Privacy Experience – Build trust by going beyond compliance
The current state of digital privacy is unnecessarily combative. Companies are recording every action people take and an increasing amount of the general public are opposed to this. An entire market exists that aims to facilitate both the advancement and prevention of this kind of tracking, and new laws to regulate it are popping up all over the world.
The way companies are implementing these laws is a major contributor to the lack of trust that now exists and a wasted opportunity to use privacy as a competitive advantage. Companies can build trust and increase people's willingness to share data by going beyond compliance to create what I call a positive Privacy Experience. Read on for more...
Data can be both "The New Oil"1 that can drive growth as well as "toxic waste"2 that can cost a company significant fines or compromise the personal safety of their customers. Until recently, ordinary consumers not in the business of collecting, processing or deriving value from data had virtually no idea of its potential promise or peril. Any suspicion of bad behaviour or neglect has been, and continues to be, confirmed. The exponential growth of data collection and processing, in unison with almost daily data breaches, has called into question the trustworthiness of companies and earned the Tech industry the media's infamous "Big" label, joining the ranks of Big Oil, Big Pharma, and Big Agra.
81% of Americans think the potential risks of data collection by companies about them outweigh the benefits.
As a result, most web browsers now take measures to limit or entirely block this data collection, by default3, and the number of countries and states introducing privacy regulations is constantly increasing. Gartner predicts that by 2023, 65% of the world’s population will have its personal data covered under privacy regulations4.
All of this has created a Privacy Paradox for companies: the desire to collect, process, and profit from data juxtaposed with the legal obligation to comply with laws that require consent for, and limit or prevent, such activities. However, regulations are not the problem, the implementation is. Current implementations result in a negative Privacy Experience of decreased trust and willingness to share data.
The primary purpose of privacy laws is to protect people. However, when companies comply with these laws they are acting to mitigate their liability and decrease their risk of being fined. Nowhere is this more obvious than in the verbatim interpretation of the articles of the laws that are customer-facing. Opaque policies and confusing consent management options that are presented to people appear to have been created solely by legal teams. The outcome is the same as what happens when business needs are communicated directly to those that can implement rather than to teams that filter those needs through human-centric processes; business needs are interpreted as instructions and implemented verbatim.
Every app and website that is in compliance with any privacy regulation today all consist of at least three user-facing components that could be interchanged between any company without anyone ever knowing the difference:
- A cookie banner with almost no context or choice
- Consent management that offers the bare minimum of control the law mandates
They have all been cut, chapter and article, using the same cookie cutter: the official legal text. The low priority and level of thought given to these customer-facing privacy measures result in awkward and out-of-place moments for people that cause distrust, confusion, and doubt about what a company does with the data about them; a negative Privacy Experience.
81% of respondents feel as if they have little or no control over the data collected
Compliance alone does not automatically result in customers trusting a company any more than the mere existence of their product results in new customers magically showing up with their wallets open. Unless a customer can see evidence of, make sense of, and interact with it, a company's compliance with privacy regulations is invisible to its customers.
While compliance decreases risk, a positive Privacy Experience increases trust.
A personal example: Microsoft complies with the General Data Protection Regulation (GDPR) no matter what country their customers and users reside in. That is great but I still do not trust them because while I am enough of a privacy nerd to actively seek evidence of this, I can not make sense of how they comply or interact with them and the data they have about me in any meaningful way. IKEA also complies with GDPR and I trust them because I can interact with them and the data they have about me in a meaningful way. My willing propensity to share data with these companies, or whether I actively prevent them from taking it, is entirely dependent upon my trust in them. My Privacy Experience is negative with Microsoft and positive with IKEA.
"Today, 82% of customers say trust in companies matters more than it did a year ago, up from 73% in the previous year. ...Nearly 48% of customers have stopped buying from companies because of privacy concerns."
The core principles of a positive Privacy Experience are as follows:
- User-centricity - the user must be at the centre of all decisions
- Transparency - be willing to show every data point you collect
- Clarity - clearly explain in human-understandable terms what you collect and how you process it
- Control - offer a high level of control without overwhelming people
To create the best Privacy Experience, the following is required:
- A firmly held value of privacy - it is the foundation everything is built upon
- Strong data governance - you can not explain or afford control of that which you do not understand
- Collaboration between legal, product, and marketing - others can and should be involved but remove any of these three and the experience will suffer
To create an experience that goes above and beyond anything else in existence:
- Demonstrate the value in allowing collection
- Provide a way to verify that your policies are enforced as written
For companies that are already compliant with GDPR, a lot of the foundations are already in place. Thus, creating a positive Privacy Experience is mostly a design and communication challenge.
If you are already collecting and benefiting from data, this approach may appear to be more difficult than breaking an addiction to heroin. There will be some data loss but data accuracy is not the same as data inconsistency - if you can account for data not being there, it is accurate. How much you lose will depend on how well you design the experience, what data you are asking for, why you are asking for it, and the value you offer in return.
The experience of Privacy can not be the implicit by-product of compliance that it is now. It must be explicitly designed with an intention to build trust. Compliance must be leveraged by having legal, product, and marketing teams collaborate to weave privacy into the entire customer lifecycle. Privacy then becomes a competitive advantage.
97% of companies recognized they were realizing benefits such as competitive advantage or investor appeal from their privacy investments
If we do not start to see better implementations of regulations and the kind of proactive self-regulation that creates positive Privacy Experiences, we will likely see more aggressive regulations and defensive options for people to guard against data collection. The issue of privacy and the interplay between companies, customers, regulators, and the technology to help them all does not need to be as combative as it is today.
I am committed to helping software companies define this new future.
If you lead Product or Marketing at a software company, drop your email address in the form below to hear more from me on this topic. You may also be interested in my Customer Data template which helps you collect data with care and intent, and my collection of Privacy Experience Resources.