Research Industry Needs to Alter its Ways to Protect and Earn Consumer Trust
For an industry that depends on consumer cooperation, why do we treat them so poorly?
Research and data companies need to be doing more for consumers to protect their privacy and secure the data they provide, or else they risk extinction. Even in the wake of some of the most dangerous security breaches in history (Equifax, Facebook etc.) most research and data collectors have done little to adjust their business practices to secure consumers’ privacy. In fact, if anything, they continue to bite the hand that is feeding them. But, that hand is starting to turn into a fist with more consumers waking up to what’s really going on.
Companies are sticking their heads in the sand hoping that there will only be weak new legislation to get them to comply (as loosely as possible). But they are missing a change in consumer and legislative sentiment. With GDPR, the industry hit an inflection point on privacy. Research and data companies need to wake up. They need to be leading privacy and consumer consent reform – not following it.
Beyond GDPR, three somewhat under the radar actions have recently occurred—both by individual companies, AND the federal and state governments. Verizon and AT&T just agreed to stop sharing location data with third party aggregators. One article stated, “over 75 companies have been obtaining Verizon’s customer data from two little known California-based brokers – LocationSmart and Zumigo.” Why would they do that? Because the risk to their reputations and customer perceptions now outweigh the benefits. The Supreme Court also ruled that cell phone location data cannot be used by law enforcement with out a search warrant.
And on June 28th, California passed the first of several tough new privacy bills.
According to the release, under Assembly Bill 375, which establishes the California Consumer Privacy Act, Californians can hold companies accountable for potential abuse of their data. Members of the public could ask a business to delete information they have on them. Upon request, businesses that sell consumers’ information would have to disclose the categories of information they collect. Kids under 16 must opt in to consent to the sale of their data.”
As Alistair Mactaggart, the bill’s sponsor, said “I feel like it’s the first step, and the country’s going to follow, Everybody is finally waking up to the importance of digital privacy.”
Misconception of Consent
The first big area we need to improve on is really getting consumers’ CONSENT—not using tricks, trojans or falsehoods to swindle our way into free data from unsuspecting people. We need to clearly describe to consumers what data we’re using, how we’re using it, and periodically remind them that we’re doing so. We also need to provide a value exchange –answer the “what’s in it for me” question. This was the major mandate of GDPR.
Sounds simple enough, right? Then why do so many companies try to circumvent this standard?
Passive data collection is legally allowed by burying the phrases in a lengthy end user license agreement (EULA) that consumers frankly never read. “Consent” is simply not being applied reasonably here. It’s also inapplicable when consumers are unaware of what they are consenting to.
Data collectors think they are golden once the user “consent” hurdle is passed by being as vague as possible. They get consent once and never have to remind consumers about what they’re actually taking from them, sometimes for years. They get data for free, and keep, combine, and resell it all as a big secret—as if they own it. The trouble is that they don’t own it.
I was curious to see just how informed consumers were about their own “consent” in some real cases, specifically regarding Internet connected TVs. Ace Metrix surveyed over 36,000 people and the results were grim. In our study, only 13% of people being tracked actually knew they were being monitored AND recalled agreeing to the Terms of Service for their smart TV. Another 49% of people were unsure if their TV viewing habits were being monitored – yet 62% of them had TVs connected to the Internet.
Data companies, of course, are adamant that they receive viewers’ consent. But, 75% of the consumers in our survey had no idea how they “gave consent” in the first place, with it jumping to 88% among Gen Xers and 95% among Baby Boomers. This deliberately cloudy process works well for data collectors.
Take TV manufacturer Vizio. Most people would not assume that the default privacy setting on their new TV would allow almost limitless access to their behavior. Users quickly “accept” through a loose “consent” screen while they are desperately trying to get the new TV up and running. Little do they know, that from then on, every action – program, ad, website, stream – is being collected, monitored and shared with other data vendors. From there, integrating data companies, merge data based on IP address and cookies associated with it. This IP/cookie match gives marketers access to one’s gender, age, address, interests, and other offline data.
When asked if they knew whether their TV device collects data about their viewing habits, 61% of our survey respondents with Vizio TVs were not sure. Another 21% said they were not being monitored; 8% knew they were and remembered agreeing to the terms; 7% knew but didn’t remember agreeing to anything and 3% knew and disabled it.
An IP Address is the New SSN
After years of investment in the world’s best data scientists, a new personally identifiable “key” was needed to connect all these disparate data sources to an individual person or household. The solution is the IP address, which is now THE most powerful personalization key. It’s the starting point that links everything together in our digital lives.
With an IP address, one of these vendors, advertisers or other data clients can instantly access not only viewing data, but credit card data, offline purchasing, car ownership, email addresses, subscriptions, location, visit and GPS data and on and on and on. From there, they can use that information for all kinds of purposes, such as direct mail targeting, other ad targeting, and perhaps some other nefarious ID theft activities.
But is an IP Address Really Anonymous?
A prevalent practice in the data industry is called “identity resolution” which is a service, according to one data aggregator’s website, “that ties data back to real people and makes it possible to onboard that data for people-based marketing initiatives across digital channels.” From IP address to pixels and cookies, everyone knows everything about you. So even if they don’t know your name, but they know where you live, and everything you watch, buy and do, and everywhere you go, does that really matter?
What the Industry Can Do
I believe we need a privacy management system, similar to the do-not-call list, or “unsubscribe” from unwanted email spam, where a user can opt out across all collected data platforms, or select which ones they feel are ok, and which are not. Second, consumers need to be informed on a REGULAR basis what about them is being tracked. Finally, end users of the data, such as brands or agencies, need to be held accountable for using non-privacy compliant data.
While data companies will lose a significant portion of their cooperators by being honest, they still will have more than ample sample sizes for all their targeting and other marketing efforts. However in the long term, showing consumers that these efforts might actually benefit them will likely lead to more consumers opting in to trusted partners. The key is to stop blowing up that trust.
I’m hopeful the tide is turning on privacy awareness and action. It seems big brands are catching on, with the recent decision from Verizon and AT&T. And if that’s not telling enough, even the Supreme Court is starting to weigh in on so-called third party sharing. John Roberts wrote ominously, “The fact that such information is gathered by a third party does not make it less deserving of Fourth Amendment protection.” While the recent case investigated law enforcements use of cell phone location data, search or website or TV viewing are the same type of data and its reasonable to assume that these could be next to hit the Supreme Court docket.
Research and data vendors are often the worst offenders in violating even basic privacy standards. In an industry that depends on consumer information from willing participants, we need to be leaders in protecting these consumers, not the violators. But we’re playing with fire.
Now’s the time to decide…are you with consumers, or against them?
For more coverage, check out: