4: Customer Privacy

Customer privacy refers to the protection of the personal information of customers by companies, organisations, and third-party data agencies while collecting, managing and using various data from transactions. This can include information such as names, addresses, phone numbers, email addresses, financial information, and browsing history.

Imagine you’re at Nike’s website, checking out those newly launched Jordans but decide to skip the purchase as It’s falling out of your budget. A couple of minutes later, that product is following every app you go to. Weird, right? Or how about this: your Insta or Facebook feed starts buzzing with a similar type of shoe. Annoying, to say the least! These scenarios, a couple of decades ago, may seem like something out of a sci-fi movie, but this is today’s harsh reality.

When companies collect and use your personal data without your knowledge or consent, it can feel like you're being watched or tracked. While it's true that personal data can be used to provide targeted advertising and personalized recommendations, it's important that this is done in a way that respects customers' privacy and gives them control over their own data.

Customer Privacy is more than just a buzzword - as more and more of our personal information is being collected, stored, and shared by companies. From our shopping habits and financial records to our social media posts and search history, there is a vast amount of data being generated by each and every one of us. With concern for the protection of personal privacy growing day by day, the need for privacy laws has become imminent. Several privacy regulations emerged over the years with the most popular one being GDPR(General Data Protection Regulation) in the EU law.

Whatsapp had to rewrite its Europe Privacy Policy after it was issued a mammoth $270 million in fines by the GDPR in September of 2021. Similar regulations have been implemented across the world. Some examples include: CCPA for California State in the US, Data Protection Act 2018 in UK & India’s very own Digital Personal Data Protection Bill introduced in late 2022.

Given the rate at which users produce data on a daily basis, companies need to be vigilant on the practices they implement within their organisation to ensure data security, build trust and establish long-term relationships with their customers.

Industry Best Practices

Here are some best practices that an organisation can implement to protect their customers’ privacy:

1. Collect only essential information :

Potential breaches of customer data can be minimized by collecting only the information which is necessary for your business to meet certain goals. Conducting regular data audits can help you identify essential data that needs to be stored securely and unnecessary data that can be discarded to avoid Data Hoarding.

2. Encrypt data and implement password protections :

Use secure methods for collecting, storing and sharing data. This involves sufficiently securing company databases, networks, and websites and the use of encryption standards relevant to your business needs while storing or transmitting any sensitive data.
Organizations should also employ firewalls that keep unauthorized users out. To secure private emails and data, password protection tools like multifactor authentication and password managers should be used.

3. Limit access:

The vulnerability of internal breaches can be reduced by limiting the number of individuals with access to the data. There are several ways to restrict access such as setting up password protection for various levels of authority (so that only authorized users can access specific files) and setting up two-factor or multi-factor authentication to reduce the risk of password compromise.

4. Comply with data protection laws :

Stay updated about the laws that apply to the regions you operate in (For eg: GDPR in the EU, DPDP in India, etc) and be compliant with those regulations while collecting and storing customer information. This can be done by assigning dedicated personnel to keep a track of changes in regulations or by using a system that is compliant with those standards.

5. Transparent Data Usage and Privacy Policy :

Provide clear communication to the customers about what personal data you are collecting and for what purpose. Keep your privacy policy easy to understand and be transparent about any third parties with whom you share personal data.

6. Investigate the security of third party service providers:

Businesses must manage risks posed by third parties which can be done by employing security teams for enforcing cyber security policies for internal as well as for third-party vendors used by an organization. Security teams should set security standards in service-level agreements to ensure everyone including employees, leadership teams and service providers adhere to the protocols.

7. Update all softwares:

Outdated programs are easier to infiltrate, so regularly updating a system strengthens its defenses against malware and viruses. Updated software generally includes bug fixes and improvements that prevent your computer from being as vulnerable to security breaches as it may remain otherwise.

8. Secure Non-digital data:

Businesses must securely handle customer data that is stored on paper or in any other physical form. For instance, documents containing private consumer information cannot be simply thrown away. To ensure that customer information does not end up in the wrong hands, businesses must shred documents or adopt other measures.

9. Establish a strong security infrastructure :

• Antivirus software can perform routine scans to keep all workstations and servers healthy.
• Antispyware and anti-adware programs can defend computer systems from harmful malware and safeguard customers’ sensitive personal information.
• Pop-up blockers can guard against pop-ups which can endanger the stability of the system.
• Firewalls serve as an additional layer of security and operate as a layer of protection for your data against cybercriminals.

Additionally, organizations can also invest in Vulnerability Scanners, Endpoint Detection and Response tools. You can set aside a budget for these tools as they will assist in defending your company against data breaches.

10. Educate your employees on cybersecurity best practices:

Cybersecurity Education is crucial to eliminate the risk of human errors. Businesses need to make sure that their employees are informed about the latest cyber threats so they do not unintentionally disclose customer information. Explain the significance of Multifactor authentication and the drawbacks of using public Wi-Fi networks for work. Education on best practices will help your employees to be better equipped against threats like phishing scams, baiting attacks, malware attacks, ransomware attacks and other such social engineering scams.

Case Study

• A Case of the Data Breach Scandal - Facebook and Cambridge Analytica

The story of Cambridge Analytica (CA), a London-based data analytics and political consulting firm’s data collection practices was brought to light by a former CA employee - Christopher Wyle who revealed that CA acquired the private Facebook data of tens of millions of users without their permission and misused it for political advertising.

The information was collected through an app named “This Is Your Digital Life” developed by data scientist Aleksandr Kogan & his company Global Science Research in partnership with CA. Users were asked questions regarding personality traits to identify behavioral patterns of users and build psychological profiles which would be to identify the most effective ways of advertising for influencing them.

Moreover, Facebook allowed them to harvest the personally identifiable information of not only the users who agreed to take the quiz but also the data of the user’s Facebook friends. This means that people who had not even directly given their permission for their data to be used were also affected by this malpractice.

In only a few months, two lakh twenty thousand people had taken part in the survey. Data from up to 87 million Facebook user profiles was harvested and used by Kogan to create a psychometric model by combining the survey results with the user’s Facebook data. The data was then combined with voter records and shared with CA by Kogan. The data was detailed enough to create a profile that implied which type of advertisement would be most effective in influencing the users.

CA used findings from the psychometric model to aid their client - the company that was handling Donald Trump’s election campaign, by using Psychographic Microtargetting Advertisements to deceive and manipulate people to change their political views and votes.

Implications:

• While CA was blamed for having harvested the data of millions of people for political and financial gain without their consent, Facebook had to face immense heat in many countries.
• In March 2018, the revelation of the data breach scandal led to a massive public outcry that resulted in more than $100 billion being deducted from Facebook’s retail funding in a matter of days and the #DeleteFacebook movement trending on Twitter.
• On March 26, 2018, a little after a week after the story was initially published, the Facebook stock fell by about 24%, equivalent to $134 billion.
• Despite its best efforts and constant belief that its employees acted ethically and lawfully, CA’s clients and suppliers had been driven away implicitly as a result of the media coverage and public outrage.
• As a result, in May 2018, CA inevitably filed for bankruptcy.
• Following the scandal, Mark Zuckerberg was required to testify in front of the US Congress. Facebook was subsequently fined $5 billion by the Federal Trade Commission in 2019 for data privacy violations.
• In December 2022, Meta Platforms agreed to pay $725 million to settle a private class-action lawsuit related to improper user data sharing with Cambridge Analytica and other third-party companies.

Conclusion
The user of a platform should be made aware of the kinds of personal data and apps to which permissions should be allowed, regardless of how many changes or updates are made to that specific application.
Additionally performing checks is essential to keep user data secure. For Example analyzing account activity, denying access to unlawful programs, and regularly checking account settings. Governments should establish a regulatory framework that severely limits the activities of companies like CA and prevents the unrestricted global use of user data on social media.

Even though Facebook offered apologies and more stringent measures to ensure data privacy, there is certainly a permanent dent in public perception and erosion of trust regarding the company among users, investors, and lawmakers. The CA- Facebook case is a prime example of why businesses should follow data protection regulations and not indulge in any practices that can land users’ data in the wrong hands leading to a breach of privacy or trust.