Across a range of scenarios that involve interactions with brands and service providers, customer willingness to share information about themselves is being tested.
Consumers of “free” online services generally understand these days that “they are the product”: that they trade some of their privacy in exchange for access. But there is a fine line between what is and isn’t an acceptable use of customer data in this space, and we know this because there is growing evidence in many countries that the line is crossed fairly often.
Loyalty schemes face similar existential questions about their data handling practices. While consumer sensitivity to sharing data with such schemes is heightened, 55% are still willing to share information where they perceive the value exchange they receive in return to be equitable, according to one recent Australian survey. Still, this shows there’s room to improve data-handling practices and to build – or, in some cases, try to rebuild – trusted relationships with customers in this space.
Retailers, telcos, insurers, utilities and other service providers – and a long tail of associated third parties involved in data collection and analysis – all find themselves in the same boat. These are the types of organisations that have suffered data breaches that exposed customers’ personally identifiable information (PII). These incidents have not only increased the prospect of identity theft, but also raised questions about data collection practices generally: how much, or how little, control a customer has over their data, and whether that data is stored or used long after the purpose for which it was collected has expired.
All of this has translated into changed customer behaviour. As McKinsey notes, “While 59% of consumers think that, in general, companies care more about profiting from their data than protecting it, most respondents have confidence in the companies they choose to do business with”.
The same survey shows 85% of consumers now check a company’s data handling policies before transacting and that 53% will only transact with companies that have a reputation for protecting customer data.
What organisations need in place today
For organisations and brands, the takeouts from this are twofold.
First, any organisation collecting data should be clear about how it intends to use it, and should spell that out in its data and/or privacy policies, since it’s clear prospective customers are going to check.
If the data is to be shared, internally or externally, the organisation should be upfront about that when obtaining the data in the first place. Customers expect that their data will be used to drive personalised marketing or similar outreach, but may be less comfortable with more uncontrolled uses involving third parties.
The second takeout is that organisations need an appropriate identity and access management (IAM) system and controls in the backend to manage customer consents around data use, either on the customer’s behalf or, preferably, by giving the customer some self-service control. The same controls need to make use of the customer’s data traceable and auditable, so that it can’t be accessed inappropriately or used in ways that would violate customer consent and trust.
Preference management and consent cannot be ‘set-and-forget’. What a customer is comfortable consenting to today may change across the course of their relationship with an organisation. A customer may authorise data use only for a particular period of time. Alternatively, they may decide to revoke a prior consent.
It’s incumbent on the organisation to be able to honour that, while ensuring that previously authorised data usage ceases. In the future, in Australia, customers may have a formal ‘right to be forgotten’, similar to a right that exists in Europe. That would again thrust responsibility upon organisations to have strong IAM in place to manage this.
Just as importantly, IAM controls who accesses customer data internally. Knowing that shared data is going to the right internal user, one who has the requisite access permissions and is requesting it at the right time and place, is critical to auditability and to ensuring customers’ wishes around data use are respected. This helps build trust in the relationship and marks the organisation as one that is trustworthy to transact with.
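As an added illustration (not code from any product or from this article's author), the sketch below shows one way a backend could combine the points above: a consent that is tied to a purpose, can expire or be revoked, is checked together with the internal user's role, and leaves an audit entry for every decision, including denials. The role names, purposes, customer IDs and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Consent:
    expires_at: Optional[datetime] = None   # None = no time limit set
    revoked_at: Optional[datetime] = None   # set when the customer withdraws

# Hypothetical mapping: which internal roles may use data for which purpose.
ROLE_PURPOSES = {"marketing-analyst": {"personalised_marketing"},
                 "support-agent": {"service_delivery"}}

AUDIT_LOG = []  # stands in for an append-only, tamper-evident audit store

def authorise(consents, role, staff_id, customer_id, purpose, now):
    """Decide whether staff may use a customer's data; log every decision."""
    consent = consents.get((customer_id, purpose))
    if purpose not in ROLE_PURPOSES.get(role, set()):
        allowed, reason = False, "role_not_permitted"
    elif consent is None:
        allowed, reason = False, "no_consent"
    elif consent.revoked_at is not None and consent.revoked_at <= now:
        allowed, reason = False, "consent_revoked"
    elif consent.expires_at is not None and consent.expires_at <= now:
        allowed, reason = False, "consent_expired"
    else:
        allowed, reason = True, "ok"
    AUDIT_LOG.append({"at": now.isoformat(), "staff": staff_id, "role": role,
                      "customer": customer_id, "purpose": purpose,
                      "allowed": allowed, "reason": reason})
    return allowed, reason

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: one time-limited consent, one revoked consent.
CONSENTS = {
    ("cust-1", "personalised_marketing"): Consent(expires_at=utc(2024, 7, 1)),
    ("cust-2", "personalised_marketing"): Consent(revoked_at=utc(2024, 3, 1)),
}

if __name__ == "__main__":
    for cust, when in [("cust-1", utc(2024, 4, 1)), ("cust-1", utc(2024, 8, 1)),
                       ("cust-2", utc(2024, 4, 1)), ("cust-3", utc(2024, 4, 1))]:
        print(cust, when.date(), authorise(CONSENTS, "marketing-analyst", "staff-17",
                                           cust, "personalised_marketing", when))
    print(len(AUDIT_LOG), "audit entries")
```

Because the decision is evaluated at the time of each request, a revocation or expiry takes effect on the next access without any change to the staff member's role.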
Decentralised identity will change the nature of relationships
In the longer-term, consent and preference management is likely to look very different, with the customer – not the organisation – at the centre.
The emergence of decentralised or self-sovereign identity promises to flip the current brand relationship and data access paradigm on its head.
Rather than the situation today, where a customer has to provide data over and over and authorise themselves with every organisation they transact with, in the future customers will have one identity that they centrally control and can use to authenticate to every organisation.
This identity, stored in a digital wallet on their smartphone, will also be significantly privacy-preserving, sharing only the bare minimum of information required to do business or transact. For example, if age verification to use a service is required, decentralised identity proves the identity holder meets the threshold, but does not share their actual age, date-of-birth or other identifying details.
That shift in the balance of power in the relationship will have a number of impacts for organisations around data collection or use, and how transparent they will need to be in order to receive customer data into the future for personalisation or other analytics-based purposes.