Organisations must rethink privacy. Why? Because brands must focus on the value of trust and earn consent; more so following Data Protection Authorities (DPAs) recent clarifications of the regulation and now that enforcement has begun against a number of the 89% of websites that are non-compliant.
As Emma Grey, Chief Data Officer of ANZ bank, has said “There's no morality in just complying with the law to protect our own interests. We want to set the bar higher, and we are doing this because it's the right thing for our customers and not because we are driven purely by compliance. In that transparency we'll gain more customer trust and from that they'll give us more information so they'll get even better products and services, it's really a compounding thing.”
Privacy can then become a competitive advantage.
A recent Deloitte article, The value of a better privacy experience online argues that “creating true transparency and control will make a difference when establishing consumer trust. Making the privacy experience online more customer-centric and user-friendly is a critical step in that direction”. The article goes on to say that “new tooling already makes it easier to automate privacy processes, which is efficient for creating new opportunities in branding and customisation. Privacy can then become a competitive advantage” – more about new tooling later.
Are software vendors partly to blame?
Many applaud Emma Grey's sentiment (above) but are they merely paying lip-service? It's incredible static that 89% of websites are in the breach of the recently clarified cookies regulations. The study, titled Dark Patterns after the GDPR saw researchers from MIT, UCL and Aarhus University trawl through 10,000 UK websites.
The research found that just 11.8% of these websites met “the minimal requirements ... based on European law”.
The reports goes on to say “11.8% is an extraordinarily low number for seemingly market-leading Consent Management Platform (CMP) vendors and suggests an urgent role for data protection authorities to take action to ensure only correct configurations are permitted”. Ironically, it would appear that the Consent Management Platform vendors (Cookiebot, Crownpeak, OneTrust, Quantcast and TrustArc) – the very people that are supposed to be helping organisations comply with the regulations – are badly letting their customers down.
The MIT, UCL and Aarhus research goes on to say “The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to – or worse, incentivising – clearly illegal configurations of their systems”.
Organisations must rethink how they engage with software vendors; with new levels of accountability front of mind.
So how can this situation of wide-spread non-compliance have come about? It could be argued that it's born out of a lack of clarity in the regulation and that the majority of CMPs were built and deployed prior to the clarification. Perhaps CMPs have been deployed with half an eye on pacifying the marketing department and less so to satisfy compliance?
Deloitte article suggests that new tooling is available to automate privacy processes but in relation to cookies specifically, the market-leading CPMs are clearly outdated and not making the most of automation. Probably time to start exploring alternatives that do – innovation and automation is out there in this space!
Regulations have been clarified and enforcement has begun.
Either way, there are troubles ahead for organisations that do not get their act together. The Information Commissioner's Office (ICO) published clarity around the regulation in July 2019 with many other Data Protection Authorities' (DPAs) across Europe following suit. What has followed has seen the Court of Justice of the European Union's ruling in the Planet49 case, supporting the DPAs' clarification and the DPAs beginning to issue fines for breach of the regulation. With many more complaints being received and a clear appetite amongst DPAs to ensure regulatory compliance, we can expect to see an increase in the number and severity of fines being issued moving forward.
The importance of privacy & trust in the digital economy.
As a report by the ICAEW argues, “trust is an essential feature of any economy and society. It enables businesses and individuals to carry out economic transactions and social interactions in the belief that other parties will behave in a non-harmful way. Building trust that other parties will secure and use digital information in acceptable ways is therefore an important element of addressing concerns about, and building confidence in, a digital economy”.
So why rethink privacy? In the short-term it could help you avoid a hefty fine but in the long-term: because the winners in the digital economy recognise that trust is a major factor for organisations and a central component in their ability to compete.