Privacy 2.0: An Uncomfortable Compliance

If the GDPR formalized our natural rights to digital privacy, why does so much of the work around data seem so unnatural with regard to privacy?

This new state of discomfort is manifested in both the consumer experience and corporations’ usage of data.  In a future where everything is data driven, companies have to move beyond compliance to solve this awkward state.

Privacy Policy 2.0 – An Awkward Customer Experience

Anyone tired of consent popups and emails asking for consent to receive an email?  How about being redirected to a Privacy Policy to be told how cookies really work?

Privacy Policies are now in clear and understandable language instead of legalese, but you can’t help feeling like they were inspired by a lawyer protecting the company instead of your rights.

Most privacy policies are not being read.  They weren’t being read in Privacy 1.0, and even with clear language, they are still not being read in Privacy 2.0.  So where is the value?  Is this really what was meant by transparent and informed choice?

Privacy Policy 2.0 – Transparency Alone Falls Short

In fairness, it is no easy task to be understandable and transparent, and to protect your company from being fined, all in a compelling and interesting manner.  My own Privacy Policy fell short of what I wanted to do, and I am not even collecting data for secondary usage.

It shouldn’t be this hard to respect privacy and use data appropriately.  So why is it?  What are we missing here?

It has been said that data is the new oil.

If data is the new oil, then Privacy is the new dollar.

Companies are coming up short on Privacy Capital, and this uncomfortable compliance can’t pay the bill for the data they want to use.

Where Are We on the Path to Privacy?

We are at the necessary but temporary state of Privacy 2.0 – Privacy as an Afterthought or Compliance.  The initial emphasis of GDPR enforcement on transparency (start @3:46) is resulting in an attempt to do the right thing the wrong way (patching up 1.0 systems not designed for privacy).  Again, it is necessary but awkward, and it is manifested in Privacy Policies 2.0.

We went from Privacy Policy 1.0 (no privacy, “get over it”) to hefty monetary penalty avoidance on May 25, 2018.  This change created a scramble to compliance, illustrated below as Privacy version 2.0, where most companies tried to remediate 1.0 systems instead of redesigning their systems.

The volume of usage should go down from the Wild West days of Privacy 1.0, and this decrease is to be expected.  The goal, however, ought to be the increase in the legitimate use of data, and Privacy 2.0 won’t get us there.

Facebook’s Privacy Capital Deficit Only Grew with 2.0 Transparency

Facebook’s privacy impact stats show the usage effect of exposing Privacy 1.0 practices.  The Cambridge Analytica revelation resulted in ~25% of Facebook users removing the Facebook app from their phone.  GDPR rights giving Facebook users the ability to download the info collected on them resulted in 47% of those users removing the app from their phone.

Facebook has incurred a growing Privacy Capital deficit, which has impacted their stock due to a decreased use of data, increased security costs, and, as this stock analysis article cites, impending U.S. privacy regulation.

The breach of trust has to be repaired, and privacy as an afterthought won’t do it.  Privacy 2.0 raises the question: how do we get to Privacy 3.0 – Privacy by Design?

Identify Self-Defeating Organizational Factors

What’s preventing you from moving to Privacy 3.0 today?  Your legal team could be too busy worrying about being fined to focus on privacy that enables data usage.  Your business wants to hide anything which will reduce the amount of data they can collect and use.  IT has to redesign their end-to-end data flow with privacy as the default while dealing with unclear guidelines, competing interests, and the lack of will/priority to invest in privacy.  Most organizations have not aligned all three of these groups to rationalize how they use data.

Privacy 2.0 is at best a transition phase.  Trying to duct tape privacy on as an afterthought may get you compliant on primary data (regardless of whether it is needed), but it won’t enable you to use data for secondary purposes.  On the contrary, the longer a company puts off Privacy 3.0, the less data they will have to use and the more likely they will be to have consent leakage.  Consent leakage is when a company unwittingly violates the consent choices of its customers because it never designed for privacy.  This approach is Lawsuit by Design, and it is the inevitable result of Privacy 2.0 mindsets.

So what does Privacy 3.0 look like?

  1. It understands and respects data privacy.  This is basic Golden Rule stuff, as Senator Durbin pointed out in the Facebook hearing: Mr. Zuckerberg, “Would you be comfortable sharing with us the name of the hotel you stayed in last night?” – “Senator, no.”  Well, then, if you don’t want to be tracked, don’t track others.  If you do want to be tracked, fine, but give others the choice just like you have.
  2. When privacy is respected and there is a Golden Rule commitment not to use data for secondary purposes without explicit and narrow consent, then companies must build systems that are designed to respect privacy programmatically and procedurally – Privacy by Design.

Where to Start? Separate Primary Data from Secondary Data

Don’t ask for consent to cover your assets when you already have a legitimate reason to process the data.  I am sure your lawyers have you covered in the EULA and TOS for primary data usage (check with them).  This justification requires that you fully know your DEN and have established a legitimate/legal basis for all collection, processing, and usage of data.  Your documentation and justifications should be sufficient for an audit.

Where your business has tried to sneak in secondary purpose usage of the data, remove it from the EULA/TOS and properly, visibly, and transparently ask for explicit consent.  This removal includes any sharing of data with “third parties” that is not required to fulfil the primary service.  Be prepared to demonstrate how you value consumers’ privacy and what you have put in place to keep their data secure and private.

You will want to throw in some value in your secondary data usage opt-in program in exchange for people letting you use their data.  Remember that digital privacy means that consumers maintain control over their data, and consent can be removed at any time along with that data.

If your company’s business model doesn’t ever need to use secondary data, then maybe Privacy 2.0 is sufficient since you don’t need consent.  Compliance in security and privacy (CPNI, PII, SPI) may be sufficient in those cases.

Privacy Pays

It is time to re-imagine the Privacy Policy in a way that raises Privacy Capital instead of chasing people away.

Privacy Policy 3.0 could change this dead space into the most read and most heavily trafficked page on your site.  This page should be digital bedrock for the two-way dynamic relationship companies will have when their audience has a reason to trust them with their data.  In this oil rush, it is privacy or bust.