“Everyone makes mistakes. That’s why pencils have erasers.”
It’s a pretty common saying, and while it’s not wrong, it leaves out one important fact.
Erasers are much smaller than pencils. Only so many errors can be rubbed away before the second chances run out.
When it comes to data privacy, trust is like an eraser. It gets smaller and smaller after every mistake.
And thanks to new digital privacy laws and an increased expectation among consumers that companies will be able to protect their data, erasers for privacy breaches are smaller than ever.
Eraser, er, privacy laws
For decades, businesses in our modern economy have relied heavily on consumers’ personal data to guide their marketing decisions and management processes for products and services.
As digital technology advanced, it became the norm for companies to have unwieldy data collection programs. These programs gathered far more personal information than needed from their customers, usually without user knowledge or consent. User data was then manipulated and shared in a myriad of ways, often recklessly and (again) without individual knowledge or consent.
The Facebook/Cambridge Analytica scandal and a series of massive data breaches at some of the world’s largest corporations finally gave consumer privacy advocates the leverage they needed to successfully push governments into passing aggressive data privacy laws.
After the European Union passed the General Data Protection Regulation (GDPR) in 2016, the data governance game changed forever. Suddenly, any business that operated in or collected information from residents of the EU was, among other things, legally required to:
- Minimize data collection to limited, clearly defined purposes
- Notify customers as to when and what type of information is being collected
- Provide reasonable measures to keep data secure
- Give consumers control over data and allow them to choose how their personal information is collected, used, and shared
- Limit the length of time consumer data is stored
The GDPR was the first major digital data privacy regulation of its kind and is considered the gold standard of privacy laws, but it definitely wasn’t the last. Since 2018, similar laws have been enacted by governments around the world.
Privacy law in the United States
Unlike the EU with its omnibus GDPR, the US doesn’t have a federal data privacy law. Instead, the US has thus far opted for a sectoral approach. This has led to industry-specific regulations at the federal level, such as those listed below, and state-specific privacy regulations at the—you guessed it—state level:
- Industry-specific examples include:
  - Health: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - Email: Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM)
  - Finance: Gramm-Leach-Bliley Act (GLBA)
  - Text and phone: Telephone Consumer Protection Act of 1991 (TCPA)
- Comprehensive state-specific laws include:
It’s not clear yet if this fractured approach will stand the test of time, but the reality today is that US businesses have to operate in a patchwork, hodge-podge privacy landscape that’s constantly changing.
And that landscape can be pretty confusing.
And with laws increasingly holding companies liable (sometimes even criminally liable) when customer data is exposed, organizations that build their data collection and management program around best practices instead of specific regulations are less likely to need that eraser we talked about earlier.
Those privacy best practices are all founded on building digital trust.
Why digital trust from consumers matters more than ever
Despite these new privacy laws and dramatic improvements in cybersecurity technology, consumers are more worried about their online activities being monitored than ever before.
Need some stats to convince you? A recent Cisco survey found that:
- 86% of consumers responded that they care about privacy and want more control over their data
- 79% said their privacy impacted their purchasing either through not making a purchase, paying more for privacy, or spending money to protect their data
To sharpen the knife even more, more than half of consumers will stop using a service if a breach is reported, according to Kaspersky.
That’s over 50% of consumers who won’t even give a company a chance to use their eraser.
There are hundreds of similar statistics proving how critical digital trust is to successful business operations, especially since the COVID-19 pandemic made apps and websites enabling remote work and healthcare delivery a core part of our daily lives.
A strong cybersecurity program alone isn’t enough to build digital trust. Successfully increasing consumers’ digital trust will only happen if data privacy is part of company culture, not just compliance processes.
Privacy by design and default
There are two ways to approach integrating privacy best practices into every process and procedure: privacy by design and privacy by default. The most effective privacy programs combine both approaches.
Privacy by design means that all internal systems, networks, and policies are created (or retrofitted if needed) in accordance with privacy best practices.
In practice, privacy by design might look like:
- Including privacy conversations in product planning and marketing initiatives
- Easy-to-understand privacy policies that are short, simple, and free of legal jargon
- Databases that operate on the principle of least privilege, meaning employees or processes can only access the minimum amount of data needed to complete the assigned task
- Frequently updated data inventories or data maps
- Regular privacy training for employees across every organizational function
- A preference center that allows users to select what personal information is collected as well as how and how often they’re contacted
Privacy by design should happen before consumers even enter the picture.
Privacy by default, on the other hand, is the consumer-facing part of privacy by design. Privacy by default means that all personal data is automatically processed under the strictest privacy controls.
Most US laws are opt-out based as of this writing, meaning users have to specifically ask that their personal data not be collected, shared, or sold. This usually happens when consumers uncheck a box that says something like, “Yes! I want to hear more about special offers and events from XYZ Company and their partners!”
(But it won’t be this way forever—newer state laws coming in 2023 will require opt-in consent in some situations. In turn, this shift will require companies to get familiar with their data and how they’re using it. The solution? Start your internal privacy conversations sooner rather than later.)
While this opt-out methodology is technically both privacy by design and privacy-compliant (at least in the US), it isn’t a privacy by default system. Not using the strictest privacy setting in every instance automatically increases the risk of data exposure—even for responsible organizations that take privacy seriously.
Better privacy programs = bigger erasers
As our economy becomes increasingly reliant on digital technologies, balancing the science of big data, the importance of digital trust and the demands of privacy legislation isn’t just a matter of revenue development—it’s critical to national security.
Businesses have an obligation to take the lead on establishing new norms for personal privacy protections, but that obligation also brings a tremendous opportunity to increase brand loyalty.
Transparent and user-friendly privacy policies. Exhaustive vendor risk management. Proactive compliance programs. Privacy-first frameworks. These practices take commitment, but through commitment comes consumer trust.
Consumers are far more likely to let businesses with a proven track record of proactive privacy management use their “eraser” after a hack than they are a company that plays fast and loose with their information.
If you want to build digital trust with your customers, let the experts at Red Clover Advisors use their privacy pencils to help you write an eraser-proof plan. Call us today to schedule a free consultation.