Wary of connected commerce — but nonetheless excited about IoT — consumers are conflicted about the tradeoff between privacy and security. In an interview with PYMNTS’ Karen Webster, Chris Babel, CEO of TrustArc, weighs in on the ways firms can give consumers choice in what they share and when — and how GDPR across the Pond may have a say in shaping such interactions.
Data and connected devices. Privacy and choice.
Decisions, decisions.
A recent study, done jointly between PYMNTS and Visa, found a growing level of comfort among consumers with the concept, and practice, of shopping with connected devices, the realm of the Internet of Things (IoT). Three-quarters of 2,600 U.S. consumers surveyed said they have 4.4 of them, and 83 percent reported that they view these devices as critical to reducing friction when it comes to paying for things when using them.
But what concerns those consumers is how their data is used and how it will be kept secure. It seems the more things change, the more some things stay the same, with a high value placed on trust and security.
In an interview with Karen Webster, Chris Babel, CEO of TrustArc, weighed in on the general needs and wants of the consumer. Babel said that the assumption of data protection is a given no matter the conduit of device, but choice in just what data is shared is fast growing as a key desire, too.
People worry about security issues at the consumer level, he said, but as an industry — particularly in the financial industry and in commerce — firms in those arenas “have figured out a way to take care of the consumer.” He noted that transactions at a gas pump, for example, typically require an additional layer of authentication, such as entering a zip code. “People feel good,” in this environment, “that their money is protected. I may lose a card on a trip … and that is a pain in my butt … but I carry three or four cards, so I am OK.”
But firms must make sure that they lock data down, especially from a security and compliance perspective, said Babel. And once the mechanics of security are locked down, then the question for enterprises comes down to whether companies are using consumer data in alignment with local laws and international laws.
Nowadays, said Babel, consumers get so many breach notifications that they worry about their most basic and valuable data. Such morsels, catnip to hackers, range from name and social security number to even relatives’ data, and once stolen, “the toothpaste is out of the tube, and you cannot put that back. You do not get issued a new identity … The consumer is getting worried about … true facts about them that are leaving the premises … data goes somewhere, and they do not know,” how or why, or how the data will be used in the future, he said.
Such corporate actions leave the realm of mere security and venture into the realm of customer preference, said Babel, where some individuals may, in fact, want to be the recipient of a targeted ad … or not.
Might the U.S. be gearing up to take a page from the General Data Protection Regulation (GDPR) that is looming in Europe? The regulation can leave firms on the hook for 4 percent of global revenues for security violations — and that extends to any firms that do business in the EU.
“You need to know what data you have, how it is classified … [if it is] super sensitive … or is it innocuous,” said Babel. The GDPR gives a hint as to how data privacy may be managed in a new age of regulation.
“Considerations extend to cross-border transactions, and even whether firms are processing that data for their own use or on behalf of another party.” With highly sensitive consumer data, he added, “you may have to go and ask a regulator if it is OK.”
Firms must then consider additional steps, such as anonymization, asking users for consent, or conducting what is known in the industry as a legitimate interest balancing test, which measures societal benefit in comparison to an individual’s benefit. Juggling such considerations amid global financial firms can be a heady feat.
Webster pointed to a theme posited by some in the payments realm (notably Nest’s Tony Fadell) — why not create a customer manifesto in lieu of simply striving to satisfy regulators?
In that case, the customer owns and has access to their data privacy and can determine when and where it is used. The argument here, she said, is that the industry is injecting so much complexity in the name of privacy that things come to a standstill.
Even without concrete corporate manifestos in place, Babel noted that consumers have more insight into privacy and how their data is used than ever before. There is much more transparency at the company level, he said, and privacy notices have become “less legal, more user friendly.”
One wrinkle is that there has been a movement to push those privacy settings on a global basis in lieu of consistently resetting those profiles. Thus far, an independent aggregator has proved elusive. Other initiatives to put standardized practices in place have been more homegrown, when some of the larger tech players in each industry band together to establish consumer choice, such as icons that accompany targeted ads, allowing consumers to opt in or out.
Babel noted that technology is complex enough that some firms may not even know how many cookies they are “dropping” on users when people visit their sites — which means that privacy can be lost “because now everyone knows that the consumer is on site X.”
Again touching on Europe as a possible signpost of how firms can adapt, a bit of a pathway to better practices might be taking shape here: in the U.K., an alert is displayed on screen, whereas in Germany, alerts are granular enough that users can opt out of types of interaction, such as targeted ads.
“Consent is complicated today” in Europe, said Babel, and is becoming less so, “but carries higher consequences” in the form of higher fines if data is not handled correctly. In the end, however, it is up to the consumer to say yea, nay or otherwise to such interactions. All of this choice can, of course, have an impact on conversion rates when someone clicks on a URL, mused Webster.
The general worries that companies, particularly those in the ad tech space, have, said Babel, focus on first-party vs. third-party data implications. Someone logging into Facebook, for example, is a first-party user — and that site is “what is called a controller, meaning you give me your data directly. And that is very different than a processor, who is a third party and who has to ask for consent,” said the executive, which can be a problem because many of those companies are relatively lesser known to users (and thus are perhaps less trusted).
“The systems that are already in place will have to go through changes in order to better meet the consumer consent requirements,” Babel said. “So there will be an extra click potential here, an ability to change a user setting there that maybe was not as prevalent before.”
But in the end, there will be a net benefit to companies, where good data “can help them have a better interaction with the consumer.”