Privacy Issues and Trends ~ Part 1

1. Regulation, Regulation, and more Regulation: Privacy Reforms, Enforcement, and Stronger Standards

All these technologies require access to and create vast amounts of data. As technology advances and data is used in unprecedented ways, privacy laws and regulations are likely to become more stringent. Organizations will need to update their privacy programs and controls to reflect a new reality of privacy with increased regulatory oversight. Not complying will not be an option with organizations subject to financial, reputational or operational penalties.

Canada has already initiated steps to enhance its privacy framework. Last year, the federal government announced Canada’s Digital Charter, its digital strategy for fostering innovation, paving the way for privacy law reform. Its main goals are to: provide Canadians meaningful, effective and enforceable privacy rights as technologies advance; position innovation as a cornerstone of the Canadian economy; and ensure that privacy laws do not overlap or contradict other laws.

Interoperability with international laws and standards is another important goal of the Charter. Canada is focused on maintaining its ‘adequacy’ status with the European Union to ensure that data can continue to pass freely between the two jurisdictions. It will closely review how its privacy regime can become more aligned, or interoperable, with the General Data Protection Regulation (GDPR).

In 2020, we anticipate Canada’s Minister of Innovation to announce concrete proposed changes to the Personal Information Protection and Electronic Document Act (PIPEDA). This includes: increased transparency of how personal data is being used; compensating consumers for data breaches and providing them with data portability; and enhanced enforcement powers for the Privacy Commissioner of Canada.

Codes, standards and certification schemes are also likely to be formally recognized in the PIPEDA as a means of demonstrating due diligence. These tools will be given more regulatory prominence, although they will no longer be simple self-regulation tools without any oversight. Organizations that use them will need to demonstrate increased accountability and higher standards of care; and they will need to prove it to the regulators.

2. Less Consent, More Accountability

In his recent annual report, the Privacy Commissioner of Canada sounded the alarm on industry’s overreliance on consent which he describes as “a narrow view, and one which puts individuals at a distinct disadvantage”. Although the consent-based model upon which Canadian privacy law has long been defined will remain an important pillar of PIPEDA, it cannot solely offer the answer for all data uses.

Consent is an essential, but often impractical, means for driving every privacy decision or action: for one, consent is not meaningfully obtained in many data use cases; for another, many consumers continue to express frustration at being inundated with multiple consent notices for every single data use.

Canada’s long-standing accountability model may offer a compelling solution to this quandary. Accountability relates to organizations’ acceptance of responsibility for personal information protection by implementing appropriate policies and procedures that promote a robust privacy management program. It is a tool to demonstrate that the consumer data they collect and process is managed responsibly. 

Done properly, a strong accountability program promotes trust and confidence with consumers and regulators, and enhances competitive and reputational advantages for organizations. As Canada embarks on the journey to update PIPEDA, coming up with the right form of accountability will be key.

3. We Can Do It, but Should We? The Ethics of Privacy and Social Responsibility

Privacy is not just a compliance exercise. A strong privacy program includes many other considerations, among them not only data flow charts, data inventories and privacy notices, but also cybersecurity, vendor management and ethical considerations.

Organizations will increasingly need to give more importance to the ethical responsibilities that come with managing large streams of data. To do so, they will need to combine legal compliance, privacy-enhancing technologies and apply a social and ethical lens to everything they do.

As the opportunities and benefits that come with new and improved technologies and data uses proliferate, organizations will also need to consider how they can use the data they have for ‘social good’. While the negative or unintended consequences of data and technology should continuously be assessed, the enormous real and potential social benefits of data need to be recognized. They range from preventing crime, diagnosing cancer, and identifying victims of online sexual exploitation, to aiding disaster-relief efforts and strengthening democracy.

Yet, legal uncertainty, data accessibility, consumer consent and ethical considerations will pose constraints to the full realization of these social benefits. Conversations are currently taking place within a few forums, including the Information Accountability Foundation (IAF) and within government consultations, to better understand the challenges and promises of “using data for social good”. The outcomes will surely require a delicate balancing act of complying with relevant privacy laws and regulations while establishing and maintaining trust with consumers.

4. Consumer Trust: Transparency and the Value Exchange

Privacy concerns are at an all-time high. According to PwC’s 2019 Consumer Intelligence Series, 85% of consumers say cybersecurity and privacy risks are among the biggest of any issues facing society today. Companies need to listen - carefully. 

Despite privacy concerns, consumers are willing to share their data depending on a number of factors. A study published by the Canadian Marketing Association revealed that 86% of Canadians will share data to enable personalized experiences, so long as companies are transparent about how they use the data and give consumers control over it.

If you give individuals more transparency over what you are doing with their data and more control, they will give you more data, more accurate data and are more forgiving in the event of a breach”

Consumer trust is a critical crossroad: if organizations do not make real efforts to prove that they treat personal data with respect, trust will diminish, and consumers will closely guard their own data. If the pendulum swings this way, some envision a future of data ownership where consumers will manage and sell their own data to organizations. Several start-ups have already sprung up to deliver such services. While their success remains unknown, this development should serve as a wake-up call to organizations to give serious consideration to the value consumers receive in exchange for their data – financial or otherwise.

Consumers are not only increasingly more sensitive about how their data is being used and protected, but many also question the value they receive in return. Companies need to ask themselves: is the value produced by data to enhance products and provide better services being communicated and articulated to customers? As a follow-up, are these values in line with what customers expect? 

The value consumers place on their data depends on many factors, including relevance (e.g. receiving a seat sale for a trip to Vancouver is relevant to someone who travels there often), timeliness of an offer (e.g. offering a hotel room at the moment of booking a flight), and also quality of the loss of privacy (e.g. how much information does a consumer have to give away and how sensitive is that information?).

Companies need to articulate the value of data-enabled services and need to be transparent about their data practices. This helps consumers feel respected and enables companies to build loyalty. 

5. The Chief Marketing Officer and the Chief Privacy Officer: New Best Friends?

Organizations will profoundly be affected as privacy regulations become more stringent and consumer expectations evolve in response to heightened media coverage of data breaches and data misuse. Marketers are likely to be one of the most impacted groups as they will need to closely scrutinize whether they can pursue creative and innovative marketing campaigns. 

Chief Marketing Officers (CMOs) have a tendency to see privacy as a hurdle they need to clear before launching a new project. Now, they need to recognize it as an essential element of success.  

Privacy enables marketing. In fact, privacy no longer plays in its own sandbox. Traditionally, the Chief Privacy Officer (CPO) mainly focused on risk management and compliance with privacy laws and regulations. Nowadays, it is becoming a decisive player in business strategy across the organization. 

The CMO needs to bring the CPO to the decision making table. The CPO can bring additional marketing, sales and operations skills to the discussion and can provide options, ideas and solutions to support enhanced value creation and business opportunities within the regulatory framework. 

In the future, it will become more important than ever for brands to assess all marketing efforts through a privacy lens. This cannot happen without CMO and the CPO forming a collaborative relationship.