Among the best things about our technology-enabled lives is that companies can use data to learn more about us, and use it to improve a user experience. But as recent breaches and headlines have proven, one of the worst things about our technology-enabled lives is that companies can use data to learn more about us. How can businesses find the balance?
“Beyond the formal legal compliance angles, the standard principle from which we at P&G make privacy decisions is, ‘How would the everyday consumer respond?’ Can we look them straight in the eye without blushing?” – Susan Shook, P&G’s Global Privacy Officer
Companies often collect data that benefits us as consumers. Everyone appreciates accurate product recommendations (“People who liked this item also liked…”), personalized updates (“It’s time to replace the supplies”), and human connections (“Your friend is nearby”). But any collected dataset is a potential data breach. People are cynical that any company has their best interests at heart. How do you reassure them?
Susan Shook, P&G’s Global Privacy Officer, spends a lot of time thinking about this issue. At CES, she’ll be part of a panel discussing P&G’s perspective on consumer privacy trends, along with Rebecca Slaughter, a commissioner on the U.S. Federal Trade Commission; Erin Egan, VP, Public Policy and Chief Privacy Officer for Policy at Facebook; and Jane Horvath, Senior Director, Global Privacy at Apple.
“Beyond the formal legal compliance angles, the standard principle from which we at P&G make privacy decisions is, ‘How would the everyday consumer respond?’” says Shook. “Can we look them straight in the eye without blushing? If it seems highly questionable, we don’t want to go there.” We shouldn’t treat consumers’ trust in the company as an automatic given, she advises; it’s better to thoroughly investigate a data-driven opportunity than to risk damaging the company’s reputation.
Consumer trust is hard to gain and easy to lose, as data breach examples and privacy missteps have taught us all. While legal risks certainly matter in regard to consumer privacy, the reputational risk is at least as important.
Explain what’s done with the data
In every case, Shook explains, consumers should feel that they get value from whatever data they give P&G, and they should never be surprised. Transparency is important: “Say what you want to do with the data, and then do what you say,” she stresses.
For example, consumers who want to engage with P&G may sign up on the website for email updates or a product newsletter. Part of that signup process is a short summary or bulleted list of what the company does with their data. That’s the simple case.
Sometimes, P&G has gone beyond legal requirements at the time. It’s best to err on the side of privacy sensitivity. For example, the U.S. law for email communications says that “opt out” is fine. That is, a company legally can add someone to an email distribution list (such as a newsletter) by setting a default opt-out approach. “But in the United States we have been primarily ‘opt in’ from the get go, with a few exceptions,” Shook says, “as it’s been part of our meaningful one-on-one engagement with consumers.”
That attitude extends to data that P&G wants to share across its brands. If consumers engage with Pampers, Shook says, perhaps to shop for baby gear, take a quiz, or sign up for rewards points, “We note that this data may be shared with other brands that are part of P&G’s family of brands. If consumers want to limit this sharing, they can exercise an opt out to be removed from all other P&G brand programs,” she adds.
It’s legal, but where?
Companies like P&G have a lot of control over their own data. However, consumer data is part of a larger, worldwide ecosystem, governed by geographic regulations that vary widely.
Fair information privacy principles date back many decades. Even when it wasn’t required by legislation, P&G generally has adhered to these philosophical tenets of data privacy.
However, today’s privacy policies are complex and fragmented, with nuances that will keep lawyers busy for years. There are a lot of gray areas where the law hasn’t caught up, Shook points out.
European leaders are fairly active on privacy regulations, an effort that started back in the 90s and culminated in Europe’s recently enacted General Data Protection Regulation (GDPR). GDPR was meant to harmonize data protection and privacy interpretations for all companies doing business in Europe. However, local regulators have been interpreting certain provisions of GDPR differently, causing potential legal landmines and nuanced go-to-market executions by country. Similarly, there are open questions about U.S. federal legislation. As lawmakers debate a federal standard in the U.S., many states have taken up their own patchwork of laws and regulations, the most significant of late being California’s Consumer Privacy Act (CCPA), which goes into effect this month.
Take the high road
One example of the increased complexity of privacy policies is corporate involvement in programmatic advertising, where hundreds of providers compete to provide data-driven insights in a real-time marketplace among marketers, agencies, data vendors, and publishers. To compete successfully in this environment, P&G may utilize data from third parties. For any company to conform with privacy regulations, it must know where the data came from, including how much transparency and opt-in the third parties offered to consumers. For example, P&G requires third parties who share data with it to sign data sharing agreements where the third parties make representations that they’ve legally collected and shared the data.
When P&G works with other companies, says Shook, “We validate [the provenance of the data] ourselves. We would not solely rely on another company to say, ‘We’ll take care of it,’ without other controls being in place.”
Eight or ten years ago, suppliers’ legal teams weren’t used to responding to these kinds of in-depth privacy questions. A retailer or supply chain partner that wanted to create a co-marketing campaign with P&G might not have thought through who was collecting the data, what was being done with it, or which retailer could access it. That’s changed, because companies understand that they are liable under the law.
Now, data privacy policies and differing risk perspectives are an important negotiating point in setting up partnerships. A supplier’s idea of what’s okay to do with consumer data may not match P&G’s. A partner’s lawyer might say a particular data-use is legally defensible. “But when it’s been too close to the line for us, on several occasions we have said, ‘Thanks but no thanks,’” Shook says.
Sometimes, that self-limitation is frustrating. The premise behind big data is that you can get insights from information you have collected but not yet correlated to another use case. Big data helped Wal-Mart discover that people buy more Pop Tarts before hurricanes, for example. If you don’t collect the data, you can’t discover those fascinating correlations, which can truly help consumers through improved customer engagement, real-time alerts, and data analysis leading to product or even medical breakthroughs.
Finding a balance between privacy and data innovation requires nuance and a “learner’s mind.” Competing and evolving privacy regulations are hard for companies to navigate – and also confuse consumers. “Even with my legal background, I couldn’t read all the privacy policies I trip across, given the number of hours in a day and the number of applications I use – and even with the benefit of legal training to make the reading a bit easier,” says Shook. “I don’t know how the everyday consumer could make sense of all of them, either.”
Right now, the burden is on the consumer to navigate it all. Shook sees a need for the industry to lock arms and work together on new frameworks for regulation and making existing policies clear and understandable. “We need concrete definitions on which we all agree, so that a consumer can more easily understand and define how they want to engage.”
This is too important for P&G’s future to delegate to others. “Often we left this to industry organizations,” she says. “We anticipate becoming more active.”
For example, at one point there was academic discussion of using the model of a nutrition label for presenting privacy information: a standard way to impart information in consistent, easy-to-understand terminology. That concept initially was raised many years back, Shook says, and perhaps it’s time to dust it off.
Consumer data privacy is important to everyone. Shook sees an opportunity for the business community to work together to find solutions — a topic likely to be front and center at CES this year.