Tricia Dunlap, Esq. & Ben Nelson
Ben Nelson is an experienced technologist at SingleStone Consulting who has provided custom application development and technical leadership for the public and private sectors. He is a writer, podcaster, and presenter.
~4 minute read
Be Smart(er) about Data Collection
In recent years, many businesses have come to perceive data as a commodity. In fact, some businesses collect data just because they can, even if they don’t need it to achieve their legitimate purposes. It seems that some business leaders think of data as a dollar bill lying on the sidewalk. Why not pick it up?
Because, thanks to an increasingly complex data privacy legal landscape, businesses that treat data or personal information (PI) as commodities are probably sowing the seeds of future liabilities. Data is a business asset, but like any asset, it can be toxic.
What does the consumer really know about data collection?
You might think we’re overreacting. After all, don’t consumers routinely give their consent to data collection practices? Yes, consumers do give their consent but, let’s be honest, that’s almost always a fig leaf. Most consumers do not understand that the privacy policy and terms of use they click approval of but rarely read often give a company legal ownership of their data in perpetuity. Or that, when the company they consented to is sold, their data is also sold to the new owner.
The consequences are that consumers do not know who will have control over their data in the future or what safeguards will be in place. Further, consumers often face a choice between surrendering their data or being locked out of society. That is not informed consent.
One result is a rising tide of consumer anger over how businesses collect, store, use, and share their data or PI.
A global response to data collection
In the European Union, rebellion against ubiquitous data collection resulted in the General Data Protection Regulation (2018) replicas of which have been adopted by numerous other countries. In California, it led to the California Consumer Privacy Act, effective January 1, 2020. Unsatisfied, Californians for Consumer Privacy got a data privacy rights referendum on the ballot for the November, 2020 election.
In 2019, the Illinois Supreme Court held that consumers aggrieved by violations of Illinois’ Biometric Information Privacy Act could prevail against defendants even if the consumer could not show they were harmed by the violation. In states across the U.S., waves of data privacy legislation and litigation are forcing change.
Method of Data Collection
What does this mean for businesses?
A 2019 survey of senior executives by Gartner showed that the acceleration of privacy regulation and related regulatory burdens is the top emerging risk faced by companies globally. In fact, 64% of executives identified it as a key risk, and 70% of executives from the banking, financial services, technology, telecommunications, and food, beverage and consumer goods sectors identified it as their top risk.
We are on the cusp of a new era, triggered by the growth of indiscriminate data mining and plagued by its unique legal, regulatory, reputational, and other risks. Now, every business should adopt the following six core principles to guide its data collection practices:
1. Data and PI are not commodities.
The idea that people we don’t know have access to our personal information makes us feel vulnerable and exposed. The “Big Brother” effect can impact one’s psyche. PI is not a commodity. If your customers feel that you are treating their PI as such, they’ll never trust you.
2. Establish a strong, voluntary internal compliance program.
Commit to understanding the current regulatory environment at the local, state, federal, and international levels. Continually track its rapid evolutions. Document your company’s current controls, identify risks arising from your current practices, and build an internal compliance program designed to mitigate those risks with appropriate oversight baked into your compliance model.
3. Collect only factually accurate information. Once data is no longer current or accurate, dispose, delete, or destroy it.
Consider how grateful your customers would be if they received a notification letting them know that the personal data you collected from them had been properly disposed, following the terms of use that they signed.
4. Minimize data collection. Take only what is strictly necessary for your legitimate business purposes. Hold it only as long as you need it.
We are past the “Data is cheap. So, let’s keep everything” days. Your data team wants to spend less time cleaning data and more time building innovative products designed to bring value to the people whose data you have legitimately collected.
5. Impose very strict limitations on data profiling.
Secure a data subject’s informed consent before using her data to make decisions that impact her, such as credit worthiness.
Data is biased. Bias can lead to incorrect conclusions that harms people. You must educate consumers about how their data can be inadvertently, or intentionally, used against them before people consent to have their data used in this way.
6. Everyone, regardless of their relationship to the company, must have access to their own data.
That includes the data, info, and intelligence that a company has about them. This access should be enabled by design, be user-friendly, and adapted and localized to different cultures/ languages/ contexts.
Your data is just that… your data. Companies create innovative products and services to use that data. But at the end of the day, we should all be able to access our own data, regardless of how or why it was collected. Companies that include their customers in the innovation journey will generate positive social impact. You can lift the lid on the black box of data collection.
Be smart(er) about data collection. Be transparent with your customers. Engage legal, compliance, and risk professionals to create an internal compliance system and culture grounded in these six principles. As a result, you will build trust with the people who use your products and services and ensure that innovation can continue to have a positive impact on our society.
If you have any questions about how we can help, please get in touch with Tricia at Dunlap Law PLC or Ben at SingleStone Consulting.
If you need help with handling a coronavirus lawsuit, I hope you’ll get in touch.
Make sure to subscribe to our YouTube channel so you can see new videos on coronavirus, data privacy, and other business law topics! Also, like us on Facebook and LinkedIn.