It has been more than a month since the California Consumer Privacy Act went into effect and it is an opportune time to reflect on the role data plays in our lives, how the conversation has evolved over the past year from impending legislation to compliance and enforcement and, more importantly, how more and more companies are likely to continue to rethink how they prioritize data privacy.
Let’s take a moment to review the progress we’ve made in data privacy, deficiencies that still exist and reevaluate how we can provide data protection for consumers and businesses. Over the past year, data breaches impacting tens of millions of consumers — coupled with new revelations on how consumer data is being used — has captivated the general public, legislators and regulators in recent months, galvanizing calls for stricter consumer protections. Already this year, nine more states have introduced or implemented legislation on privacy and data governance, increasing compliance costs for many companies, large and small. At the same time, across industries, businesses now, more than ever, are prioritizing data privacy as a necessary cost to not only ensure regulatory compliance, but to build and maintain customer trust.
Why are businesses now ready to pay the privacy bill? There may no longer be a choice.
PwC’s 23rd Annual CEO survey, released in Jan. 2020, found that two-thirds of CEOs in North America believe the internet will become more fractured in the year ahead, with governments likely to apply their own legislation on content, commerce and privacy. In the U.S., the CCPA became law Jan. 1, granting nearly 40 million Californian residents the right to know how companies collect and use their data as well as delete their personal data upon request, among other safeguards. The California Department of Finance released a report that estimated initial compliance costs with the CCPA could average $2 million for firms with more than 500 employees, and PwC’s own proprietary research estimates 43% of large companies will spend more than $10 million preparing for the CCPA, and one-fifth will spend more than $100 million.
In Washington, federal lawmakers have been devising federal privacy bills as well. A sweeping new data privacy bill introduced in Oct. 2019, the Mind Your Own Business Act, would force executives and tech platforms operating in the U.S. to face tough penalties, including prison, if they fail to meet new privacy and security standards.
For its part, the European Union introduced its sweeping data protection law in 2018 with the General Data Protection Regulation, which endows consumers with ownership of their personal data and requires internet companies to provide them with the information necessary to exert their control. And regulators have stringently enforced the regulation.
But most importantly, businesses are beginning to recognize that they must reform their operations to prioritize data trust by centralizing consumer privacy, data evaluations and the risks of compromising breaches. According to a recently released PwC Digital Trust Insights survey, 60% of American businesses would sacrifice profit to strengthen their privacy protections. Companies that maximize the value of their data in a secure, ethical and compliant way will be best positioned to prevail over their competitors while preserving their long-term brand value.
The bigger driver may not be the new regulations and enforcement mechanism, but a fear of losing consumer trust. A Pew Research Center survey found that 74% of Americans say it is very important for them to control who has access to their personal information. And 61% of Americans responded that they would like to take further action to protect their data.
Other research has shown that companies that take data privacy seriously and successfully protect consumer privacy yield improved customer loyalty. For example, 71% of Americans would be less inclined to join a rewards program that collected private information and 76% of Americans said they would be more likely to sign up for a program that required only their name and phone number, according to a Harris Poll survey.
Near-term investments in data privacy
Businesses must make these near-term investments in data privacy protections pay off in the long run. How do they know how much to invest and what the return will be? Companies that adopt valuation models for their data will be able to make the most-informed cost-benefit trade-offs. Data valuation is more challenging than fixed-asset valuation, however, because data can have different values in different commercial contexts, and relatively faster rates of value deterioration.
Retaining data that is no longer generating value can create increasing exposure for businesses, especially multinationals. From Sacramento to Brussels, regulators and lawmakers have taken a more aggressive stance on protecting consumer privacy and holding organizations accountable for costly data breaches.
Ultimately, why should consumers and business people care about corporate America’s shifting perception that protecting privacy is paramount to immediate profits? As the recent Business Roundtable announcement that a business’s shareholders are no longer the “only” stakeholders demonstrates companies must fundamentally change how they do business. To prioritize data trust, corporate America must address consumer privacy, brand and reputational consequences of compromised data, and rapid technological innovation to foster an environment where consumers feel their data is truly safe and protected.
Photo by Dayne Topkin on Unsplash