This article originally appeared on Forbes.com.
With more companies offering up customers’ personal data for sale, governments are moving to intervene more deeply. In the U.S., for example, the Obama administration has proposed a wide-ranging bill intended to provide Americans with more control over the information that companies collect about them. In Europe, proposed data protection rules are being rewritten to reflect individual nations’ agendas.
There’s a real danger that multiple country rules might undermine the internet’s openness. They might also limit user access and create expensive duplicate infrastructures. So companies must get ahead of the threat.
Yet many companies still miss the point: In a digital age, this is all about earning their customers’ trust. The thoughtless click of the “agree” box isn’t an agreement in any meaningful sense. It may protect companies from legal harm; reputational harm is another matter. Users may not have read the agreements, but many know what acceptable behavior is.
The attitudes and preferences expressed in our recent survey of more than 900 U.S. consumers underscore the trust issue. Most survey respondents know their data is being used in one way or another and that it has become a currency. When users buy goods through online retailers from Amazon to Zappos, they also surrender their data. Sense Networks tracks people’s movements around town through their smartphone GPS breadcrumbs, in order to precisely tailor mobile advertisements.
When we asked people about their willingness to share their data and their desire for measures to protect it, we expected to see that demographic characteristics such as age, income and education would play a big role in their responses. We also expected more active or sophisticated online users to have different attitudes than laggards. But in fact, the survey showed little variation in attitudes due to demographics or online sophistication.
Instead, the trust equation takes shape along two other dimensions: the industry that people interact with and the type of data in question. Roughly 65% of people want to prevent any level of government or any financial institution from sharing their data, while only 43% feel the same way about retailers and airlines. Utilities, search engines and communications providers land in the middle. The industry differences partly reflect long-standing loyalty programs in retail and travel, but also the nature of the data that different types of companies collect and store.
Consumers prove most willing to share user-contributed social data like reviews; for that data, 44% say it’s fine to share without their explicit permission. But fewer than 20% of respondents want their purchase behavior or demographic data shared without permission, while hardly anyone wants to see family/friend networks or financial or health information shared.
Just as striking, trust cannot be bought. About 91% of respondents do not want companies selling their data, even if customers are compensated for it. People opposed to having their data used or shared—even when asked—rarely get swayed by offers of monetary compensation. Moreover, the reluctance to trade their data for monetary compensation applies to all customers, no matter how active or sophisticated they are online.
If a company wants to use or share customer data, then the best way to proceed is to ask in a clear, straightforward way. Simply asking for permission can more than double the number of consumers willing to share their data. And the strategic goal for any company engaged in collecting data should be to earn customers’ trust, which leads to stronger loyalty to the company.
World technology organizations have banded together to develop “trust frameworks.” But companies need to own this issue and develop programs that will deliver that trust, one consumer at a time. Above all, they need to communicate clearly and ask permission. In the same spirit, they can:
- Appoint a corporate ombudsman, as trusted news organizations do, to look after privacy ethics and standards. While ombudsmen are technically employees, the top papers sometimes rotate distinguished journalists with no axe to grind.
- Name a “chief data officer,” as well as a “privacy board” of credible outsiders charged with fiduciary duties toward users. The privacy board could provide an annual privacy report and should have direct insight into confidential information that it will not make public, just as boards of directors do.
- Conduct an annual “privacy audit” overseen by an independent body like certified public accountants. This would be regulated by generally accepted privacy guidelines similar to the rules established by the Financial Accounting Standards Board.
Technologists are working on individual user “lockboxes” in the growing cyber cloud. But for those without advanced computer degrees, it would be good to know we can trust companies with our data by other means. The companies would benefit, too.
Written by Rasmus Wegener and Eric Almquist, partners with Bain & Company who are based, respectively, in Atlanta and Boston.