The debate over personal information and privacy is at a turning point.
Information once thought private and protected is now out in the open for all to see – social security numbers, credit card numbers, the street you lived on when you were 12, your eating habits, shopping habits, business and personal correspondence… Between the multitude of data breaches and the sheer volume of data generated and collected on each of us every day, the internet now knows more about you than you do.
So is privacy dead? Does anyone still care? Or have consumers become numb to the barrage of headlines about data breaches or data mining of which they were unaware?
According to a recent survey by Deloitte, people do care about their information falling into the wrong hands and 81 percent “feel they have lost control over the way their personal data are collected and used.” These concerns are not new but tend to rise and fall based on events.
What’s changed today and what should be seen as a turning point, however, are the sweeping privacy rules in the European Union’s (EU) Global Data Protection Regulation (GDPR) and the newly enacted data privacy bill in California. Both measures expand the definition of private information, give consumers new rights over how their data is collected and used, and will have broad-ranging influence over how companies operate and communicate with customers.
GDPR, which went into effect at the end of May, has forced companies handling any EU citizen’s data to be more transparent about how they use the data and provide clearer disclosure statements. Most notably, GDPR also provides consumers the ability to request that their information be deleted – often referred to as the “right-to-be-forgotten”.
The California law is similar to GDPR but grants consumers further ability to opt out of data sharing rather than being forced to opt in in order to continue to use online sites or services. It also protects consumers from companies charging them a premium if they choose not to share their data, and gives consumers the right to know the commercial purpose for which their data is collected and the categories of data sources.
As firms analyze these new requirements, there are a number of questions, potential conflicts and operational challenges that will likely arise. For instance, how will financial firms be required to implement customers’ ability to request the deletion of their information and how will this affect Know Your Customer and Anti-Money Laundering obligations, or the ability to track bad actors in cyberspace through the international IP address registry (a.k.a., WHOIS database)?
If the history of data breach laws serves as an example, other states will soon implement their own privacy measures, leaving firms with a hodgepodge of customer privacy protections and disclosure requirements to meet across the country. For internationally active banks, the problem is multiplied across countries, and complicated by growing requirements for on-shoring of data. Balkanization of data would represent a serious loss of efficiency for national and international firms. Thus, multiple industries, including financial services, are coming together to try to shape these conversations and bring some uniformity, ideally in the form of a national standard that avoids conflict and overlap across jurisdictions.
Regardless of what occurs at a national level in the U.S., firms should rethink how they use customer data with an eye toward empowering the customer through greater control, transparency and choice.
Financial firms are at an advantage when it comes to security and privacy. As an industry that values customer trust, firms have long prioritized protecting customer data and have invested significantly in the technology and organizational processes necessary to secure information and protect it against unauthorized disclosure. Among the critical infrastructure sectors, financial services is the most highly regarded for its cybersecurity risk management practices and has long served as an example for others. Critical aspects of protecting private information such as data governance, segmentation, encryption, access controls and retention policies are all familiar territory for financial firms.
Now is the time to leverage this expertise to reimagine customer experiences through a privacy lens.
The firms leading the way are prioritizing customer trust and innovation by providing clearer and simpler disclosure statements and offering new options for how customers engage with them. Soon it may be commonplace for customers to be able to choose what types of data the industry collects and to swipe left or right to grant access or turn it off when using a financial services app.
If customers can more easily control their data and understand the benefits of its use, they are more likely to provide it. While the thought of being tracked through your mobile device may be somewhat uncomfortable, if you knew that it was only used to confirm that it’s you trying to use your credit card for a large purchase on vacation rather than a fraudster, would you feel better about it? Or that allowing your bank to collect and match your fingerprint, behavioral patterns and location improves the security of your account and speeds up the sign-in process?
Customer demands and market trends have moved toward providing greater personalization, and tailored and seamless experiences. FinTech start-ups and incumbent financial firms are all relying on customer data in the race to do everything from improving product and service offerings to finding new ways to expand access to credit. All of this could be curtailed if firms fail to articulate why they are good stewards of customer data and how they use the data for good.
Over the last several years, BITS, the technology policy division of BPI, has been exploring the opportunities and challenges brought by using new types of data. Some of these conversations have raised thorny issues around consumer sentiment and the data practices of other industries. We are continuing this work with a particular focus on data privacy. The landscape is shifting quickly but the path forward is clear – greater transparency, clarity and control for customers will win the day.
Disclaimer: The views expressed in this post are those of the author(s) and do not necessarily reflect the position of BITS, The Bank Policy Institute, or their memberships, and are not intended to be, and should not be construed as, legal advice of any kind.