Consumers want organisations to give them more control over their personal information as the Internet of Things (IoT) grows and connected devices harvest masses of data.
Research from the Economist Intelligence Unit (EIU) finds that “large majorities” of customers want companies to ask for permission before collecting and distributing any personal data they gather from customer interactions or IoT programmes.
The findings may pose a strategic challenge to some IoT projects.
Transparency and consent
The report finds that consumers “want greater transparency and control”, along with “commitments from government and industry to protect privacy”. And when companies fail to adhere to data protection regulations, consumers want governments to slap them with hefty fines and sanctions, said the EIU.
The report comes just weeks before the EU’s General Data Protection Regulation (GDPR) comes into force, along with the UK’s related Data Protection Act (for more on both, see Internet of Business says, below).
Sponsored by identity management firm ForgeRock, the Economist study nevertheless provides a useful snapshot of the concerns that many people have about IoT ecosystems – some of which will be addressed by the new data protection rules.
Nearly all of the respondents (92 percent) said they want to control the type of personal information that companies can collect. This may suggest strong customer resistance to any IoT systems that harvest data automatically.
The same number said they want punishments to be increased for firms that “violate” their privacy rights, and that fail to comply with laws such as GDPR.
Nearly three-quarters of respondents (74 percent) are worried that even the smallest privacy invasions may affect their civil rights, while 57 percent categorised the so-called right to be forgotten as being the “most important” consumer rights rule.
Meanwhile, a significant majority of consumers (89 percent) said they are uncomfortable that third-parties gain access to their data without asking for permission.
These concerns have certainly peaked with the recent controversy over the use of Facebook data by UK company Cambridge Analytica, and related stories about the social network harvesting call data from Android phones.
Part of the problem is users not reading the Ts and Cs of platforms they join, or not customising the default settings. However, with IoT programmes that may harvest data from sensors, cameras, or even phones, the issue of consumer trust and consent may be a bigger challenge than some organisations realise.
IoT reliant on data protection
Eve Maler, VP of innovation and emerging technology at ForgeRock, believes that IoT companies need to become better informed on shifting consumer attitudes toward digital privacy.
She said that more people are now demanding improved data protection mechanisms from technology firms, especially as the GDPR deadline looms.
Maler argued that, “consumers are acutely aware that their personal data is at risk, and feel strongly that they should have more control over how data is collected, managed, and shared.”
She added: “With just weeks to the implementation of GDPR and the recent revelations around Facebook’s data handling policies, the topics of personal data privacy and regulation have dominated news cycles as never before. And with good reason.”
Ben Goodman, VP of global strategy and innovation at ForgeRock, noted how consumers are becoming increasingly savvy about data protection. “Going forward, businesses will need to be clearer about their answer to this question if they want to keep consumer trust – and ultimately, loyalty and share of wallet,” he said.
“For years, we have had free access to social platforms where we’ve traded our personal information for access.
“In light of the recent disclosures around Facebook’s data handling policies, I believe we need to reconsider what we view as ‘hacking’ and what behaviours should be addressed as such, so we can put the proper safeguards in place.”
Internet of Business says
As noted above, the report comes just weeks before GDPR comes into force, and could be seen as a primer, perhaps, for the new data protection environment. In the UK, GDPR has been cast into law under the provisions of the Data Protection Act.
The EU’s aim is to shift the advantage away from data collectors and towards individual citizen rights – with fines of up to four per cent of turnover for breaches, strict reporting guidelines, and a citizens’ right to have data permanently erased from servers and mirror sites.
At heart, the new rules seek to make organisations more accountable for their actions. As a result, the most pressing area will be consent: the new laws’ stipulate that personal data must only be collected for “specified, explicit, and legitimate purposes” with “the consent of the data subject”.
These clauses alone may make a marginal difference to most digitally enabled enterprises, but further provisions should be of greater concern. The new rules say that processing this data must be necessary to “protect the vital interests of a data subject” and “for the performance of a task carried out in the public interest”.
Many processes are becoming increasingly automated and/or AI-enhanced, but some of that innovation may have to be unpicked if the data it addresses is found to be in breach of consent, ‘vital interest’, or ‘public interest’ rules.
However, the core challenge remains that there is no central mechanism or platform for managing consent, individually or en masse. Slow, problematic blockchain has been proposed as the bedrock of a new data commons, but in the technology’s present form that idea is probably unworkable.
An better idea is the concept of a personal API, like a self-managed digital rights platform for citizens’ data, which organisations could be obliged to interface with, effectively licensing data on consumers’ terms; citizen-backed CSR, perhaps.
But creating and enforcing such a system retrospectively, after a quarter century of ecommerce and mobility, may be a pipe dream.