Recently Mary Meeker's Internet Trends report was published listing in great detail current usage, pros and cons, of the internet. Discussion of the technology advances of the internet cannot go without pondering the privacy and security implications. One theme of interest noted in Fieldfisher's review of is the report is "To personalise you need data: This is the eternal consumer paradigm. Whereas users are not particularly happy to provide data, they want (and expect) services to be personalised."
Nowadays, consumers willingly live life online/virtually and in a very tailored way through technology that is advancing by the nanosecond but, quite paradoxically, these same user-consumers have grave concerns about it. The ICO, the UK's data protection regulator, recently released the results of its 2016 Annual Track survey it conducted to understand issues such as individuals' awareness of privacy rights, how businesses handle the personal information individuals provide them via online services and to measure the importance of specific matters relating to personal information. The results were consistent with the Trends report. The ICO report found that:
- Only 1 in 4 UK adults trust businesses with their personal information. High street banks are the most trusted, internet brands the least.
- UK adults try to hide data from businesses but would share it if their privacy was guaranteed
- UK adults are taking a variety of online and offline measures to protect their personal data, such as checking banking apps and statements regularly and limiting the amount of personal information they share on social media.
With these kinds of findings, how is it that one lives online through social media, shopping sites, banking applications, even using the internet to meet a future partner for life while having such concerns? The contrast is stark. Is giving up one's privacy a natural price to pay for the accelerated, instantly gratified existence the online lifestyle provides? Should it be? Or is there something else we should be concerned about? Perhaps security issues are really the concern – or perhaps it's simply impossible to discuss privacy without discussing security as well.
The internet is a vast, somewhat scary place. "Big brother is watching", is a phrase uttered all too often when personalised internet content comes to light in front of our eyes as if by magic. Consumers are asking where a business or advertiser got their data, how did I opt in to advertising, why is my PC or smart phone smarter than me, and so on. Perhaps the answer to these questions is that the phone is only as smart as the savvy user-consumer allows it to be by controlling the data it is given to process.
Online "anything" requires input of data, in large part personal data, at the interface point. Who inputs that data? The consumer does. The personalised experience starts with the individual, putting in their details into their banking app or social media site of choice - such as Facebook- so that they can access the seemingly endless and exciting possibilities of the Internet at their fingertips. It makes for convenience and efficiency in a very busy world. True, searching is becoming easier and search engines are becoming even more sophisticated – so who or what exactly is behind all of the brilliance and wonder of the worldwide web? Who is big brother?
Part of the advanced technology is cookies. These little, delicious morsels of information collect and retain information that the consumer puts into them – the cookies' ingredients as it were. How do "they" know you were just researching cameras so camera ads on Amazon pop up on your right hand side of your Facebook screen? You, the consumer, told them just by coming up with exactly the right search terms for that camera. But again, in contrast, most UK adults, according to the ICO report and the Internet Trends report, are worried about their data being collected, sold and used for marketing purposes, which is exactly what cookies support. What consumers need to remind themselves of is that, by providing information, they are adding those ingredients to the cookies and thereby "the web". This means that the consumer is actively creating the cookies that the internet and all of its users – virtual shopkeepers with best intentions and fraudsters alike – feed on. In a way, the consumer himself/herself is enabling Big Brother.
So how aware is the consumer of what they are doing? Cookie notices explain the whole deal, so users "should" know and have control of their data. After all, that's what the privacy regulations are for, to give data subjects control of their data. Interestingly, however, another finding in the ICO report is that out of the variety of online and offline measures to protect their personal data, only 29%, well less than half, delete cookies from their web-browser and only 18% take the opportunity to control cookies on their browser settings, i.e., using a "do not track" setting. But how often do users take the internet up on the offer and read the information they are provided before handing over their data? Rarely. Does regulation work if the measures people take to protect their data are not the sorts of things privacy law provides for (i.e., the "cookies" law requiring information about cookies and how to control them) but are other "best security practices" sort of measures, such as obsessively checking bank statements and changing innumerable passwords every month? Conversely, are users fully capable of taking a moment to read the information and adjusting their actions accordingly? These are questions that online businesses and privacy professionals alike revisit every other day.
Consent is the data subject's alone to give, in an informed and thoughtful way. The GDPR and shortly the revised e-Privacy regulations governing cookies and e-marketing have made it clear that these notices have to be clear, understandable and in plain language; something a child can understand where applicable. Consent also figures heavily in how third parties can use the subject's data. Still, users in general tend not to absorb the notices and in many cases don't bother reading them, simply clicking through to the all-important content. If users are engaging in "consensual" internet usage, the community of privacy watchdogs and professionals have little to worry about… right?
The fundamental message of the revised EU privacy regulations in the form of GDPR has been touted as giving the data subject more control over his or her personal data. The key is in the wording. The user-consumer is the data controller of his/her own data. Businesses gleaning personal data from the wealth of information the internet fosters have to be responsible with the great power they are handed. With great power comes great responsibility. But businesses are not the only ones with that burden. Consumers have power as well, and need to be thoughtful about what data they give and share as well as take responsibility for educating themselves about what data they provide.
So is it really that consumers are not happy to provide data? Is it really a privacy issue or is it about security? Consumers' concern about providing data could simply be fear of the unknown, something that users of the internet can take responsibility for. Perhaps what consumers think is a privacy concern is really more about who is keeping that data safe once it is handed over.
At present, the trade-off is the personalised service. However, is it possible that users can enjoy both the instant glory of the internet and its unique experience in the safety of an equally personalised, electively secure and private environment?
Without a doubt, the data subject to a large extent is the data controller of his or her own data. The difficulty of containing personal data occurs when a user, for example, signs up for Facebook without reading and/or understanding the privacy settings information; logs into financial accounts and walks away without locking the screen for security; turns a blind eye to the cookies warnings which enable him/her to adjust their internet settings so that the usage and behaviour is not consistently tracked, and a very long etcetera. With great power comes great responsibility. As users turn more and more to the internet to run their lives, how willing/able are they to take responsibility as the controller of their own data before any company receives it and utilises it for advertising, marketing and profiling? Up and coming online technology services like Blockchain may be part of the solution. It processes data, personal and otherwise, according to the commands it's given and when a transaction is complete, Blockchain secures the final product immutably and in an auditable format for all time. The thinking and even the actions around data privacy and security are done for the user; no muss, no waiting.
In our view, users can take more control of their data and businesses can adopt best practices to determine how they use data.
The underlying issue is that even if business have a clear understanding of regulatory guidance for the jurisdictions they are present in regarding transparent, easy to understand notices to users about collection, use and sharing of their data; put together a playbook for handling user queries and complaints so everyone in the business is clear on who to go to and how to quickly respond to a user enquiry or access request; and are accountable for the data they processes, know where it goes and whether it is necessary to keep it; the consumer will still believe "big brother is watching" if they do not take an active role in understanding and taking informed decisions regarding their online interactions.
Some concluding thoughts… Arguably, to strike the right balance between consumer and business accountability for a peaceful online co-existence, there needs to be an understanding that while businesses are in the business of making money, free access to services and the online technology that allows for it must be fuelled by personal data for the consumer to truly benefit from it. Assume for a moment that businesses aren't necessarily providing technology to take advantage of the consumer; on the contrary, this is an incredibly exciting time in technology, and providing free online services enables among other things an easier, more agile and much more convenient consumer experience. For instance, gone are the days when any of us had to set foot in a bank. So what is the price of freedom? The business gets to tell us about new services that might enhance our lives and of course their profits, which they can re-invest in better online services as well as the economy as a whole. It's a win-win. A bit of spam never hurt anyone, and if the security ball is unceremoniously dropped, there are watchdogs and regulators at the ready to defend us. To this end, new privacy, security and marketing legislation will support the better partnering of the consumer and online business. All in all, noble efforts undertaken to make living our online lives a bit more personal and peaceful.