Progress on Privacy: Business Incentives and the GDPR
Last year, a journalist asked me, “Why is respecting customer data privacy sound business policy?”
My answer at the time: This is a matter of increasingly intense debate. Some claim that, in principle, more data means better services/improved customer experience. They argue that since consumers ultimately (or, what amounts to the same thing, superficially) judge providers on the basis of the experience (rather than what went into making it possible), providers that collect and effectively deploy more (or the most) data will win. Thus Ben Thompson (of stratechery.com and the Exponent podcast) thinks that Tim Cook’s recent speech about privacy – in which Apple is the good guy that respects privacy versus “others” (Google! Facebook!) who pillage with abandon – is silly. At minimum, says Thompson, this will simply lead to Apple producing a poorer experience: “[T]o collect less data is to, in the long run, deliver a worse product — and that would be antithetical to Apple’s mission.”
Others argue that we (as a society of users) are reaching a critical tipping point, that the laissez-faire, willful ignorance attitude toward giving up (personal) data is waning, and that people will soon, or eventually, find not just data abuse but most forms of data collection objectionable if not sinful. Thus Horace Dediu (of asymco.com and the Critical Path podcast) argues that “in the future,” harvesting data for the purpose of targeting, “will become taboo . . . toxic . . . the most distasteful, hateful thing.”
In other words, this debate isn’t about why respecting data privacy is sound business policy but whether it is. The answer to why it ought to be sound business policy is inscribed in Dediu’s position. But the emphasis here is really on business. Respecting privacy might be a grand and morally upstanding thing to do, but does it make sense for business? The answer, in fact, (and kind of sadly), is that it is a sound business policy only if and when and as long as . . . it’s demonstrably better for business.
Also, you have to ask what “respecting privacy” means. Tim Cook would have us believe that the “others” harvest data and sell it. But as Ben Thompson points out, Google, Facebook, and Amazon have zero incentive to sell your data. Harboring the customer profiles and keeping them for their own use is precisely the basis of their business model.
The positions in this debate – data-for-service vs. right to privacy – are still prominent today, and seem to pose an intractable, zero-sum exchange. Leave it to the faceless bureaucrats of the European Union to intervene in this debate with what the Interactive Advertising Bureau (IAB) calls a “draconian,” “blunt instrument” approach to data protection.
The new General Data Protection Regulation (GDPR) regulates the collection and use of personal data for any company anywhere in the world that has anything to do with any EU resident.
(Specifically, the GDPR regulates any organization that “offers goods and services” to EU residents or “monitors” their behavior.)
And, faceless or not, the bureaucrats are following and enforcing, in effect, a constitutional obligation: The EU’s Charter of Fundamental Rights guarantees the “right to respect for private life and the right to protection of personal data.” These rights cannot be abrogated simply because the internet’s predominant business model is based on the exchange of personal data for services. (In fact, the GDPR specifically states that a service may not be withheld contingent on consent to access personal data. Which means, in my view, that Google will be obligated to offer tracking-free search services no later than May 25, 2018.)
As Steve Kenny has noted, the GDPR effectively “places an incendiary into the plumbing of the most advanced and ubiquitous monetization architecture of today—Internet advertising.” Indeed, it directly undermines and sanctions the predominant digital marketing and customer experience strategies of most companies (and their vendors), which are based on what I call “data maximization” – collect as much data as possible, from any source possible, then figure out later what to do with it.
In contrast, the GDPR legally requires data minimization – which means that an organization has to be able to demonstrate – upon request, or in some cases in advance – that they have designed a data processing system that:
· Acquires consent from the consumer to collect personal data for a specific purpose
· Uses the smallest possible amount of personal data
· For the shortest possible period of time
· And deletes the data as quickly as possible after the “processing” (for that particular purpose) is completed.
In short, the GDPR is the trump card in the debate about data-for-services and more broadly about wide-scale data collection for marketing purposes. Given its global reach, the GDPR truly is the end of digital marketing as we know it. (For more information see our recent webinar.)
Speaking of incentives? The GDPR stipulates fines of up to 20 million euros or 4% of global turnover. For Google, that’s about 3 billion dollars.
With the GDPR, last year’s business value calculus has taken on a whole new dimension. Contact us to learn more, or to schedule a workshop for your firm on the GDPR.