BigTech has built its business model on collecting personal data-by-stealth and using it to sell to advertisers. Terms and conditions are so long and complicated almost no-one reads them, and most of us click accept. Few of us review the cookies that are dropped into our browsers every day and fewer still use browsers that block ad tracking cookies. However, the uneasy truth is that when a service is free, we’ve become the product.
The problem now is that we’re entering a new phase of personal data exploitation, where personal data is going beyond what we browse and buy on our laptops and phones. Recent studies by Imperial College London and Northeastern University show how smart TVs have been sending sensitive data to Amazon, Netflix, Facebook and Google, while popular apps like FaceApp and Zao use gamification to grab your very identity. These apps use facial recognition and artificial intelligence to generate highly realistic facial transformations, so you can ‘have fun’ with gender swaps, age changes, hair styling and even, with Zao, place your face on a famous actor in a film. They use your identity - your facial data points - and store them who knows where. In their terms and conditions, your facial data becomes their property. In perpetuity. If that’s not scary enough, both companies are state-owned: one Russian the other Chinese.
Another innocuous example is the proposed surveillance on the 67-acre Kings Cross property development in London, using facial recognition. A public outcry followed the Financial Times revealing the programme’s existence and the Information Commissioner’s Office subsequently launched an investigation. These are all warning signals for businesses building business models around personal data collection.
Privacy concerns are hardly a new event and since May 2018 global thinking on data collection, privacy and consumer rights is being re-thought following the implementation of GDPR regulations across the EU. Organisations across the board are finally waking up to the financial cost of eroded consumer trust, not to mention hefty fines. Just take Marriott International and British Airways as two recent examples. The Information Commissioner’s Office intends imposing a £99 million fine on hotel chain Marriott for failing to protect personal data contained in approximately 339 million guest records, and British Airways is facing a potential £183m fine for a breach of customer data.
In effect, privacy is becoming an essential building block for improving trust between business and consumers. Yet the productisation of consumers by Big Tech has left marketers with the dilemma of fulfilling consumers’ expectation of personalisation without infringing their privacy rights. Now the big question is whether marketers are prepared to give up their addiction to data collection to truly embrace privacy as a new competitive advantage?
There is no doubt that digital marketing and personalisation have enabled marketers to get a much clearer picture of their target audiences’ behaviours and desires, however, the overhead of governance, compliance and security has been hugely underestimated.
There is now an urgent need for brands to ‘look outside’ to define threats and opportunities to inform a customer data strategy that identifies what is and isn't collected, how it is used, and who it is shared with to improve the customer experience. Then ‘look inside’ to improve their practices, secure systems and comply fully with the regulations.
Start with GDPR compliance
One of the sectors we work with is the travel sector and we have noticed that only a handful of travel brands place cyber security and GDPR compliance sufficiently high on their list of priorities.
GDPR was the first step to set out obligations for businesses that collect, process and store customer data, ensuring full consent is obtained for specific, explicit and legitimate purpose, however I haven’t noticed any dramatic drop in spam emails since last May, so it certainly does not look like everyone is complying.
If we keep with the travel sector example, there are other long-standing security and data processing problems over and above the website and CRM issues. For instance, it remains common for luxury hotels and travel agents to email booking forms to clients and request, preferences and credit card details as part of the booking process. This is often provided in pdfs and emails without any obvious security in place, with hard copies also being held. If cyber criminals just need to hack into a reservations email server to harvest high net worth individual’s credit cards, the industry has a long way to go to get its house in order.
I’ve recently read a luxury hotel ‘visionary’ who thinks facial recognition will help the reception desk recognise individual guests and enable a more personalised hotel experience. He’s right, but he hasn’t thought through the consequences. Would you really want Ritz Carlton or another hotel brand holding your facial data, just so someone can greet you with your name? That’s not much of a value exchange.
And it is not just the travel sector that is affected. The financial sector is torn between securing its customer data and establishing the right of their customers to have their data transferred from one company to another under the new Payments Services Directive (PSD2) which requires banks to open their systems to other players to offer more choice. While this requires full consent, how will this data be used and who could it be sold to. If there’s a data breach at a fintech start-up, who would get to know your financial profile?
Meanwhile brands across almost every industry sector rely increasingly on personalisation which may on the one hand deliver much more relevant and hyper-targeted marketing messages yet may also risk compromising the very same customers marketers are aiming to engage.
Privacy has become a holistic issue as it effects consumers’ rights, and as a consequence, privacy has been elevated from a purely regulatory-driven agenda to one impacting broader questions around trust and sustainable business growth.
Data breaches are not only potentially embarrassing, they risk seriously devaluing a brand and damaging the trust that has taken years to build.
If this can happen to some of the biggest players in the business, whose cyber security budget dwarfs most businesses, how exposed are smaller organisations?
For those who have invested in the right systems and processes, perhaps privacy could become a highly valued competitive advantage?
We think that this will mean going way beyond promising customers that their data will not be shared with any third parties. Even knowing that they have the right to delete their data at any time and that it will not be used for any algorithmic “learning” is academic in the face of what unscrupulous individuals will do if they get hold of this data.
Securing systems and compliance with GDPR are simply the first two steps, but both need to be part of a full review of how every brand uses customer data for marketing and enhancing customer service.
It’s in every brand’s self-interest to provide secure, compliant and trusted customer data management, because if they get it wrong, it is not just the fines that will be punitive, the damage to their brand reputation may be irreversible.
For those who have not considered privacy and data security as strategic issues and only half-heartedly complied with GDPR, it’s time to wake up to the true cost of customer data.
Contact our brand team if you would like to discuss this article with one of our consultants.
Peter Matthews
Nucleus Founder & CEO
September 2019
Agree? Disagree?
Share your views by emailing enquiries@nucleus.co.uk