Next month something really big is going to happen and not a lot of people in the U.S. are talking about it. On May 25th, 2018 the General Data Protection Regulation (GDPR) goes into effect in the European Union. This is a sweeping set of rules governing the privacy and security of personal data. These rules include severe monetary consequences for non-compliance.
This law goes into effect at a time when we see the demand for data growing exponentially worldwide. It is estimated that, due to the IoT explosion, the digital universe will be around 200 ZB by 2025. Further, China’s internet users generate more data than the rest of the world combined. Baidu, Alibaba & Tencent remain dominant players in this regard. Alibaba plans to surpass Amazon Web Services by 2019, according to The Economist.
Had these regulations been in effect at the time, the implications of past breaches at major firms such as Yahoo, Equifax, and Facebook would have been catastrophic for those and so many other companies. Facebook recently said that most of its 2 billion users had their data scraped without permission. They also said information from 87 million accounts may have been 'improperly shared' with an outside company. Those are staggering numbers. Let’s not forget, it is called the 'World Wide Web' (www) and data flows freely across the globe. The GDPR will impact any firm, regardless of its location, if:
- You monitor the behavior of data subjects who are located within the EU
- You are based outside the EU but provide services or goods to the EU (including free services)
- You have an 'establishment' in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside the EU for an EU-based company)
So, what does this mean for the future of customer engagement? What impact will GDPR have on the rest of the world?
PwC did a study during August and September 2017 of a nationally representative sample of 2,000 Americans over the age of 18 via an online survey and video interviews. The results are startling, to say the least:
- 69% of consumers believe companies are vulnerable to hacks and cyber-attacks.
- Only 25% of consumers believe that most companies handle their sensitive personal data responsibly.
- A shocking ten percent of consumers feel they have complete control of their personal information.
- Only 15% of consumers think that companies will use their data to improve their lives.
- 85% of consumers will not do business with a company if they have concerns about its security practices.
With this consumer sentiment, how can companies sustainably grow at the pace they have been for years? In 2017, Facebook’s revenue topped $40 billion, of which $39.9 billion was from advertising. That means their revenue is dependent on the same consumers who don’t trust that companies are doing enough to secure their personal information. The hashtags #DeleteFacebook, #BoycottFacebook and others like them represent a movement that is real and at a minimum is causing a renewed awareness and in some cases panic for both the companies and consumers. It is clear that change needs to happen sooner rather than later.
Will change in the US follow the path that the EU took and be legislated by the government? Will there be a mass exodus of online users from some of these platforms that will dent the economic landscape of online advertising for years? Or will the changes come from the technology titans themselves, taking meaningful steps like the ones that Mark Zuckerberg outlined for Facebook recently? Or, more likely, the outcome will be shaped by all three.
The reality is that it is not that simple to pull yourself 'off the grid' in this day and age. How about the proud protester who deleted his Facebook account to punish Mark and his band of thieves only to move his online activity over to Instagram (which is owned by Facebook)! What we need is a Consumer 'Bill of Rights' that is embraced by the industry and enforced by any company doing business on the web.
For online businesses to earn back the trust of the online consumer and continue to be successful and grow, they will need to do six things consistently well.
1. Transparency – Companies need to be transparent about how consumers' data will be collected, stored, protected and used. Anything short of excellence will be unacceptable and companies will suffer the consequences.
3. Explicit Consent – Vague references to use of personal data buried in the Ts and Cs or prepopulated checked boxes will no longer be acceptable. Consumers will need to deliberately opt in.
4. Opt-out – The 'Unsubscribe' button that never works, or the message that says, 'Your opt-out will take between 7-14 days,' after which you find out you are still on their list, won’t be the best way to generate trust and goodwill. Consumers will insist on a simple way to opt out if they no longer want to be associated with a site, app or newsletter.
5. Impact of Changes – Consumers will need to be educated on changes that impact them and the data they have shared. Companies won’t get by with messages that say, 'Update Needed' with a description that says, 'bugs and performance.' What does that mean? Any updates that impact the storage or use of consumer data need to be explicit.
6. Commensurate Value – Lastly, and most importantly, the consumer must believe they are receiving commensurate value for the right to use their data on their behalf.
Data is power, and power corrupts. It is time to implement changes that won’t stifle innovation but will encourage discipline and creative entrepreneurs to improve consumers' lives responsibly and safely.