iQoncept - Fotolia
The California Consumer Privacy Act went into effect at the beginning of the year and enforcement will begin this summer. But certain Californians aren't waiting for the regulators to step in with fines.
CCPA allows individuals to sue companies that violate the law, and Salesforce and children's clothing company Hanna Andersson have already been hit with class action lawsuits related to data breaches.
And CCPA isn't the only privacy law. Europe's GDPR went into effect in the spring of 2018, and other states and jurisdictions are already in the process of developing their own data privacy laws.
All this is raising the stakes of data collection. Concerns are swirling about the ethical use of AI as news reports appear about AI-powered bias in recruitment, overzealous use of facial recognition for surveillance and other issues. Now more than ever, companies need to evaluate how they collect consumer data and whether they are doing so in a responsible and legal manner.
What are ethical data collection considerations?
Facebook, for example, just settled a biometric privacy class action lawsuit for $550 million, said Ana Tagvoryan, co-chair of the class action defense practice and head of the privacy class action team at Blank Rome LLP, a Philadelphia-based law firm.
That settlement will put more pressure on lawmakers to create more stringent regulations around handing biometric data, she said. In fact, Illinois has already done so, she added.
"With the rise of facial recognition technology, biometric privacy is becoming more and more of a hot privacy issue," she said. "Even retail stores using cameras for facial recognition to prevent theft and fraud are being sued for illegal biometric data collection."
In early February, 60 hospital chains joined electronic health record company Epic in opposing proposed rules to make it easier to share health data with apps. Google, Apple, Microsoft and other big tech companies -- as well as many patient advocates -- support the new data interoperability rules because it will give patients more control over their own data.
The issue at hand isn't whether to share the data, but how to share the data in an ethical and responsible way.
Epic CEO Judy Faulkner, for example, said she's worried that if patients' data is shared with third-party apps, information about those patients' family members will also be shared without the permission of those family members.
How to get ethical data collection right
Collecting and making smart use of customer data is important to many industry verticals. Retailers, for example, make heavy use of consumer data for marketing, sales and improving customer service.
"Every major retailer is in the midst of deploying chatbots and virtual agents," said Ray Wang, principal analyst and founder at Constellation Research Inc., a technology research firm in Silicon Valley. "I think the privacy regulations actually provide some guardrails on how you do this. Now, companies can work on following the privacy requirements -- CCPA, GDPR. Those regulations have made it easier because you now have some ground rules."
Data brokers muddy the data collection waters
What the regulations are doing is getting rid of the most unethical companies in the space, according to Dave Frankland, managing director at Winterberry Group, a New York-based management consultancy.
Ray WangPrincipal analyst and founder, Constellation Research Inc.
For example, after the GDPR went into effect, up to 60% of European third-party data vendors went out of business. These were mostly smaller firms, operating in the gray areas of consumer privacy, Frankland said.
Marketers need to be careful about how they use data sourced from the remaining brokers, said attorney Marc Mandel, co-founder and general counsel at CCPA Toll Free, a compliance startup firm. Marketers should ask data vendors whether they can list the publishers the data is collected from to ensure it was collected in accordance with privacy regulations.
"What notice did the consumer receive at the point of collection?" he said. "Can you show me a copy of the notice text? A screen capture of how the notice was presented? Was it an affirmative opt in? What intermediaries sit between the publisher and you as the data broker?"
The goal of ethical data collection and usage is to give brands enough room to be creative without being creepy, he said.
Ethical data gather is built on granular permission
There's a common misconception that a disclaimer provides carte blanche for a company to use collected information as it sees fit, said Roger Hale, CISO-in-residence at YL Ventures, a San Francisco-based venture capital firm.
Users opt in for a specific purpose, he said, to obtain information or services. "Such personal data is collected under particular, narrow circumstances and cannot be used or redistributed casually."
A related area is derived data, said Mike Bechtel, managing director in tech and innovation at Deloitte Consulting LLP. This is a gray area when it comes to compliance. Not asking for permission is an ethical mistake.
"For example, someone might grant access to their heart rate [data], but a company may perform analytics on that heart rate to determine secondary characteristics such as, say, heart rate variability," he said.
Another common issue is when companies create huge end-user license agreements, impossible for a user to read, that packs in everything a company might ever conceivably do with collected data.
"Companies might consider breaking their data asks into dramatically smaller a la carte requests prompted at time of need," he said.
Having a single catchall agreement might be easier to do -- and be legal. But allowing customers to make decisions as needed in smaller chunks, he said, is "dramatically more human."
How much data do you really need?
There's a lot of data that companies can collect about customers, potential customers or the general public. But that doesn't mean that they should.
Some companies do collect as much data as they can, said Pascal Ehrsam, chief marketing officer at Herow, a mobile location company.
At the end of 2019, Herow conducted a survey asking people when they would consider sharing information. Results showed that 59% base their decision on a company's brand reputation, while 53% said they base their decisions on compliance with privacy regulations.
But companies shouldn't view those relatively lax attitudes toward data sharing as a license to collect all the data that they can, Ehrsam said. He suggested a middle ground between collecting too much data and collecting no data at all and missing out on potential business opportunities.
The goals for the data collection should be clearly defined and the minimum amount of data collected to meet those goals. In addition, he recommends using only first-party data and having clear and active consent from the users about how the data will be used.
"To us, the line not to cross is very simple," he said. "The one the user gives you."
Branch Metrics, an online marketing company, is also taking a minimalist approach to data collection.
"We've made a number of deliberate decisions to not collect additional data and to keep that data for limited periods of time," said Alex Austin, co-founder and CEO at Branch Metrics.
It did so even though some of its corporate clients requested otherwise, he said.
"We do not collect or store information such as names, email addresses, physical addresses or SSNs," he said. "The personal data we do collect is then pseudonymized and purged from raw logs after seven days."
He said the company has made a commitment to never selling or licensing its user data to anyone else. "And our data protection officer conducts regular training to remind all R&D team members about these commitments and the importance of abiding by them."
Ethical enterprises go beyond the bare minimum
The main thrust of both CCPA and GDPR is to give consumers more control over their own data. So if a consumer asks, a company will need to share what information they've collected about them. And, if a consumer asks, a company will need to delete that information.
This can be tricky, Frankland said, because many enterprise systems aren't designed to handle these tasks. Businesses tend to collect consumer data in different data silos and business units, systems that aren't designed to play well together.
In the short term, it can be tempting to do the least amount of work necessary to comply with regulations. But that can be a mistake.
"I'm not counseling clients to just do the minimum to get by," said attorney Matthew Seror, shareholder at Buchalter Law Firm in Los Angeles.
For example, if a company decides to just offer the "right to be forgotten" to California users, there will be the logistical hassles of maintaining one system for California residents, and another system for everyone else.
"Consumers are expecting companies to treat their data and their personal information in an ethically responsible way," he said. "And there will be a backlash if they don't do that."
Companies that fail to understand this will lose the trust of their customers, and lose market share, he said.
Plus, other states and jurisdictions are likely to roll out similar laws, he said. Some states are already debating their own regulations, he said, and federal legislation is likely to come at some point as well.
"The trend is clearly going toward consumers having more control over their personal information," he said. "Businesses will be well suited to stay ahead of the curve."
Ethical data collection can be a long-term advantage
In the short term, companies that invest in data privacy and AI ethics will be better positioned to reduce reputational damage, fines and lawsuits.
In the long term, once the initial investment in privacy and ethics infrastructure is in place, the company will be able to look at ethics as a growth area.
"It can be a differentiator," Frankland said. "A way to develop trusted relationships with customers."
The key, he said, is not to think of data as something that helps the company but as something that helps the customer.
"A customer is going to be more willing to give permission to use their personal data if they benefit directly," he said.