Very often, we hear clients or businesses express the idea that “we want to give our customers control over the privacy of their data, and that sounds good, but making it a reality is much more complicated.” That’s a fair assessment — operationalizing privacy is something that companies in the U.S. have a difficult time incorporating into how they conduct business, even when they really want to. The fact is, we’ve never met anyone who said “I don’t want my customers to have control over their data, I get to decide.”
Fine, with notable exceptions, that’s not a view companies espouse, certainly not in public. It’s easy to understand why a small business owner, for instance, would want her customers to have control over their data: she’s someone else’s customer, and she wants that kind of control herself. It’s an interesting phenomenon, in that we’re all data subjects, we all want to have our privacy respected, and we all want to exercise control over our digital identity.
John Rawls wrote about what he called the “original position,” a thought experiment about ethical decision-making and just laws. Imagine that you are creating a society, but you have absolutely no idea what your place in that society will be. You don’t know your class, sex, gender, race, or education, and neither does anyone else (Rawls called this the “veil of ignorance”). When you and everyone else decide on laws from this position, Rawls suggested, you’d come up with the most fair, the most just, and the most equitable society you could, because to do otherwise would put you at risk of being disadvantaged. (E.g., you wouldn’t give 10% of the population all the food because, nice as it would be to be in the 10%, it’s unlikely that you’ll wind up in that group.) Thus, in Rawls’s view, if you work backwards from any given actual law to see whether it would arise in the original position, you’d know whether it were just or unjust.
There are lots of problems with the thought experiment, but it raises an important point for us, as data subjects. If, as we said, everyone wants privacy and autonomy, then maybe we have a rare opportunity to agree on principles from a sort of “data original position.” In other words, because everyone from your neighbor to Tim Cook (more or less) wants privacy, and everyone (more or less) wants autonomy and control, then everyone (more or less) should agree that control over privacy rights isn’t negotiable, but rather the starting point in every relationship, personal or commercial.
Too much, eh? Okay, so we’re not ready for a massive cultural shift in the way we talk, think, and act about privacy. But what about the idea we started with, that businesses want (and need) to give their customers control over their data? How do we reconcile that idea with some of the more theoretical points that, in all honesty, really do matter when we talk about privacy?
That, of course, is not consent. So let’s assume we’re talking about real consent, an actual choice for consumers, a way to give them a clear, concise, and helpful explanation of what their options are, and how they can control their data.
There’s no perfect way to do this, but here is what we devised as a rubric for offering choice to consumers for businesses that 1) use customer accounts, 2) want to track customer activity and preferences, and 3) want to be able to develop derivative data products based on those customer activities. We call it the Privacy Quadrant.
We’ve set out our thoughts here so you can review them (and we’ve made a copy of the full white paper available for download as well). We understand that it may take time to unpack, but better to give everyone a chance to mull over what the Privacy Quadrant means, and how it could require further thought. Are you ready? Here it is.
Allow your customers to decide how they want their data used.
Alright, that was glib, even for us. What do we actually mean? You provide your users with options at the outset of their engagement, broken into questions that feed into a very simple decisional tree.
1. Do you want to create an account? (Y/N)
2. Do you want to share your data? (Y/N)
These two questions allow for a division of your customer base into four groups, a self-selecting segmentation that both gives the customer what they want and gives you clean, clear, unambiguous knowledge as to how they feel about data sharing. Think back to middle school algebra to the Cartesian plane with its four quadrants, then take a look at our extremely professional graphic below, and you’ll see what we mean.
Lower Left Quadrant (Quadrant 1) – No account creation, no tracking permitted (The “Ghost”)
In this sector, the user opts against registering for an account and against being tracked. We have placed this in the first quadrant because this must be the default setting for every user who visits a website or downloads an app. If the app is not usable without the creation of an account or tracking of some kind, then the most minimal amount of data collection possible must be the starting place.
In this way, XYZ Co. avoids the paradox of relying on the terms and conditions of its website to infer consent from a user who came to the website without reading the terms and conditions. Inferring consent this way is itself becoming a violation of privacy law, as the supervisory authorities in the UK and France (the ICO and CNIL) have explained. In addition, it allows the user to decide, at the beginning of their experience, the degree to which they want to share data.
While this may invite criticism that a user may wish to share very little data (or none at all), there are two important responses: 1) the user is in control of their data anyway, and doesn’t owe it to XYZ to share, and 2) given that the user has just downloaded the app or visited the website, they are highly likely to already be engaged and positive about XYZ’s product or services, which means they’re more likely to want to share. The irony of the traditional approach to data collection is that it exploits user trust at the very moment when they have the most trust to share. By reversing that approach and offering the user control at the early stage, XYZ is able to make privacy and respect for personal data a feature of the product itself, rather than an afterthought.
Upper Left Quadrant (Quadrant 2) – Account creation, no tracking permitted (The “Beta Tester”)
This quadrant represents those individuals who opt for the benefits of an account with XYZ Co. but who do not want the relationship to go further. In essence, this is a purely transactional relationship, likely governed by GDPR art. 6(1)(b) (processing necessary to perform a contract with the data subject). The user provides all the data necessary to receive the benefits of their account (including, in most cases, contact and payment information). XYZ has the right to engage with the user to provide any information about their account, services, or goods. And, contrary to much of the hype from would-be GDPR “experts,” XYZ will be able to market directly to customers who sign up for an account, because direct marketing to existing customers is one of XYZ’s “legitimate interests” under art. 6(1)(f). As long as the customer has the right to opt out, there is no problem with direct marketing. (See GDPR art. 6(1)(f) and recital 47: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”) One practical caveat: where the marketing goes out by email or SMS, the ePrivacy rules (Directive 2002/58/EC art. 13, PECR in the UK) apply alongside GDPR, and the “soft opt-in” for existing customers requires that the contact details were obtained in the course of a sale, that the marketing is for similar goods or services, and that an opt-out is offered both at collection and in every message.
Lower Right Quadrant (Quadrant 3) – No account creation, tracking permitted (The “Meh”)
This quadrant is most useful when XYZ Co. has an app, although it also allows for tracking on a site while a user visits, as with the traditional approach to session cookies. But in the standard case, this is a framework for app users who wish to obtain the benefits of XYZ tracking their activity without becoming a formalized accountholder.
We call this “Meh” mode, in that XYZ will know that a user is engaged in activity and receiving the benefits of tracking, but does not have the full identification of the user that an account provides. In other words, “Meh” users don’t really care about brand participation or engagement with products — at least not yet. But they also aren’t particularly worried about the balance between privacy and utility in apps and services. Their experiences are going to be very different from those in the other three quadrants, and marketing to these individuals while respecting their privacy requires finesse. One important caveat to Meh mode is that XYZ bears a heavy responsibility to avoid identifying users, either intentionally or inadvertently. In a sense, this quadrant represents the concept of “pseudonymous data” operationalized into a customer relationship. Pseudonymous data is data that can no longer be attributed to a specific person without additional information that is kept separately (GDPR art. 4(5)); it could still be used to identify the user, so it remains personal data.
Pseudonymous data is not anonymous data. The distinction between the two is one of the great misconceptions of privacy under European law, in that many companies have mistakenly concluded that if they hash a user’s name or hide their email address they have successfully created an anonymous account, no longer subject to GDPR. That is incorrect. Anonymized data can never be traced back to an individual; pseudonymized data can, but only with effort. An unkeyed hash of an email address is a good illustration: the hash is deterministic, so anyone holding a list of candidate addresses can recompute it and link the record straight back to the person. As an example of true anonymization, if individual data is placed into a database to form a non-discrete component of a national average and then the individual data is deleted, leaving only the national average, the average is anonymized data, because the underlying personal data can never be traced back to the individuals. Merely stripping out usernames or email addresses is not sufficient.
Quadrant three, then, allows XYZ Co. to collect information about its users to create insights, understand trends, and develop products. If it aggregates that data and deletes the source material, the information it has created is likely anonymous, and therefore not subject to GDPR, provided the aggregates cover groups large enough that no individual can be singled out (an “average” over one or two people is still those people’s data). If XYZ opts to keep the individual datasets to create a profile of Customer 123, for instance, but does not tie the profile to the customer’s name, address, or any other direct identifiers, the dataset could be considered pseudonymous. That does not take it outside GDPR, but pseudonymization is recognized as a risk-reducing safeguard (arts. 25 and 32), so the profile carries less risk, and less exposure, than a fully identified user profile.
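The hashing misconception and the aggregation point above are easy to see in code. The following is an added example, not code from the white paper or from any XYZ Co. system; the email addresses and spend figures are constructed for the illustration. It goes a step beyond the text in two places, as a practitioner would: it shows the keyed (HMAC) variant, where the secret key is the “additional information kept separately” that makes the pseudonym resistant to recomputation, and it applies an assumed minimum group size (3 here, an illustration rather than a legal threshold) before releasing an aggregate.

```python
import hashlib
import hmac
import secrets
from statistics import mean
from typing import Dict, Iterable, List, Optional

# Constructed sample records of the kind XYZ Co. might hold for "Meh" users.
# Names, addresses and amounts are made up for this example.
RECORDS = [
    {"email": "alice@example.com", "country": "FR", "spend": 120.0},
    {"email": "bob@example.com",   "country": "FR", "spend": 80.0},
    {"email": "carol@example.com", "country": "FR", "spend": 100.0},
    {"email": "dave@example.com",  "country": "LU", "spend": 300.0},
]


def naive_pseudonym(email: str) -> str:
    """The mistaken 'anonymization': an unkeyed SHA-256 of the email.

    Deterministic and keyless, so anyone who can enumerate candidate
    addresses can recompute it and link the hash back to a person.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def reidentify(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against the naive pseudonym: recompute the hash
    over a candidate list (a marketing list, a breach dump, or a simple
    name@domain generator) and return the matching address, if any."""
    for email in candidates:
        if naive_pseudonym(email) == pseudonym:
            return email
    return None


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored apart from the dataset.

    The key is the 'additional information' of GDPR art. 4(5): without it
    a candidate address cannot be turned into the pseudonym, so the
    dictionary attack above no longer works. The data is still personal
    data; the holder of the key can reverse the mapping.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def keyed_reidentify(pseudonym: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """Same dictionary attack, but it succeeds only if the attacker also holds the key."""
    for email in candidates:
        if hmac.compare_digest(keyed_pseudonym(email, key), pseudonym):
            return email
    return None


def aggregate_spend(records: List[dict], min_group_size: int = 3) -> Dict[str, dict]:
    """Release per-country averages and discard the rows behind them.

    Groups smaller than min_group_size (an assumed threshold) are
    suppressed: an average over one person is that person's spend,
    not an anonymous statistic.
    """
    groups: Dict[str, List[float]] = {}
    for r in records:
        groups.setdefault(r["country"], []).append(r["spend"])
    return {
        country: {"n": len(vals), "avg_spend": round(mean(vals), 2)}
        for country, vals in groups.items()
        if len(vals) >= min_group_size
    }


if __name__ == "__main__":
    candidates = [r["email"] for r in RECORDS]
    h = naive_pseudonym("Alice@example.com")
    print("naive hash re-identified as:", reidentify(h, candidates))

    key = secrets.token_bytes(32)          # kept separately from the dataset
    p = keyed_pseudonym("alice@example.com", key)
    print("keyed, attacker without key:", keyed_reidentify(p, candidates, secrets.token_bytes(32)))
    print("keyed, holder of key:", keyed_reidentify(p, candidates, key))

    print("releasable aggregates:", aggregate_spend(RECORDS))
```

The first call recovers “alice@example.com” from the bare hash with four guesses; the keyed pseudonym resists the same attack unless the attacker also has the key. The aggregate for FR (three people) is released, while LU, with a single record, is suppressed, because releasing it would simply republish Dave’s spend.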
Quadrant three is a compromise position for users and companies. The user is able to receive benefits that accompany tracking (personalization, metrics, etc) and XYZ can generate valuable insights about customers and trends, all while leaving actual customer identity (and, therefore, distinct profiling and direct marketing) off the table. We think of it as a kind of “privacy escrow” – both sides can exchange data and goods without interacting in the traditional, account-based way. The burden, of course, does remain on XYZ not to succumb to tracing pseudonymous profiles back to an identifiable individual, but the risks of regulatory enforcement (if not the importance of customer trust) should be a sufficient deterrent.
Upper Right Quadrant (Quadrant 4) – Account creation, tracking permitted (The “Champion”)
This is the ideal customer for XYZ – engaged, participatory, and willing to share. We call them the “Champion” client, because they are typically brand loyal, with strong affinity to the product or service. By creating an account and sharing data/allowing tracking, the user commits to providing XYZ with an extremely valuable asset: user data about motivated customers provided after an informed, purely voluntary decision. These datasets are valuable not only because they carry the fewest regulatory strings (consent must still meet the conditions of GDPR art. 7, including the ever-present right to withdraw it, and the other GDPR obligations such as purpose limitation and security still apply), but also because the data show how the company’s very best and most engaged customers behave.
In fact, one of the built-in benefits of the Privacy Quadrant is that it is a self-selecting audience segmentation tool. When a user opts to join a particular quadrant, they demonstrate their level of engagement with XYZ at any given point. If Customer 123 moves from Quadrant 3 to Quadrant 1, it’s perhaps a sign that something is amiss, and even though XYZ Co. cannot talk to Customer 123 about it (because, recall, they do not wish to be tracked), the simple fact of the shift itself is telling. And, if a user switches from Quadrant 2 to Quadrant 4, it’s a sign that engagement techniques are working well, and that, perhaps, the customer would be willing to give a more detailed insight into what compelled their move. Regardless of the reasons, the Privacy Quadrant not only empowers customers to control their data and privacy, it allows XYZ Co. to understand customer views on privacy as they change in real time.
Why does this matter? A few reasons. First, because it’s the law, and we tend to have some strong views about following laws. Second, and more importantly, it’s focused on what customers want and deserve: the right to make informed choices and the right to manage data, not as a property interest, but as an extension of who they are. The days of constant surveillance and endless cookie-ing are over, or at least they will be soon. When you want to know who your customers are, what they want, and what they value, how will you find the answer in a way that respects their privacy and their right to make choices? We think the Privacy Quadrant is, if not an answer, then a very important first step. We hope you’ll take it with us.