It’s been a whirlwind few weeks since GDPR came into effect, and it seems that many people are learning about privacy rights for the first time. Plenty of them are making data subject access or deletion requests, including against the biggest players in the market. Even though there were years’ worth of stories about data mining and bloggers wrote innumerable posts about the onset of the new order, there is some genuine surprise among businesses that the public is taking the GDPR seriously, and that there may well be a movement towards greater control for data subjects more globally, and limitations on what data companies actually need to use. That’s probably why your Chief Privacy Officer was not amused when you asked if you could start doing real-time location tracking on your customers on May 24th.
We’ve already discussed the California Consumer Privacy Act and other iterations of data security around the globe, but there is another important aspect to the new privacy phenomenon – businesses that make privacy an integral part of their pitch. There are, of course, plenty of companies that will provide data security or privacy services to customers. You can group encryption software providers, secure cloud storage companies, and even (ahem) data security lawyers into this group.
Interestingly, though, there are companies pushing to make privacy a central component of what they do, even if it is tangential to their core service. Duck Duck Go (“DDG”) immediately leaps to mind. The company, a search engine in the mold of (but quite distinct from) Google, DDG has made user privacy the core of its business model. “The Search Engine That Doesn’t Track You” is their slogan, and they have links to articles on privacy, Do Not Track, and the like. Compare those overt efforts, if you will, to the now-abandoned motto at Google, “Don’t Be Evil.”
Why does DDG do this? It doesn’t directly add any value – in fact, it is a business model that directly disclaims the right to use all kinds of value-adding data partnerships. Selling data is big business, and monetizing customer/client information has yielded incredible revenues and opportunities for some businesses that do it. Why give up all of those revenue streams, just so that you can say “we don’t sell your data” to customers who, quite frankly, have already had all of their data bundled and sold by dozens of other companies?
Because DDG has recognized the value in marketing privacy itself as a service. You see, by emphasizing the privacy as a distinct good enhancing the underlying search service, DDG has created a secondary product to market to its users at no additional cost.
We’ve often said that privacy is currency, but this demonstrates an important obverse notion, which is that privacy is a separate commodity. Put another way, every individual has a certain quantum of privacy that they can choose to keep, sell, or simply give away. When you agree to provide apps all of your personal data, you’re giving it away (and yes, I consider getting extra lives in Gardenscapes to be “nothing”).
For others, maintaining the highest level of privacy and security for their data is more important, and those people are, in essence, “saving” the privacy currency that they have. Others will agree to give up data but only in exchange for real value (such as lower cost for services). We anticipate that last category is going to become far more prevalent as GDPR and CCPA make it unlawful to block access to those who opt-out from data sharing.
But there is also this notion of privacy as a commodity that you can market and sell, a unique benefit that will appeal to customers. It’s a movement gaining traction everywhere you look. It presents an enormous opportunity for businesses to differentiate themselves as outside the “mainstream” of data selling and data partnerships, and can, if done properly, yield even more financial benefits than the data that they no longer sell, a particularly lucrative position for those companies who need to be careful about their data practices under GDPR anyway. And, of course, nothing stops these companies from analyzing the data internally – it’s typically just the transfer that bothers consumers (and regulators).
This is why you need to consider how privacy as service or privacy as commodity can work for your business. Analyze your GDPR or privacy law compliance regime to identify areas where minimization can provide savings (or at least minimize exposure to liability) and determine whether you can announce your changes to customers in a savvy way – “We hear your concerns about data sharing, and that’s why we are no longer doing X, and from now on will only do Y.” The customer doesn’t necessarily know, or even care, that you’re doing so because Articles 32 and 44 require it, but they do see, and do care, that that you’re making moves in the “right” direction.
None of this is perfect, and the notion that we will be commoditizing privacy has some deeply troubling aspects (not the least of which is that it effectively makes privacy impossible for those without means to afford it). But Duck Duck Go clearly has clearly made the business decision that it is better to lose out on data sharing revenue in an effort to secure users who want to “spend” less on privacy: they now field more than 20 million searches a day.
Those privacy-minded consumers are a real, and growing market segment. How are you going to appeal to them?