With more and more data being obtained by organisations from consumers and users, the issue of user privacy has become more prominent. Even with the presence of regulation such as GDPR and CCPA, companies must not get complacent when it comes to retaining customer trust. With this in mind, we take a look at the best ways in which organisations can ensure the privacy of users.
Transparency and empowerment
Firstly, it’s vital that companies, through their websites, make their intentions regarding usage of data as clear as possible. If consumers don’t trust the site, access to their behavioural data is likely to be denied.
“Transparency is key when it comes to companies respecting user privacy,” said Ben Murphy, UK managing director at Quantcast. “Greater education and empowerment is paramount in keeping the open internet functioning and the ecosystem that drives it – funded largely by advertising – alive.
“Denial of data usage could spell disaster for publishers and content creators reliant on advertising as brands are hampered in their ability to accurately reach audiences or measure the impact of their spending. The open internet and the free access to diverse information, content, and news we enjoy through it is at risk.
“This follows growing consumer expectations and pressure on governments around the world to create and enforce privacy legislation. These include GDPR in Europe, which is enjoying its third anniversary this month, and CCPA in California, with other countries and states (e.g. PDPA in Singapore and CDPA in Virginia, USA) set to enact their own regulations in the near future. The requirement for transparency and privacy-by-design technology is here to stay.
“With third-party cookies set to be deprecated in 2022, the industry has an opportunity for a reset when it comes to how online consumer behaviour is understood. The frothy selection of alternatives to third-party cookies currently emerging will, unfortunately, mean things will get more complicated before they get simpler. In order to navigate that complexity and prepare for the future, organisations should be seeking partners with strong track records in applying AI and machine learning to identify patterns among complex and diverse signals, and a deep understanding of and respect for consumer data privacy.”
Leading on from the use of AI to find behavioural patterns, Steven Chung, president, worldwide field operations at Delphix, explained how AI, along with other automation capabilities, can improve compliance while allowing organisations to continue innovating.
“Speed to market is a key success factor in every business,” said Chung. “However, when it comes to organisations that have to manage copious amounts of data, including sensitive, regulated data, driving speed at the expense of data privacy creates untenable risk. Regulations such as GDPR, HIPAA, CCPA, Open Banking, and others have put yet another ‘tax’ on enterprises by adding additional overhead for data management, application development, security, and customer service. The good news is that we have some new technologies and methods that support rapid innovation, whilst ensuring compliance with data privacy mandates.
“For example, we have systems enabling CI/CD workflows which can automate software releases at unprecedented levels, sometimes even hundreds of releases per day, while masking, protecting, and backing up massive amounts of sensitive data, such as personal information or health records.
“Advanced technologies – like machine learning and artificial intelligence – can also be used to fill the gaps that humans miss, when it comes to data privacy. For example, companies can use AI/ML to sift out inappropriate language or detect parties that might be trying to access unauthorised data. IT automation can drive consistency across the organisation, bringing disparate systems together and freeing up tech resources to focus on new data issues.
“To be a sustainable business, organisations must learn to manage sensitive data at scale that meets data privacy requirements, while still supporting efficient, rapid innovation.”
Meaningful, standardised consent
According to Eve Maler, CTO of ForgeRock, the permission users often give when a message on a website asks about their data usage preferences doesn’t carry enough weight to be truly protective.
She explained: “Online consent is broken and needs a fundamental rethink. The General Data Protection Regulation (GDPR) was meant to put users back in control of their data by ensuring that consent is high-quality, freely given, specific, informed and unambiguous. Instead, it revealed many consent processes’ continuing shortcomings.
“It’s true that most businesses are no longer simply helping themselves to end-users’ data, instead using opt-in cookies. But cookies, whose awareness has been popularised by the GDPR, often fall far below the bar of meaningful consent. All too often, businesses are taking advantage of their powerful position over users. They know that almost none of their users have really read their cookie notices.
“Meanwhile, others actively coerce and manipulate users into consenting online using ‘dark patterns’ – manipulative website and app designs to nudge consumers into a course of action against their own interest. Meanwhile, more than ever, consumers want control over their personal data and online experiences, and are willing to take action to get it. 70% of consumers say preventing their data from being resold to third parties is a top priority when considering app features.
“The direction of regulatory travel is clear, and it means that services should put a priority on building and maintaining trusted digital relationships with consumers rather than scraping data from them at the first opportunity. It’s possible by using digital identity systems to take small first steps that require as little information as possible, and deepen the relationship with more consented information sharing when the user is ready.”
The role of decentralised identity
Maler went on to cite decentralised identity technology as an emerging tool for improving user privacy across multiple sectors. However, she also believes that blockchain and other decentralised capabilities have questions of their own to answer.
“Distributed technologies promise revolutions in a range of sectors, from art and sports to finance,” said Maler. “The premise of this technology – the lack of a central authority which processes, validates or handles data – can be applied to the digital sphere and to the field of digital identity in particular to help consumers reclaim ownership of their data and ensure greater user ‘privacy’.
“Some of the standards upon which modern identity is based, like Security Assertion Markup Language (SAML), are not designed with user consent in mind. Decentralised or blockchain identity technology aims to remedy this, by making users and their devices the sole authoritative sources of personal information by using digital identity wallets. Similar to a physical payment wallet, a digital identity wallet would empower a user to share as much (or as little) personal data on request as they see fit, in ways which protect the privacy of the user.
“As with so many other nascent technologies, the open source and standards communities have stepped in to develop new work to kickstart innovation in this area. We are now seeing decentralised identity pilots in sectors like healthcare and higher education. As it tries to build complex new ecosystems, it faces interesting challenges related to identity verification, business trust, and user experience. Most importantly, decentralised identity faces a question of whether it satisfies real needs to build digital relationships.
“In whatever form, blockchain or otherwise, the future of data privacy is (consumer) data control.”