Regulations on consumer data privacy can get complex, but one thing should remain simple: Responsible data governance means simply doing the right thing. Or at least that’s what Osano’s Arlo Gilbert believes.
Data does a lot for brands. They can use it to personalize customer experiences and refine marketing initiatives, but for many companies, the ethics of gathering, using and storing this data can get a little blurry.
I’m a dad to three children, and as a father, I spend much of my time and energy teaching my kids how to respect others and their things. Recently, I was discussing sharing with my youngest, and I realized that the behavioral best practices we teach kids apply to more than just playtime. We want our kids to do the right thing in their lives, and we should expect the same from organizations that use our data.
There are a few data privacy regulations in place that are a step toward doing the right thing, such as the EU’s GDPR. However, organizations that care about data privacy ethics will take it further and do right by their customers, even if doing so isn’t mandated by law. Ethical organizations will take care of consumers’ personal and sensitive data.
To help simplify this process, I’ve developed the ABCs of data privacy. These guidelines are uncomplicated enough that kids can understand them while still incorporating complicated messages about how to treat your customers.
A: Always ask permission before taking something
The concept of sharing is one of the first major life lessons we teach kids — from both the giving and taking sides. If you want to play with your friend’s toy, ask them first, and vice versa. Data should be treated the same way.
If you want a consumer’s data, you must first clearly tell them what it is you’re requesting. Once they understand that, you can ask their permission to use their data. Only when permission is explicitly granted should you move forward with data collection.
Failing to be transparent about what you’re using data for is wrong and costly. Twitter found this out the hard way by misleading users about what their personal information was being used for. Twitter said the email addresses and phone numbers they collected were for account security, but it also allowed advertisers to use the data for targeted marketing campaigns. The FTC fined Twitter $150 million.
Your organization can do the right thing — and avoid fines — by using layers of permissions. For example, if your site uses cookies, a banner that allows an individual to accept or decline them guarantees consumers are informed about what they are consenting to. They’ll be equipped to make educated decisions about sharing their data, and your organization can be sure it isn’t taking anything without express permission.
B: Be prepared to return something that’s not yours
Even if you asked for permission to play with your friend’s toy and they said yes, you must return it as soon as they ask. Data is no different. Your organization is just borrowing people’s data, so if an individual changes their mind about sharing, you must be prepared to give it back.
Someone can ask for their data to be returned through a data subject access request (DSAR). A DSAR allows a consumer to see which of their personal data you hold and how it’s being used. Not only can a consumer delete their information with your organization through a DSAR, but they can also modify it, see how and where it’s being shared and more. Here’s what to do if your organization receives a DSAR:
- Confirm the requester’s identity.
- Verify what they’re requesting.
- Gather the data.
- Ensure the data is clean, i.e., it only includes information about the requester.
- Send the data to the requesting party and include information about their data privacy rights.
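The five DSAR steps above, walked through end to end in code. This is an added example, not Osano code or any product's implementation: the data stores, the records in them, the one-time verification code and the `RIGHTS_NOTICE` text are all constructed for the demo. It shows the two steps that most often go wrong in practice: checking the requester's identity in constant time against a stored hash rather than a plaintext code, and the "clean" step, which redacts other people's identifiers that happen to sit inside the requester's own records (here, a support ticket that mentions a second customer's email).

```python
"""DSAR fulfilment walk-through (added example; stores, records and codes are constructed)."""
import hashlib
import hmac
import re
from typing import Any, Dict, List, Optional

# Constructed data stores. Every record is tagged with the data subject it belongs to,
# which is what makes "gather everything about this person" answerable at all.
CRM: List[Dict[str, Any]] = [
    {"subject_id": "u-100", "email": "alice@example.com", "name": "Alice Lee"},
    {"subject_id": "u-200", "email": "bob@example.com", "name": "Bob Ray"},
]
ORDERS: List[Dict[str, Any]] = [
    {"subject_id": "u-100", "order": "o-1", "total": 42.0},
    {"subject_id": "u-200", "order": "o-2", "total": 9.5},
]
SUPPORT: List[Dict[str, Any]] = [
    # Alice's ticket, but the free text also carries Bob's email: that part is not hers to receive.
    {"subject_id": "u-100", "ticket": "t-7",
     "text": "Alice asked to reship o-1; cc'd bob@example.com for the gift."},
]
STORES = {"crm": CRM, "orders": ORDERS, "support": SUPPORT}

# Constructed: the one-time code we (pretend we) emailed to the requester, kept only as a hash
# so the plaintext never rests in the database.
PENDING_CODES = {"u-100": hashlib.sha256(b"493021").hexdigest()}

# Constructed wording; a real notice would mirror the rights your jurisdiction grants.
RIGHTS_NOTICE = ("You may ask us to correct or delete this data, restrict how we use it, "
                 "or withdraw consent at any time.")

SUPPORTED_REQUESTS = {"access", "delete"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def verify_identity(email: str, code: str) -> Optional[str]:
    """Step 1: map the claimed email to a subject and compare the code in constant time."""
    subject = next((r["subject_id"] for r in CRM if r["email"].lower() == email.lower()), None)
    if subject is None or subject not in PENDING_CODES:
        return None
    presented = hashlib.sha256(code.encode()).hexdigest()
    return subject if hmac.compare_digest(presented, PENDING_CODES[subject]) else None


def gather(subject_id: str) -> Dict[str, List[Dict[str, Any]]]:
    """Step 3: pull every record tagged with this subject from every store."""
    return {name: [r for r in rows if r["subject_id"] == subject_id]
            for name, rows in STORES.items()}


def clean(records: Dict[str, List[Dict[str, Any]]], requester_email: str) -> Dict[str, List[Dict[str, Any]]]:
    """Step 4: redact other people's email addresses embedded in the requester's free-text fields."""
    def scrub(value: Any) -> Any:
        if not isinstance(value, str):
            return value
        return EMAIL_RE.sub(
            lambda m: m.group(0) if m.group(0).lower() == requester_email.lower() else "[redacted]",
            value)
    return {store: [{k: scrub(v) for k, v in r.items()} for r in rows]
            for store, rows in records.items()}


def fulfil_dsar(request: Dict[str, str]) -> Dict[str, Any]:
    """Steps 1-5 end to end: returns the package to send, or a refusal with its reason."""
    kind = request.get("type")
    if kind not in SUPPORTED_REQUESTS:          # Step 2: know what is being asked before acting
        return {"status": "rejected", "reason": f"unsupported request type {kind!r}"}
    subject = verify_identity(request.get("email", ""), request.get("code", ""))
    if subject is None:                          # never hand data to an unverified requester
        return {"status": "rejected", "reason": "identity not verified"}
    records = clean(gather(subject), request["email"])
    if kind == "delete":
        for rows in STORES.values():
            rows[:] = [r for r in rows if r["subject_id"] != subject]
        return {"status": "deleted", "subject_id": subject,
                "removed": {store: len(rows) for store, rows in records.items()},
                "rights": RIGHTS_NOTICE}
    # Step 5: the data plus a statement of the requester's rights travel together.
    return {"status": "fulfilled", "subject_id": subject, "data": records, "rights": RIGHTS_NOTICE}


if __name__ == "__main__":
    print(fulfil_dsar({"type": "access", "email": "alice@example.com", "code": "493021"}))
```

Two design choices matter here. The subject tag on every record is what turns "gather the data" into a query rather than a manual hunt; systems that cannot answer "which records are about this person" cannot honour a DSAR on time. And the redaction pass runs before anything leaves the building, so fulfilling one person's request never becomes a disclosure about someone else.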
C: Communicate candidly about where you’re storing someone’s stuff
Because the United States does not have a federal law in place regarding data privacy, a lot of data ends up in many places beyond where it was originally gathered. For example, if an organization collects your data, it may be free to share that data with third parties unless there is a law in place that restricts data collection and sharing. If there is no law, however, those third parties can then sell your data or share it further without telling you they’re doing so. The places your data lives grow exponentially, as do your chances of being affected by a data breach, and you most likely won’t have a clue.
This cluelessness is the result of a lack of transparency. Even when it’s not the law, your organization is responsible for doing the right thing and clearly communicating everywhere your consumers’ data is. If you don’t, and there is a breach, you risk damaging your customers’ trust in your organization’s ability to safeguard their data.
Organizations have a huge amount of data at their fingertips, which must be respected and treated right — just like I have taught my children to respect and take care of things they borrow from others. If you stick to these ABCs of data privacy, your organization will already be ahead of 99% of U.S. corporations.