, and international levels. Continually track its rapid evolutions. Document your company’s current controls, identify risks arising from your current practices, and build an internal compliance program designed to mitigate those risks with appropriate oversight baked into your compliance model.
3. Collect only factually accurate information.
Once data is no longer current or accurate, dispose of, delete, or destroy it. Consider how grateful your customers would be if they received a notification letting them know that the personal data you collected from them had been properly disposed of, following the terms of use that they signed.
4. Minimize data collection.
Take only what is strictly necessary for your legitimate business purposes. Hold it only as long as you need it. We are past the “Data is cheap. So, let’s keep everything” days. Your data team wants to spend less time cleaning data and more time building innovative products designed to bring value to the people whose data you have legitimately collected.
5. Impose very strict limitations on data profiling.
Secure a data subject’s informed consent before using her data to make decisions that impact her, such as credit worthiness.
Data is biased. Bias can lead to incorrect conclusions that harm people. You must educate consumers about how their data can be inadvertently, or intentionally, used against them before people consent to have their data used in this way.
6. Everyone, regardless of their relationship to the company, must have access.
This means access to the data, info, and intelligence that a company has about them. This access should be enabled by design, be user-friendly, and be adapted and localized to different cultures, languages, and contexts.
Your data is just that…your data. Companies create innovative products and services to use that data. But at the end of the day, we should all be able to access our own data, regardless of how or why it was collected. Companies that include their customers in the innovation journey will generate positive social impact. You can lift the lid on the black box of data collection.
Be smart(er) about data collection. Be transparent with your customers. Engage legal, compliance, and risk professionals to create an internal compliance system and culture grounded in these six principles. As a result, you will build trust with the people who use your products and services and ensure that innovation can continue to have a positive impact on our society.
We’ve helped our clients with everything from data architecture, security and pipelines to machine learning. We can help you too. Please get in touch with Tricia at Dunlap Law PLC or Ben at SingleStone Consulting.