Evolving business models: cultivating trust

 Following the Facebook–Cambridge Analytica scandal, companies must now gain—or regain—and cultivate consumers’ trust. Does your company engage consumers directly? The protection of personal information and privacy is more important than ever in gaining an edge over your competition.

The debate around the privacy paradox is not a new one. Indeed, specialists have been considering the question for more than a decade, but the debate has certainly come to the forefront in the last several months. Consumers say they are concerned about the protection of their personal information, but their behaviour online does not always reflect this worry. In an article published on Engadget.com, technology reporter Chris Ip points out somewhat ironically: “When polled, people say they care deeply about privacy, but in reality, they will give up their data or even the email addresses of their friends in exchange for something as trivial as a pizza.” Things are just as contradictory on the business side: “They’re caught [businesses] between using data to provide better consumer experiences and violating consumer privacy,” concludes Rani Molla, data editor at Recode, after reading the latest Internet Trends Report by Mary Meeker.

The Facebook–Cambridge Analytica scandal uncovered by The Guardian and The New York Times in March 2018 undeniably placed the privacy paradox back at the forefront of public debate.

It is reported that nearly 90 million Facebook users had their personal data improperly collected for electoral profiling purposes during the 2016 American presidential election.

In the spring of 2018, we learned that Facebook had shared data on its users with Apple, Samsung and dozens of other device manufacturers. The platform had also approached American hospitals with a view to obtaining medical data. A few months later, in September, Facebook was the victim of a cyberattack that exposed the data of 29 million of its users.

If last year was difficult for Facebook, it was also for many other companies, including Google and its YouTube video platform, Yahoo, Twitter, and Grindr—all caught up in controversies related to the dubious and even illegal use of personal information. Furthermore, an April 2018 University of California, Berkeley report showed that more than half of the Android apps targeted at children under 13 years old may be in contravention of COPPA in the United States (the Children’s Online Privacy Protection Act) due to the improper practice of collecting and sharing data.

Consumers’ perspective in the era of customization

Consumers are certainly becoming increasingly cautious. An October 2018 survey by GlobalWebIndex revealed that 65% of North American respondents (62% among Canadians) are worried about the way businesses use their personal information.

In 2018, only 34% of Canadians said they trusted Facebook, according to data published by Proof Inc. This represents a drop of 17 percentage points compared to the previous year. Nevertheless, 84% of respondents in Canada are still active users of the platform. “While we may have grave concerns about how Facebook behaves as an organization, we still use it, because it delivers the things we expect of it,” explains Josh Cobden, executive vice president of Proof Inc.

The sharing of personal information is therefore not an obstacle to the use of a platform, as long it responds to the needs of its users and offers them a customized and relevant experience.

A May 2018 CROP poll showed that 53% of Canadians would agree to sharing their personal information in return for products and services adapted to their needs. This proportion climbs to 67% among 25-34-year-olds and to 79% within 18–24-yearold group. “Young people are more consumption-oriented and therefore eager to share their data to enhance their consumption experience,” explains the market research firm.

How can consumer-oriented businesses succeed in distinguishing themselves from their competition? By guaranteeing their customers that they will make responsible use of their personal information and respect their right to privacy.

“Company reputations hinge on their trust and transparency credentials over personal data.” — Chase Buckle, analyst at GlobalWebIndex, 2018

This trend is by no means new. For example, in 2015, Microsoft France’s Regards sur le numérique (“Digital Perspectives”) observed that the protection of personal data was destined to become an “element of competitive differentiation.” However, the necessity for sound data management is now more urgent due to a marked shift in legislation.

How businesses are reacting to the GDPR

More than any other legislative measure to date, the European Union’s (EU) General Data Protection Regulation (GDPR) is driving companies to better manage and protect their clients’ personal information. In development since 2012, the GDPR came into effect in May 2018, only a few weeks after the Facebook–Cambridge Analytica scandal broke.

Among other measures, the GDPR introduced a requirement for explicit consumer consent for the collection of personal data, the right for EU internet users to request the erasure of their data, tougher penalties for companies found to be in default, and a requirement for foreign companies to conform to legislative measures.

“Now, EU consumers will have the freedom to opt in [to personal data collection], rather than have the burden of opting out. That emphasis on consent creates a financial reward to building consumer trust.” — Nitasha Tiku, journalist for Wired, 2018

Silicon Valley’s tech giants are catching up quickly. Facebook has put together a new team tasked with developing personal data management tools, which include a feature that allows users to erase their browsing history. For its part, Google improved deletion controls on all of its platforms in the fall.

Apple has started requiring that apps housed in its App Store contain a personal information and privacy policy. Moreover, CEO Tim Cook praised the GDPR last October, congratulating the EU on its initiative and inviting the United States to improve its own legislative measures related to privacy rights. “Apple’s devices and software—and the company’s ethos—are now steeped in user privacy protections that other tech companies would never dream of embracing,” points out journalist Michael Grothaus.

This is exactly what worries some observers. Over time, will tighter management of personal data benefit only a handful of the biggest tech companies— like Google, Apple, Facebook and Amazon—to the detriment of smaller companies who have less financial and technological resources at their disposal? In the United States, major media outlets like The Los Angeles Times and the Chicago Tribune have been forced to block access to their web sites by European internet users, because they were unable to guarantee conformity with GDPR requirements. Another measure under consideration in Europe, the draft ePrivacy Regulation, is currently arousing fierce controversy within the EU. No fewer than 50 European media companies came out against it publicly last March: “The media companies claim the current ePrivacy proposals, which require that all businesses must get explicit consumer consent to use cookies, would give still more power to Google, Facebook and Amazon, reported Digiday’s, Jessica Davis.

What impact will these legislative initiatives have on the European market over the long term? What influence might they have on regulations and business practices elsewhere in the world? The measures adopted by the EU have certainly influenced the legislative discourse in Canada. In February 2018, the Standing Committee on Access to Information, Privacy and Ethics recommended an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA), with a view to introducing or improving measures already in place related to the consent to collect, de-indexation, erasure, and purging of personal data. Moreover, the committee invited the Canadian government to ensure that the PIPEDA maintain its “adequacy” with respect to the GDPR.

The Minister of Innovation, Science and Economic Development reacted favourably to these recommendations. However, he insisted on the need to examine them further— notably in the context of a round of public consultations started in June 2018—and to achieve a reasonable level of alignment with the GDPR. “Recognizing the importance of interoperability between diverse privacy regimes, the EU has adopted a concept of substantial rather than outright equivalence […] In that regard, it is not clear that PIPEDA requirements must reflect all of the protection rights and measures found in the GDPR in order to retain the adequacy of the Act.”

In this context of legislative uncertainty, businesses can at least be assured of two things: the use of massive amounts of data, or Big Data, will continue to be a determining factor for success in the digital economy and today’s increasingly savvy consumers are likely to be more attuned to issues affecting their right to privacy.

Media businesses have everything to gain from adopting a more proactive and more preventative approach. Dr. Ann Cavoukian, former Information and Privacy Commissioner for the Province of Ontario and pioneer of an approach to systems engineering developed in the late 1990s known as Privacy by Design, points out:

“The future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation. ”

 

 

PRIVACY TOOLS FOR CANADIAN BUSINESSES

According to the latest survey on cybersecurity by The Canadian Internet Registration Authority (CIRA), 59% of corporate respondents said that they retain their customers’ personal data, but 39% admitted to not being familiar with the requirements set forth in the PIPEDA.

So, what are your responsibilities under the PIPEDA? Do provincial laws also apply to you? Innovation, Science and Economic Development Canada offers a toolkit that will help you to better understand your responsibilities with regard to the protection of personal information. Also, the Office of the Privacy Commissioner of Canada has developed a list of recommendations on how to write up a privacy policy: “A good privacy policy explains, for example—clearly and in plain language—why an organization is collecting personal information, what they will do with it, how it will be protected and who they will share it with.”