Those of us who work in the Insights Industry here in the US have come back to work after our holiday break facing a new set of challenges as the California Consumer Protection Act comes into force. I suspect the most oft-heard word in conference rooms around the industry this past week was “compliance.” And while comply we must, it is nowhere near enough to repair our frayed relationship with the public whose data we rely on to do what we do.
Way back in the 1990s, Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada, advanced the concept of “privacy by design.” She argued that “the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must become an organization’s default mode of operation.” Her message should have special meaning for an industry such as ours.
As a self-regulating industry, we have a higher bar to clear than simply complying with whatever laws are relevant in the countries where we do research. We have a long history of protecting the privacy and confidentiality of survey respondents. The challenge before us now is how to adapt those practices to a dramatically changed world as we increasingly rely on data collected by others outside of our sector who may or may not observe the same privacy protections and ethical standards to which we are accustomed. Saying “it’s legal” is not enough if we are to demonstrate our commitment to legislators and re-establish lost goodwill with the public. We need to stand apart from those who treat personal data as a commodity to be bought and sold.
And as a practical matter, tailoring our processes to meet the minimum requirements of each country (or state) in which we work simply makes no sense. We can do this here but not there. Really?
Common philosophy
The sensible approach is to rally around a common data privacy philosophy and set of implementation processes that meet or exceed the requirements in most jurisdictions. This is essentially what Microsoft has done by voluntarily extending the consumer rights established by the CCPA in California to the entire US.
The insights industry should be doing the same, but on a global basis. So, for example, a privacy philosophy based on the GDPR framework might set the bar at a level that keeps us clear of the regulators in most of the countries where we work. In this, the industry professional associations and trade bodies have a key role to play. Through their codes, guidelines, and disciplinary processes they demonstrate our capacity to police ourselves. Done right, they also form the foundation for lobbying legislators to shape legislation that is friendly to the practice of research and data analytics, even arguing for exemptions, as ESOMAR and the European associations were able to do successfully in the EU’s Copyright Directive.
Now is not the time to be wringing our hands about the disruption and compliance costs of new data protection requirements. We need to treat this not as an obstacle to be overcome but as an opportunity. When you stop to think about it, our history has been to fund our businesses by extracting value from people’s personal data, something they have willingly provided at little or no cost. What a great business! But the party is over. Through privacy legislation we are being put on notice about what now is expected of us. Whether we like it or not, we need to embrace it.