Striving for a New High Water Mark in U.S. Data Privacy Policy: Part 2

In a continuation of my first post around privacy and the rising tide of global data regulation, I explore why “leaning in to consent” is the best way for U.S. companies to ensure smooth sailing with their customers amid the murky waters of data policy innovation.

Come on in – the water’s fine

Enforced as of this past May, the General Data Protection Regulation (GDPR) has given EU residents unprecedented access and control over their personal information. But as businesses increasingly align their data frameworks to the tenets of GDPR and other government-regulated data policies, debates have sparked around the potential drawbacks of giving customers this level of control.

For example, I recently attended a forum on health services research. One person shared that proactively giving research participants the option to consent to how their information was used – versus using the data in a legal, albeit “unconsented” fashion – could possibly reduce the availability of data by more than half. The point being: Abiding by the letter of the law can affect bottom lines, and may make companies less willing to proactively offer data consent options to consumers.  

To this, we say: Lean in to consent anyway. The long-term business benefits of building trusted digital relationships with consumers by offering them data protection, transparency, and control outweigh the risks. If you aim for compliance alone, you’re performing a user-hostile act, and are liable to lose their loyalty over time. Rather, proactively offer consent as part of your digital customer identity framework to build trust, as well as enhance your compliance stance.

Some evidence of the consumer demand for privacy and consent:
  • An Economist Intelligence Unit survey commissioned by ForgeRock showed that 86% of respondents want the ability to manage their personal information proactively. The survey also found that of five key privacy rights associated with the GDPR, respondents ranked the right to erasure (“right to be forgotten”) most important. In short – this is the “breakup clause” between customers and businesses, when you don’t give them a better way to fine-tune your mutual data sharing relationship.

  • When the Mobile Ecosystem Forum Consumer Trust Report asked consumers what companies could provide in exchange for personal data, “...consumers consider privacy-protection and access to their data more important than financial and other rewards.” Further, the top reason respondents identified for why they didn’t use more mobile apps and services was “I don’t want to share personal information” – meaning that these privacy-sensitive users may have “gone dark” on you before you even knew about the problem.

  • When DNA testing companies such as Ancestry and 23andMe started to worry about the impact on their businesses of DNA comparisons used in the Golden State Killer investigation, they banded together to form voluntary industry guidelines to ask consumers for “separate express consent” when sharing DNA data with businesses such as insurers, and to provide new transparency around law enforcement disclosures.

How to stay afloat

With the importance of consent established, the question now becomes: How can regulations stay in tune with new market innovations? The push for innovative thinking in the corporate world is often at odds with the nature of regulation, which is difficult to future-proof because of how it is created and maintained. Comparing GDPR guidance on “opt-in” consent with new innovations in the API and IoT economies and increased consumer demand for both privacy and value, it seems this gap will only widen.

For businesses, this gap will make it harder to deliver compliant yet delightful and consent-driven experiences, where people are actually motivated to share data in a controlled fashion. The current model is most friendly to people who are passive data subjects, while the evidence is showing us that most consumers want to be empowered resource owners. At ForgeRock, we see such scenarios come up most frequently in sectors such as automotive, financial services and healthcare.

While there’s not yet a clear answer on how to close this gap, a recent article from Forbes provides some helpful insights to get started. Recommendation #5 seems especially apt: “Educate lawmakers and establish relationships to take away the fear of the unknown.” The future may be uncertain, but there’s no time like the present to begin educating policymakers on the importance of dynamic, human-centric data security policies.