Those of us who work in the Insights
Industry here in the US have come back to work after our holiday break facing a
new set of challenges as the California Consumer Protection Act comes into
force. I suspect the most oft-heard word
in conference rooms around the industry this past week was “compliance.” And
while comply we must it is nowhere near enough to repair our frayed
relationship with the public whose data we rely on to do what we do.
Way back in the 1990s, Ann
Cavoukian, then Information and Privacy Commissioner of Ontario, Canada,
advanced the concept of “privacy by design.” She argued that “the future of
privacy cannot be assured solely by compliance with legislation and regulatory
frameworks; rather, privacy assurance must become an organization’s default
mode of operation.” Her message should
have special meaning for an industry such as ours.
As a self-regulating industry we
have a higher bar to clear than simply complying with whatever laws are
relevant in the countries where we do research. We have a long history of
protecting the privacy and confidentiality of survey respondents. The challenge
before us now is how to adapt those practices to a dramatically changed world
as we increasingly rely on data collected by others outside of our sector who
may or may not observe the same privacy protections and ethical standards to
which we are accustomed. Saying “it’s legal” is not enough if we are to demonstrate
our commitment to legislators and re-establish lost good will with the public.
We need to stand apart from those who treat personal data as a commodity to be
bought and sold.
And as a practical matter, tailoring
our processes to meet the minimum requirements of each country (or state) in
which we work simply makes no sense. We can do this here but not there. Really?
Common philosophy
The sensible approach is to rally around a common data privacy philosophy and set of implementation processes that meet or exceed the requirements in most jurisdictions. This is essentially what Microsoft has done by voluntarily extending the consumer rights established by the CCPA in California to the entire US.
The insights industry should be
doing the same, but on a global basis. So, for example, a privacy philosophy
based on the GDPR framework might set
the bar at a level that keeps us clear of the regulators in most of the
countries where we work. In this, the industry professional associations and
trade bodies have a key role to play. Through their codes, guidelines, and
disciplinary processes they demonstrate our capacity to police ourselves. Done
right, they also form the foundation for lobbying legislators to shape
legislation that is friendly to the practice of research and data analytics,
even arguing for exemptions, as ESOMAR and the European associations were able
to do successfully in the EU’s Copyright Directive.
Now is not the time to be wringing
our hands about the disruption and compliance costs of new data protection
requirements. We need to treat this not as an obstacle to be overcome but as an
opportunity. When you stop to think about it, our history has been to fund our
businesses by extracting value from people’s personal data, something they have
willingly provided at little or no cost.
What a great business! But the
party is over. Through privacy legislation we are being put on notice about what
now is expected of us. Whether we like it or not, we need to embrace it.