The future of data privacy and compliance (and how to stop it)

With 2024 upon us, experts are once again sharing best practices for adapting your business’ data strategy to the times. From ensuring compliance with state-by-state privacy laws to preparing for the inevitable removal of third-party cookies over the course of the year, organizations face ever-increasing pressure to adapt to new realities.

Still, mere compliance isn’t enough: the winners will be those who can follow the rules without sacrificing their ability to glean valuable insights or offer superior customer experiences using data. In the rush to stay one step ahead of this changing landscape, too few people are asking if the privacy vs. data capture arms race is sustainable — and if it isn’t, what would a viable alternative look like?

The Unsustainable Status Quo

Today’s paradigm is built on data extraction. Customers (and prospective customers) browse the web and engage with brands while businesses monitor and record these behaviors alongside any demographic information required to register or transact with them. Once extracted, this data can be used for analytics, marketing, and other purposes — everybody knows this.

At the same time, everybody also knows that this has historically occurred without the users’ consent, which has given rise to the increasingly complicated mix of technologies and laws that limit how information can be captured, housed and utilized. We can place these within two broad categories:

  • Direct Regulation: Perhaps the easiest to understand conceptually, direct regulation involves any specific limitations or requirements imposed by government regulators and enforced under penalty of law. These regulations vary widely in both their requirements and jurisdictional scale. For example, General Data Protection Regulation (GDPR) governs the entirety of the European Union, whereas the United States is a patchwork of laws from each individual state — or no specific laws at all, in some cases.
  • Indirect Regulation: Indirect regulation comes in several forms. It could be voluntary agreements between private companies that limit how certain data is captured or used; it could be an individual data or advertising company imposing limitations on its software based on a desire to avoid more restrictive direct regulation; or it could even be a strategic move on the part of a major service provider to eliminate alternatives and ensure the adoption of new proprietary solutions.

Multiple regulation types mean businesses have to deal with more constraints, but that’s not the whole story. Direct and indirect regulation each have their own stakeholders, priorities, and timelines while also placing different stresses on organizations looking to be compliant. Once the cost of indirect regulation is taken into account, the total potential price tag becomes truly staggering.

The expensive regulatory situation and poor consumer sentiment around the state of online privacy make it clear that something has to change, but most forward-looking strategies continue to focus on extracting data from users as the only way to secure advantages in the marketplace. Typical advice includes tactics like social listening, lookalike targeting and device fingerprinting to re-create the essential functions of tracking and targeting methods that have been — or will soon be — rendered largely ineffective or outright impossible due to direct or indirect regulation.

This approach focuses on compliance at the expense of long-term sustainability. Instead of addressing consumers’ privacy concerns, so-called best practices presume that the interests of businesses and consumers are largely opposed, if not fundamentally incompatible. Regulators share this presumption, as do many technology providers, which forces businesses into the uncomfortable position of having to stay one step ahead of regulators and walled gardens in the race to capture valuable data.

Things get worse on closer examination. Companies that wish to stay ahead of the curve when it comes to data extraction for marketing and analytics end up fighting on three fronts:

  1. Against regulators & jurisdictions: Businesses are forced to get increasingly creative as regulators restrict how customer data is collected and used. This creativity does nothing to assuage privacy concerns, which means there’s ongoing, even accelerating pressure for additional regulatory protections.
  2. Against technology providers: Walled gardens understand the value of consumer data, and frequently use privacy considerations as justification for creating their own proprietary “privacy-preserving” audiences and data assets.
  3. Against their own customers: Surveillance anxiety makes customers less likely to opt-in to disclosing non-essential information about themselves, forcing businesses to look for newer, more cutting-edge methods of compliant data capture.

All three adversarial scenarios share a common thread: they’re part of a self-sustaining, self-defeating system. Surveillance drives anxiety, and anxiety drives regulation. Regulation drives data scarcity and value, which incentivizes walled gardens to capture that value by making it harder to access. All of this forces businesses into new modes of surveillance, which create more anxiety. It’s unsustainable, it erodes brand equity, and it’s all needlessly complicated.

Moving Beyond the Arms Race

So, what does the future hold? There’s a world in which everything gets taken to its logical, dismal conclusion. In that world, businesses and consumers are strictly opposed to one another, consumer trust is functionally zero, and the cost of compliant data capture and storage continues to soar. At the same time, customer experience falls off of a cliff because brands are unable to personalize effectively without ready access to data.

Things don’t have to end up that way. There’s another world wherein the root cause is addressed, and the downward spiral is interrupted. In other words, there’s a world in which we move past outmoded notions of data extraction and adopt a more collaborative approach to data collection and utilization. Done correctly, this empowers consumers, reduces surveillance anxiety and enhances overall experience, which completely disrupts today’s privacy arms race mentality.

Businesses can take steps to begin addressing the problem today:

  • Communicate your data collection policy in a clear, direct way rather than hiding it in a ToS — and let them know why you need that data.
  • Empower your customers to share more or less data as they see fit, including anonymous transacting when possible. Cookie preferences are a great start; the more you can go beyond all-or-nothing, the easier it is to build trust over time.
  • Reward your customers for making disclosures to you. This doesn’t need to be discounting (although it can be); instead, be sure that the data you collect translates directly into a superior customer experience.

This is only the beginning, though. The next evolution of data-driven engagement and experience will be won not by the craftiest or the most brazen when it comes to skirting regulation, but instead by the organizations that most effectively find paths to real partnership with their customers. This starts with transparency, but has the potential to go much further, including finding ways to share data’s financial upside with the individuals who actually generate it.

None of this is easy. Today’s methods may be collapsing under their own weight, but that doesn’t mean we’re poised to return to the bad old days of low data and low personalization. Indeed, we’re still in an arms race, and the most innovative companies will reap the highest rewards. The only difference is where that innovation is focused, and how it can benefit businesses and consumers alike. 

https://www.securitymagazine.com/articles/100526-the-future-of-data-privacy-and-compliance-and-how-to-stop-it