The California Consumer Privacy Act went into effect at the beginning of the year and enforcement will begin this summer. But some Californians aren't waiting for the state's regulators to step in with fines against businesses for not complying with CCPA's requirements.
CCPA allows individuals to sue companies over alleged violations of the law, and children's clothing company Hanna Andersson and software vendor Salesforce have already been jointly hit with a class action lawsuit related to a data breach.
And CCPA isn't the only new data privacy law that organizations need to comply with. The European Union's GDPR took effect in the spring of 2018, and other states and jurisdictions are in the process of developing their own privacy laws.
All this is raising the stakes of data collection for customer analytics and other applications. Concerns are also swirling about the ethical use of AI as news reports appear about AI-powered bias in recruitment, overzealous use of facial recognition for surveillance and other issues. Now more than ever, as part of their data management strategies, companies need to evaluate how they collect consumer data and whether they are doing so in a responsible and legal manner.
What are ethical data collection considerations?
Facebook, for example, just settled a biometric privacy class action lawsuit for $550 million, said Ana Tagvoryan, co-chair of the class action defense practice and head of the privacy class action team at Blank Rome LLP, a Philadelphia-based law firm.
That settlement will put more pressure on lawmakers to create more stringent regulations around handling biometric data, Tagvoryan said. In fact, Illinois has already done so, she added.
"With the rise of facial recognition technology, biometric privacy is becoming more and more of a hot privacy issue," she said. "Even retail stores using cameras for facial recognition to prevent theft and fraud are being sued for illegal biometric data collection."
In early February, 60 hospital chains joined electronic health record company Epic in opposing proposed rules to make it easier to share health data with apps. Google, Apple, Microsoft and other big tech companies -- as well as many patient advocates -- support the new data interoperability rules because they'll give patients more control over their own data.
The issue at hand isn't whether to share the data, but how to do so in an ethical and responsible way. Epic CEO Judy Faulkner, for example, said she's worried that if patient data is shared with third-party apps, information about family members will also be shared without their permission.
How to get ethical data collection right
Collecting and using customer data is important to many industry verticals. Retailers, for example, make heavy use of consumer data to improve marketing, sales and customer service.
"Every major retailer is in the midst of deploying chatbots and virtual agents," said Ray Wang, principal analyst and founder at Constellation Research Inc. "I think the privacy regulations actually provide some guardrails on how you do this. Now, companies can work on following the privacy requirements -- CCPA, GDPR. Those regulations have made it easier because you now have some ground rules."
What the regulations are doing is getting rid of the most unethical companies in the space, according to Dave Frankland, managing director at Winterberry Group, a New York-based management consultancy.
For example, after GDPR went into effect, up to 60% of European third-party data vendors went out of business. These were mostly smaller firms, operating in the gray areas of consumer privacy, Frankland said.
Marketers need to be careful about how they use data sourced from the remaining brokers, said attorney Marc Mandel, co-founder and general counsel at CCPA Toll Free, a compliance services provider based in Claymont, Del. He recommended asking data vendors whether they can list the publishers the data is collected from to ensure it was collected in accordance with privacy regulations, plus these additional questions:
"What notice did the consumer receive at the point of collection? Can you show me a copy of the notice text? A screen capture of how the notice was presented? Was it an affirmative opt in? What intermediaries sit between the publisher and you as the data broker?"
The goal of ethical data collection and usage is to give brands enough room to be creative on analytics without being creepy, Mandel said.
Ethical data gathering is built on granular permissions
There's a common misconception that a disclaimer provides carte blanche for a company to use collected personal information as it sees fit, said Roger Hale, CISO-in-residence at YL Ventures, a venture capital firm based in Mill Valley, Calif.
Users opt in for a specific purpose, to obtain information or services, he said. "Such personal data is collected under particular, narrow circumstances and cannot be used or redistributed casually."
A related area is the use of derived data drawn from a data set, said Mike Bechtel, managing director for new and experimental technologies at Deloitte Consulting LLP. This is a gray area when it comes to regulatory compliance, according to Bechtel, who warned that not asking for permission to collect it is an ethical mistake in mining data.
"For example, someone might grant access to their heart rate [data], but a company may perform analytics on that heart rate to determine secondary characteristics such as, say, heart rate variability," he said.
Another common issue is when companies create lengthy end-user license agreements that pack in everything they might ever conceivably do with collected data and are essentially impossible for people to read. "Companies might consider breaking their data asks into dramatically smaller a la carte requests prompted at time of need," he said.
Having a single catchall agreement might be easier to do -- and be legal. But allowing customers to make decisions about their data in smaller chunks as needed is "dramatically more human," Bechtel said.
How much data do you really need?
There's a lot of data that companies can collect about customers, potential customers or the general public. But that doesn't mean they should.
At the end of 2019, Herow, a mobile location intelligence software vendor based in Paris, conducted a survey that asked people when they would consider sharing information. Results showed that 59% said they base data-sharing decisions on a company's brand reputation, while 53% base the decisions on compliance with privacy regulations.
But companies shouldn't view those relatively lax attitudes toward data sharing as a license to collect all the data they can, said Pascal Ehrsam, chief marketing officer at Herow. He suggested a middle ground between collecting too much data and collecting no data at all and missing out on potential business opportunities.
The goals of the data collection process should be clearly defined, and the minimum amount of data collected to meet those goals, Ehrsam said. In addition, he recommended using only first-party data and having clear and active consent from customers about how the data will be used. "To us," he said, "the line not to cross is very simple: the one the user gives you."
Branch Metrics, a mobile marketing platform vendor based in Redwood City, Calif., is also taking a minimalist approach to data collection.
"We've made a number of deliberate decisions to not collect additional data and to keep that data for limited periods of time," said Alex Austin, the company's co-founder and CEO. "We don't collect or store information such as names, email addresses, physical addresses or SSNs. The personal data we do collect is then pseudonymized and purged from raw logs after seven days."
Branch Metrics adopted those practices even though some of its corporate clients requested otherwise, Austin said. It also has committed to never sell or license customer data to anyone else, he added. "And our data protection officer conducts regular training to remind all R&D team members about these commitments and the importance of abiding by them."
Ethical enterprises go beyond the bare minimum
The main thrust of both CCPA and GDPR is to give consumers more control over their own data. Upon request, a company will need to share what personal information it has collected about individuals -- and then delete that information if a customer asks.
Doing so can be tricky, Frankland said, because many enterprise systems aren't designed to handle these tasks. Businesses tend to collect consumer data in different data silos created by separate business units -- systems that often aren't able to play well together.
It can be tempting to do the least amount of work necessary to comply with the regulations. But that's a mistake, cautioned Matthew Seror, an attorney and shareholder at Buchalter PC, a law firm based in Los Angeles. "I'm not counseling clients to just do the minimum to get by," he said.
For example, if a company decides to offer the right to be forgotten just to California residents under CCPA, it will face the hassles of maintaining one system for them and another for everyone else. Seror said it's smoother -- and less risky -- to apply the privacy protections more broadly.
"Consumers are expecting companies to treat their data and their personal information in an ethically responsible way," he said. "And there will be a backlash if they don't do that."
Companies that fail to understand this may lose the trust of customers, which ultimately could result in a loss of market share to organizations with better data practices, he warned.
Plus, other states and jurisdictions are likely to roll out similar laws, according to Seror. Some states are already debating their own regulations, and he thinks federal legislation is likely to come at some point. "The trend is clearly going toward consumers having more control over their personal information," he said. "Businesses will be well suited to stay ahead of the curve."
Ethical data collection can be a long-term advantage
In the short term, companies that invest in data collection best practices, effective privacy protections and guidelines on analytics and AI ethics will be better positioned to reduce reputational damage, fines and lawsuits. In the long term, with a solid data privacy infrastructure in place, ethical data collection is a potential business driver, Frankland said.
"It can be a differentiator -- a way to develop trusted relationships with customers," he said.
The key is not to think of data as something that helps the company itself but as something that helps the customer, he advised. "A customer is going to be more willing to give permission to use their personal data if they benefit directly."