Data Privacy Important for Consumer Trust, Not Just Compliance, Say Panelists

“For context, every company now is a data company, and they are all increasingly leveraging data for profit,” said Kristin Johnson, head of privacy and governance at Afiniti. “This is happening against an increasingly complex regulatory landscape, given the fact that privacy laws are expanding globally, the [General Data Protection Regulation] continues to have a lot of influence on new legislation, and the U.S. has an increasingly complex patchwork of state privacy laws.”

As such, data privacy is “an increasingly significant ethical principle, guiding responsible, fair and compliant use of personal information today,” Johnson added.

Moreover, “a robust [privacy] program must be grounded in ethics and focused on doing the right thing in relation to data handling, adhering to applicable legal requirements, ensuring transparency with data handling accountability and also ensuring that team members handling data understand how data ethics applies to their company, as well as their specific role and responsibilities,” she said.

However, Tiffany Li, associate law professor at the University of San Francisco, said sometimes companies "forget the ethical components of privacy." This can happen when an organization thinks of "privacy law as a compliance checkbox," where "you do what the law says" without considering further steps that consumers may want, she said.

To combat a check-the-box view of privacy, Li said she teaches students to consider consumer opinion as well as compliance requirements. “Ethical privacy principles can actually be a market differentiator in many industries, and if not that, at least you have this idea of being a good-faith actor if you run into any issues."

Johnson agreed. “Trust-building is directly linked to corporate profitability,” she said. “The two go hand-in-hand." Top of mind for consumers is: "I want to know that you're going to do the right thing in relation to handling my data," Johnson said.

She said a recent IAPP privacy and consumer trust report found that "57% of global consumers view the use of AI in collecting and processing personal data as a significant threat to privacy," which is something companies can be aware of when planning their approach to AI.

Jevan Hutson, privacy and security associate with David Wright Tremaine, said there is “a common refrain" that ethics in privacy is “nice to have,” but not something companies should prioritize and spend lots of money on. Companies often say "'We'll meet our compliance obligations, but anything beyond that is maybe something we'll get to [later]', or 'When we have the money, we'll think about it,'" he said.

Johnson said “it's helpful to counter" that view "with data and reports.”

Li also said “pointing out the average cost of a data breach, pointing out recent high-profile privacy incidents” can help emphasize that privacy ethics are more than just nice to have. Noting "all the bad press" companies get when they suffer a breach is also effective, she said.

From the consumer perspective, media coverage is a big deal, said Johnson. If "I see information online that gives me concern, that will make me look elsewhere" for other places to bring my business, she said.

Creating ethical principles in a privacy program is a continuous process, Johnson said. “Once you lock in that tone at the top in relation to your privacy program, you have to maintain it,” she said. “It's not a one-and-done kind of exercise.” Johnson said a “focus on making privacy relatable” for company staff and consumers helps keep a focus on ethics in privacy.

While privacy assessments can be taxing, especially within the patchwork of differing state privacy laws, they are key in helping to keep companies compliant and consumer data safe and protected, said Ashley Fowler, senior privacy program manager at Osano, on another panel Thursday.

“It's important to remember that assessments are the core of what we believe in as privacy professionals, and what they really bring out is accountability,” she said. “They can be tedious, they can be exhausting, but if done properly and effectively they can accomplish so, so much.”

The three states with privacy laws that become effective this year -- Maryland, Tennessee and Minnesota -- “have data protection assessment requirements,” Fowler said. “Accountability in our business is key, and I think assessments are a really great way to prove that accountability every time."