Early in 2012 my 12-year-old son ran down to my office after getting home from school and said, “Hey, Mommy, did you know that Walmart can tell when you’re pregnant? And so can Target! Even before anyone else knows! They got a girl in trouble when they sent her dad coupons for baby stuff and congratulated her!”
I replied, “That’s pretty incredible, isn’t it?” My son said, “Gee, that’s really creepy. I think you should look into that for your privacy business!”
As companies can now discover things like that about people more than ever before by analyzing what is called “Big Data,” I’m glad my son recognized it as a privacy concern. But how many organizations are actually examining the privacy implications of how they use, or plan to use, Big Data?
As Uncle Ben said to Peter Parker in Spider-Man: “With great power comes great responsibility.”
Complex data analysis capabilities not only make it easier for businesses to customize their services for customers; all that data and customization can also reveal a great deal of personal information about those customers, their lives and activities, and those of their friends and families. Powerful algorithms can take otherwise “de-identified” data that, on its own, cannot be attributed to specific individuals, quickly correlate many pieces of the data puzzle, and determine, sometimes with amazing clarity, the actions, likes, history, and even medical conditions of specific individuals. The more data that exists, the more likely such correlations become.
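To make this correlation risk concrete, here is a minimal sketch, using entirely hypothetical records, of a so-called linkage attack: joining a “de-identified” dataset with a publicly available one on shared quasi-identifiers (ZIP code, birth year, gender) can re-attach names to sensitive records.

```python
# Hypothetical "de-identified" medical records: names removed, but
# quasi-identifiers (ZIP, birth year, gender) kept for analytics.
deidentified = [
    {"zip": "50010", "birth_year": 1968, "gender": "F", "condition": "diabetes"},
    {"zip": "50011", "birth_year": 1975, "gender": "M", "condition": "asthma"},
]

# Hypothetical publicly available data (think: a voter roll) that
# happens to carry the same quasi-identifiers, plus names.
public = [
    {"name": "Jane Doe", "zip": "50010", "birth_year": 1968, "gender": "F"},
    {"name": "John Roe", "zip": "50011", "birth_year": 1975, "gender": "M"},
]

def reidentify(deidentified, public):
    """Match records on quasi-identifiers; return a name -> condition map."""
    matches = {}
    for record in deidentified:
        for person in public:
            if all(record[k] == person[k] for k in ("zip", "birth_year", "gender")):
                matches[person["name"]] = record["condition"]
    return matches

print(reidentify(deidentified, public))
# {'Jane Doe': 'diabetes', 'John Roe': 'asthma'}
```

No single dataset here identifies anyone; it is the join across datasets that does the damage, which is exactly why combining “de-identified” data with outside sources deserves scrutiny.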
Businesses need to carefully consider the potential privacy issues involved with using analytics and Big Data.
“There are no laws against using Big Data, so there are no privacy issues!” I am hearing this argument from company and consulting lawyers more and more often: if there is no law against a particular use of data, it must be OK and raise no privacy issues. Right? No, not right.

Technology and its uses always evolve, and are actively used (and sometimes abused), long before any laws or regulations can be hammered out and agreed upon, especially by an increasingly divided group of lawmakers. Laws and regulations are also overwhelmingly reactive; typically, they are not created until a significant number of bad events have already happened. Until then, businesses of all sizes need to become good data and privacy stewards and make thoughtful decisions about how they use data, keeping in mind that their actions may reveal not only information that is valuable for business, but also explicit information about individuals in unintended ways.
Here are some questions organizations should ask before using Big Data and deciding on a Big Data analytics agreement and/or tool:
- Is the analytics company bringing in additional data from elsewhere to combine with your company’s data? A growing number of organizations share de-identified data for internal use only, with the requirement that it not be passed on to others; the data your vendor brings in may be subject to exactly those restrictions.
- What does the company really mean when it says it has de-identified the data? This is a very fuzzy, subjective term. Is such de-identification really removing the ability to point to specific individuals? This may be the case with just your company’s de-identified data, but if it is combined with other data sets, it could actually become “re-identified” data capable of pointing to specific individuals.
- If you are using “publicly available” data, how does the data analytics vendor collect the data it uses? Is it glomming on to every type of data possible, even data from online sites that was left unsecured but really should have been secured? For example, one marketing vendor told me that if it finds unsecured personal data on financial or retail sites, it grabs it, reasoning that if the data were off limits, it would have been secured. Just because data is not appropriately secured does not mean it is available for anyone to take. You need to determine the type of online ethics the company has (or lacks).
- Are you planning to contact customers, as a result of your Big Data analysis, in ways they may consider creepy at best or mind-blowingly privacy-invasive at worst? (Refer back to the baby coupon example above.)
- Are you making business decisions based on Big Data results, or on assumptions drawn from them, that may be incorrect? For example, do you deny someone insurance coverage because of such results? Make hiring decisions? Send communications based on assumptions about physical or medical conditions? Target individuals as potential terrorists or criminals?
- Have you discussed your plans with your information security, privacy, and compliance officers? This is very important; you should never make business decisions involving data that reveals information about individuals, their activities, likes and dislikes, medical conditions, and so on, without talking to these folks. Even if the data is labeled de-identified, make sure that term fits your organization’s definition.
- Do you have company policies covering the use of Big Data? If not, now is the time to create some, in collaboration with your information security, privacy, and compliance areas.
Big Data will continue to be used more widely and for more reasons. All organizations need to consider the privacy impacts of such use before they cross the line from reasonable practice into violating individuals’ privacy.
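One way to make the “does de-identified really mean de-identified?” question from the list above testable is a k-anonymity check: a dataset is k-anonymous if every combination of quasi-identifier values is shared by at least k records, so no individual stands out. This is a minimal sketch with hypothetical records and a hypothetical k ≥ 2 policy, not a complete de-identification audit.

```python
from collections import Counter

def k_anonymity(records, quasi_identifiers):
    """Return the smallest group size across all quasi-identifier combinations."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())

# Hypothetical records with generalized quasi-identifiers
# (masked ZIP codes, age bands instead of birth dates).
records = [
    {"zip": "500**", "age_band": "40-49", "condition": "diabetes"},
    {"zip": "500**", "age_band": "40-49", "condition": "asthma"},
    {"zip": "501**", "age_band": "30-39", "condition": "flu"},
]

# The third record's quasi-identifier combination is unique (k = 1),
# so this dataset would fail a policy requiring k >= 2.
print(k_anonymity(records, ("zip", "age_band")))  # 1
```

A check like this gives privacy and compliance officers a concrete threshold to hold a vendor’s “de-identified” claim against, rather than relying on the label alone.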
As I have discussed here and in my recent Cutter Executive Update, “Big Data: Part I — New Privacy Concerns,” Big Data and its associated analytics can be used to improve business and customer experiences and to bring about innovation and medical breakthroughs. However, organizations must make sure they do not cross the line from customization and business improvement into creepiness or, worse, privacy invasion.