Privacy 2.0: An Uncomfortable Compliance

If the GDPR formalized our natural rights to digital privacy, why does so much of the work around data seem so unnatural in regards to privacy?

This new state of discomfort is manifested in both consumer experience and corporations usage of data.  In a future where everything is data driven, companies have to move beyond compliance to solve this awkward state.

Privacy Policy 2.0 – An Awkward Customer Experience

Anyone tired of consent popups and emails asking for consent to receive an email?  How about being redirected to a Privacy Policy to be told how cookies really work?

Privacy Policies are now in clear and understandable language instead of legalese, but you can’t help feeling like it was inspired by a lawyer protecting the company instead of your rights.

Most privacy policies are not being read.  They weren’t being read in Privacy 1.0, and even with clear language, they are still not being read in Privacy 2.0.  So where is the value?  Is this really what was meant by transparent and informed choice?

Privacy Policy 2.0 – Transparency Alone Falls Short

In fairness, it is no easy task to balance the need to be understandable, transparent, and protect your company from being fined in a compelling and interesting manner.  My own Privacy Policy fell short of what I wanted to do, and I am not even collecting data for secondary usage.

It shouldn’t be this hard to respect privacy and use data appropriately.  So why is it?  What are we missing here?

It has been said that data is the new oil.

If data is the new oil, then Privacy is the new dollar

Companies are coming up short on Privacy Capital, and this uncomfortable compliance can’t pay the bill for the data they want to use.

Where Are We on the Path to Privacy?

We are at the necessary, but temporary state of Privacy 2.0 – Privacy as an Afterthought or Compliance.  The initial emphasis of GDPR enforcement of transparency(start@3:46) is resulting in an attempt to do the right thing the wrong way (patching up 1.0 systems not designed for privacy).  Again, it is necessary, but awkward and it is manifested in Privacy Policies 2.0.

We went from Privacy Policy 1.0 – No privacy “get over it” to hefty monetary penalty avoidance on May 25, 2018.  This change created a scramble to compliance illustrated below as Privacy version 2.0 where most companies tried to remediate 1.0 systems instead of redesigning their systems.

The volume of usage should go down from the Wild West days of Privacy 1.0, and this decrease is to be expected.  The goal, however, ought to be the increase in the legitimate use of data, and Privacy 2.0 won’t get us there.

Facebook’s Privacy Capital Deficit Only Grew with 2.0 Transparency

Facebook’s privacy impact stats show the usage effect of exposing Privacy 1.0 practices.  The Cambridge Analytica revelation resulted in ~25% of Facebook users removing the Facebook app from their phone.  GDPR rights giving Facebook users the ability to download the info collected on them resulted in 47% of those users removing the app from their phone.

Facebook has incurred a growing Privacy Capital deficit which has impacted their stock due to a decreased use of data, increased security costs, and as this stock analysis article cites, impending U.S. privacy regulation.

The breach of trust has to be repaired and privacy as an afterthought won’t do it.  Privacy 2.0 begs the question of how do we get to Privacy 3.0 – Privacy by Design?

Identify Self-Defeating Organizational Factors

What’s preventing you from moving to Privacy 3.0 today?  Your legal team could be too busy worrying about being fined instead of privacy that enables data usage.  Your business wants to hide anything which will reduce the amount of data they can collect and use.   IT has to redesign their end to end data flow with privacy as the default while dealing with unclear guidelines, competing interests, and the lack of will/priority to invest in privacy.  Most organizations have not aligned all three of these groups to rationalize how they use data.

Privacy 2.0 is at best a transition phase.  Trying to duct tape privacy as an afterthought may get you compliant on primary data (regardless if it is needed), but it won’t enable you to use data for secondary purposes.  On the contrary, the longer a company puts off Privacy 3.0, the less data they will have to use and the more likely they will be to have consent leakage.  Consent leakage is when a company unwittingly violates consent choices of their customer because they never designed for privacy.  This approach is Lawsuit by Design, and it is the inevitable result of Privacy 2.0 mindsets.

So what does Privacy 3.0 look like?

  1. It understands and respects data privacy.  This is basic Golden Rule stuff as Senator Durbin pointed out in the Facebook hearing –   Mr. Zuckerberg, “Would you be comfortable sharing with us the name of the hotel you stayed in last night?” –senator no.  Well, then, if you don’t want to be tracked, don’t track others.  If you do want to be tracked, fine, but give others the choice just like you have.
  2. When privacy is respected and there is a Golden Rule commitment not to use data for secondary purposes without explicit and narrow consent, then companies must build systems that are designed to respect privacy programmatically and procedurally – Privacy by Design.

Where to Start? Separate Primary Data from Secondary Data

Don’t ask for consent to cover your assets when you already have a legitimate reason to process the data.  I am sure your lawyers have you covered in the EULA and TOS for primary data usage (check with them).  This justification requires that you fully know your DEN and have established a legitimate/legal basis for all collection, processing, and usage of data.  Your documentation and justifications should be sufficient for an audit.

Where your business has tried to sneak in secondary purpose usage of the data, remove it from the EULA/TOS and properly, visibly, and transparently ask for explicit consent.  This removal includes sharing data with “third parties” that is not required to fulfil the primary service.  Be prepared to demonstrate how you value consumer’s privacy and what you have put in place to keep their data secure and private.

You will want to throw in some value in your secondary data usage opt-in program in exchange for people letting you use their data.  Remember that digital privacy means that consumers maintain control over their data, and consent can be removed at any time along with that data.

If your company’s business model doesn’t ever need to use secondary data, then maybe Privacy 2.0 is sufficient since you don’t need consent.  Compliance in security and privacy (CPNI, PII, SPI) may be sufficient in those cases.

Privacy Pays

It is time to re-imagine the Privacy Policy in a way that raises Privacy Capital instead of chasing people away.

Privacy Policy 3.0 could change this dead space into the most read and heaviest trafficked page on your site.  This page should be digital bedrock for the two way dynamic relationship companies will have when their audience has a reason to trust them with their data.   In this oil rush, it is privacy or bust.

Comments are disabled here to consolidate comments here on LinkedIn.

Real World Consent Translated to Digital

Tsvi Lev recently commented about the Facebook data violations and the impending regulation by saying,

“This is NOT the end of analytics – it is the dawn of properly used analytics.”

New regulations requiring explicit consent have the potential to significantly change business models in advertising.  Consent may disrupt or consolidate many of the Ad Tech players in the market today who can’t or fail to change their business operations.  It is no secret that since the dawn of the internet cookies, Ad Tech hasn’t really been concerned about privacy.  For those companies, new regulation may be a day of reckoning, but it doesn’t have to be.

Back to the Future

We need to look back at the door to door salesman to understand what digital advertising has ignored as it assembled your shadow digital profile.   In a lot of ways, those salesmen were like internet opportunities.  When the salesman approached a potential customer they had seconds to connect with a customer before the door was shut in their face just like the 10s limit users will give you before moving on to another site.

The movie Secondhand Lions (SHL) nails the process of the door to door salesman getting consent before making a pitch and ultimately winning the sale.  Think about this guy’s sales approach as a parallel model for digital advertising as we walk through the wrong and right approach in three acts.

Act 1 – The Wrong Approach

The SHL scene opens on a rural Texas farm with a long drive that ends in front of a dilapidated wrap around porch.  Two old bachelors are sitting on the porch with their soon to be adopted nephew drinking ice tea.  Word has spread through the small town that these two have more money than they can spend which puts them in the demographic salesmen only dream about.

Each salesman drives on the brother’s private property, gets out of the car and immediately begins to pitch their goods.  Shortly after getting out of the car and beginning to speak, each salesman is greeted with multiple gunshots being fired over their heads as a warning.  The old bachelors are defending their private property from uninvited solicitations, and no sales are made.

The pitch was uninvited, initiated as a trespass on private property, and showed no respect for the two brothers.  The brothers responded by enforcing their privacy rights.

Act 2 – Personalization Done the Right Way

The next sales scene opens with the brothers and nephew on the porch again drinking tea with their shotguns when one brave salesmen comes out for a second attempt at approaching them.  He has a completely new approach.  Now he has a respect for their privacy rights and comes out waving a white flag and asking them not to shoot.  The reaction of Michael Cain’s character is “He’s been here before, this is no ordinary salesman, this guy is good”.

He addresses them by name and asks if they can talk (respect for their privacy and asking for consent).  Now instead of shots being fired, a two way discussion begins to take place.

The conditions for the continued conversation are laid down.  Robert Duvall’s character, Hub, tells the salesman to come out where we can see you (transparency).   The salesman asks them to put their guns down so he can show them what he has brought for their consideration (clear intent).  The salesman tells them to trust him (he treated them like people not demographics and showed respect for their privacy).  Hub agrees to hear what he has to show them, but then says “afterwards we’ll shoot him” (consent is not permanent and can be withdrawn at any time).

The salesman’s opening pitch is a changed approach.  He then goes on to say “due to the unsettling nature of our previous encounter, I searched the world over for the perfect item that would be just right for two exuberant sportsman such as yourself.”  Wow-quite a change, let’s look at what he did:

  1. He admitted that his first approach was wrong
  2. He searched for an item that would be of personal value to them
  3. He segments them into a group, exuberant sportsman, that they want to identify with (more appealing than rich guys with money to burn).

The salesman then shows them something that they didn’t know existed – a sporting clay launcher that even a kid can operate.  He brought them something he knew they would want.  This guy put some thought into analyzing the brothers as people and not customers to be fleeced.  His pitch starts with the statement that until now, only the heads of state could have such a product, and I am bringing to you the most powerful model at a reasonable price.  Needless to say, they buy the product.

This is personalization done right.  The salesman asked permission to speak to them.  He has come with something he knows they will want because he analyzed their first encounter.  He democratizes something previously out of reach to the common person.  He gives them quality at a fair price.  They didn’t even have to leave their house or exert much effort to have it.

Act 3 – The Final Sale

The movie ends with the nephew returning to the house after the brothers have died.  Anchored in small pond in the front of their property is a massive yacht barely floating in the shallow water.  When asked about the yacht in the ridiculously small pond, the nephew responds by saying “There was this traveling salesman…”

This one salesman succeeded where others failed by following a new model of sales that we should imitate in the digital world.  He demonstrated 7 key factors that serve as a template for digital interactions by:

  1. Respecting privacy
  2. Being transparent
  3. Asking for consent, realizing that consent can be withdrawn at any time
  4. Being clear about what he was asking consent for
  5. Earning trust
  6. Offering value – consent and trust got the brother’s “off the porch” and value determined further interaction
  7. Personalizing value and tailoring convenience

So, by asking for consent in a way that gave the potential customer control, choice, and transparency, the salesman gained trust.  He was then able to present them something that was of personal value to them.

These 7 key factors should be translated into the digital advertising world so that the door to personalization is opened by consent.  What was really gained was more than a customer.  These factors started a two way relationship that lasted a lifetime and exponentially multiplied the investment that was made in securing consent by trust and value.

Where does the Digital Advertising world need to go from here?

How do Facebook and digital advertisers move forward in the face of impending regulation?  A good start would be to admit to the public like our salesman “due to the unsettling nature of our previous encounter,” I will respect your privacy, be transparent with how we collect, process, and use your data, ask you if I can use your data, and provide you with something you value.

Each new data breach exposes to the general public how their privacy is being violated, and armed with that knowledge, they are starting to fire warning shots.  When companies realize that privacy by design is a requirement, this change will be “the dawn of properly used analytics” as Tsvi Lev stated.

Let the right personalization begin.

Comments can be posted as replies on Linkedin.

For Your Entertainment

Here are the links below to the Secondhand Lions scenes referenced in this blog.  You will probably find additional advertising insights of your own and a good laugh.

The wrong approach:

The right approach:


By clicking on the YouTube links, you will leave the DataEDEN blog site.  The Ad Tech world will be sending your personal viewing information back to Google to serve you relevant ads at some point in your digital journey.

I found Secondhand Lions to be entertaining and funny with some mild language.  It illustrates enforcing consent choices with an intersection of  the 2nd Amendment being used to enforce the 4th Amendment which some might find offensive.  I do not endorse certain implied philosophic assertions concerning the foundations of belief, the importance of history, and the nature of truth contained in the movie.