Sound Data Privacy Policy Can Drive Market Differentiation

When it comes to consumer technologies such as the Internet Things (IoT), the shift enables businesses to adapt their data privacy policy to redefine their customer interactions. Organizations with mature data privacy policy can use security and privacy as point of competitive differentiation, according to Lisa Donchak, engagement manager at McKinsey & Co. While those that don’t risk reputational bruising or potentially running afoul of a growing number of privacy regulations. The increasing amount of data business-to-consumer companies collect on their customers is a “double-edged sword,” Donchak said. “On one hand, you can do some amazing analytics, better understand your consumer and craft value propositions around that. On the other hand, there’s an increased responsibility to handle the data the right way.”

Many organizations struggle to keep abreast of the changing privacy landscape, and consumers are growing more aware of the data devices such as smart speakers to smartphones to facial-recognition-enabled surveillance cameras collect.

For manufacturers, studying relevant IoT security frameworks and regulations is vital. They should also think of risk from a variety of viewpoints, suggested Jeff Wilbur, technical director at the Online Trust Alliance at the Smart Home Summit. For a consumer, a threat can be internal or external, he said. “If you’re a homeowner, you might wonder: ‘Are people spying on me? Can they open my door? Can they get my data?’ But there’s also an external threat where IoT devices can be weaponized such as with the Mirai botnet,” Wilbur said. “That’s where the government has the most concern.” 

[IoT World is North America’s largest IoT event where strategists, technologists and implementers connect, putting IoT, AI, 5G and edge into action across industry verticals. Book your ticket now.]

Not only are data breaches frequent, they have become more severe in recent years. “Historically, a breach of credit card numbers caused minor inconveniences for a small subset of users who had to wait to receive a new credit card,” said Ben Auton, vice president at SpearTip. But the number of breaches exposing highly sensitive data, including personal images, financial and medical histories, is increasing. “This intimate, personal impact is unprecedented, and will certainly increase public awareness and aversion to this level of data being maintained by private companies,” Auton added. “In the end, this will likely lead to continued policy development and regulation.” 

In the event a company is breached, the response matters. “That’s a very strong signal,” she added. “Just saying you care about users’ security or privacy is not impactful.” 

Consumer-facing industries must also wrestle with a lack of trust from the public. Internal McKinsey research found that fewer than half of consumers trusted organizations ranging from health care and financial service institutions (both with 44%) to consumer packaged good companies. Consumer trust in technology companies is also waning, according to the 2019 Edelman Trust Barometer report. 

Proving Trustworthiness 

Given the  public’s eroding trust, organizations deploying technology in consumer contexts should ask only for personal data that is relevant for a given interaction. Organizations with a conservative data privacy policy can convey data management maturity to their users, according to Donchak. “We also recommend creating a map of where all your data is inside and outside your organization. After that, you can create clear policies about where and how it is used,” she said. 

Such considerations are particularly important when consumers have choice in the marketplace. McKinsey has noted a growing trend of consumers who avoid doing business with a company with problematic or unclear privacy practices. Internal research from the advisory firm found 85% of consumers stated they would avoid doing business with a company if they lacked trust in its security practices. Seven out of 10 consumers McKinsey surveyed said they would stop doing business with a company if it shared sensitive data with other parties without their permission.

The Importance of Clarity

Still, when consumers don’t have a choice, they may be forced to use a vendor with problematic security or privacy protections, said Chester Wisniewski, a principal research scientist at Sophos. In some cases, the question of how an IoT device gathers and uses data is unclear, even for cybersecurity specialists. “I read my TV’s privacy policy, and I can’t make heads or tails of exactly what it’s collecting,” Wisniewski said. 

License agreements don’t effectively communicate data privacy policy, agreed Deral Heiland, IoT research lead at Rapid7. “How often do you read those?” he asked. “And if a company changes hands, those user policies can easily change, and consumers tend to get a little notification.” 

Consumer IoT device makers should remind their customers regularly which types of data are collected, and offer an opt-out option. “That’s a pretty good approach because, if you as a consumer are not comfortable with something, you can turn it off,” Donchak said. 

Beyond the simple opt-in/opt-out model, another approach is to focus on informing consumers when and how their data is used. “Look at what Estonia does in health care,” said Will Ackerly, chief technology officer of Virtru. The country has deployed a centralized approach for unifying medical information that can notify patients when their data is accessed. “If a doctor reads your health record, you can get a text message,” Ackerly said. “The idea is to create a system that makes data self-protecting.”