Recent data breaches have revealed two important aspects of the debate around consumer privacy:
- When it comes to keeping consumers’ trust, executives with MBAs are much more likely to make dangerous decisions than engineers focused on securing customers’ personal information.
- And the way people view the compromise of their most personal details has shifted.
Unlike with past breaches, where consumer concern centered on the potential for malicious actors to exploit compromised data, consumers have become increasingly worried about the conduct of the companies that hold their data.
Just 28% of consumers feel they have control over the way companies use and share their data and three-quarters (75%) support stronger privacy regulations.
A recent report in the New York Times exposed an agreement between Facebook and the Royal Bank of Canada that gave the FI — along with Spotify and Netflix — special privileges that most likely allowed its customers to read, write, and delete people’s private messages from within its mobile and web applications. RBC denied that it can “see users’ social media conversations.” But whether that is true doesn’t matter to bank customers, who will now flood customer service lines and question their relationship with the FI.
This shift in consumer privacy concerns is clearly reflected in the regulatory environment. While the General Data Protection Regulation in the EU stole headlines globally, in the U.S., states were flexing their own regulatory muscles. California and Vermont both passed sweeping privacy regulations, and stronger privacy regulations are also under consideration at the federal level.
The Senate recently introduced the Data Care Act of 2018. Although it’s unlikely to pass in a divided Congress, it hints at what federal officials are interested in seeing enacted at the national level. The bill would create a national data breach notification standard, as well as a “duty of confidentiality” requirement that would “Extend to third parties when disclosing, selling, or sharing individual identifying data.”
At the state level, part of what makes the California Consumer Privacy Act (CCPA) remarkable is its expansive definition of "personal information." That covers effectively every class of data that could be conceivably linked with an individual or household, including IP addresses, information regarding the individual's interaction with the website, and even "inferences drawn" about the consumer from these interactions.
While the CCPA does not immediately extend this definition of personal information to California’s breach notification law, the array of protected data is expanding rapidly as consumers clamor for greater control over, and transparency into, the use of their data.
- FIs must understand their customers’ habits and privacy preferences. To keep trust with banking customers, FIs need to provide clear policies and educational materials.
- Accelerate GDPR compliance to get a leg up on domestic regulations. Regulations like the CCPA take a page out of GDPR’s book in that they are structured to apply to any company that has at least one customer in the covered jurisdiction. Complying with the most stringent data regulations now can reduce the challenge of adapting policies to comply with new regulations as they appear.
- Create clear definitions for required information. That’s data that can’t be deleted — despite customer requests. FIs must establish clear disclosure and consent processes and evaluate them. Banks should also create process flows and swim lanes of responsibility to ensure the enforcement of privacy policies.