Collecting, storing and sharing personal data has become ubiquitous with the age of information. It allows companies to know where we are, what we like and who we’re interacting with. So it’s unsurprising that many people believe data privacy is now completely dead. But is it premature to mourn its passing? What is being done to address how companies use our data? And who, ultimately, is responsible for providing better protection – us, our governments or companies themselves?
Companies are always finding new and innovative methods to collect personal data. Normally, it relates to the information needed to set up an online account – like email addresses, date of birth and location, which have become the minimum requirement for creating a social media profile.
But beyond the personal information we explicitly choose to share, there are a ton of methods companies can employ to gain more of our personal data. Requesting cookies allows our online behaviour to be tracked, and is often applied to serve us up personalized, targeted ads. But in parallel, lots of mobile apps track users’ geolocation, often for the sole purpose of selling our data on to third parties.
Individually, each of these types of collection only reveals a small part of our character and behaviors. But when taken together, they can form a creepily accurate profile of our activity – leading many to believe that data privacy is now dead.
Despite the fact data collection is now commonplace, people aren’t entirely comfortable with the practice. Recent research by DMA indicated that 75% of surveyed internet users in the UK were concerned about their online privacy. The US showed similar results, with 73% of consumers indicating an increased concern over privacy in the past few years.
The issue of companies collecting personal data is often not what makes people nervous. Privacy concerns instead tend to emerge from a lack of control over how personal information will be used, and a distrust in a company’s ability to properly protect data.
So the increasing collection and use of personal information is not something that people have “just gotten used to”. People still value their privacy highly, and seek greater agency and reassurance over how their personal data will be collected and used.
That said, individuals are not completely helpless here. There are a range of ways people can protect their privacy and enjoy greater control. Browser settings can be configured, or extensions added, in order to block unwanted third-party cookies. And in Europe, the GDPR has facilitated tools that can be used for requesting the removal of personal information held by companies.
But despite widespread privacy concerns, consumers rarely take measures to actually protect their privacy. Research by PWC found that under a third of those surveyed had actively changed their internet browser settings to enhance protections. And a survey by Deloitte suggested that 90% of consumers agree to terms and conditions documentation without reading them.
But consumers are scarcely to blame for this. Protecting privacy involves weighing the benefits of disclosing personal information against the potential harms present and the effort required to protect data. And since estimates suggest it would take a person up to 76 days to read all the terms and conditions they encounter each year, it’s not surprising. Many argue that these everyday legal contracts are intentionally stodgy, designed to put people off fine-combing the small print.
So, instead of reading the fine details, we operate by an unrealistic and inaccurate blind privacy calculus, making decisions using incomplete information. Since ensuring personal data protection currently requires a superhuman level of effort, in many ways privacy has experienced a “de facto death”.
It’s an issue that governments are increasingly recognizing, as the legislative pushback we are currently witnessing across the world clearly demonstrates. The GDPR is the most well-known example of government efforts to protect consumer privacy, but Europe isn’t alone in its efforts. China – historically renown for its lax privacy protections – has recently enacted stringent standards, which some consider to be more far reaching than those of the GDPR.
Common to both of these efforts is the empowerment of consumers. They hand service users more control over what personal information can be collected, and establish higher legal expectations over how to store and share parties with other parties.
Though the US has not enacted nationwide legislation, some states have been implementing privacy laws. There is growing political interest within the US to establish updated national privacy laws, as a survey by SAS shows: 67% of US consumers surveyed thought that the government should do more to protect consumer privacy.
Clearly, the world’s governments are making greater conscious legislative efforts to enhance the baseline privacy protections people receive online.
While governments can help to protect privacy, responsibility undeniably rests with the companies requesting personal data in the first place. Thankfully, many are becoming increasingly aware of the need to compliment governmental measures, and a 2015 Europe-wide survey of businesses showed that 66% felt data protection was an important consideration for their customers.
But many companies are beginning to understand that data protection is not just something to comply with; it is a minimum requirement for honest and reputable business. Building strong privacy protections into operations and products is a hallmark of a quality which consumers value.
This becomes even more important for services that leverage a user’s tracked data with a group of people – as in the case of employee performance monitors and time trackers. To avoid becoming intimidating surveillance tools, such products need to give users agency over what data they want to share with colleagues. But it’s a decision that product designers need to make right from the drawing board.
So, far from being dead, privacy is experiencing a new revival. Though practice has to-date been surprisingly invasive, companies are increasingly recognizing that consumers want – and expect – them to take data protection seriously; that their products need to lead with trust, instead of building it in as an afterthought.