Managing Director & Senior Partner
This is the second in a series of articles exploring what really matters for organizations that collect and use consumer data.
Companies’ data stewardship practices and consumers’ expectations are fundamentally at odds. Most companies approach privacy and data usage from a narrow legal or regulatory perspective. They ask whether their data collection and management practices are consistent with laws and regulations and meet disclosure requirements. Unfortunately for most companies, consumers take a wider and much less legalistic approach to these issues. They want to be informed about how companies gather and safeguard data about them, and they want to understand the different ways in which companies use personal data. Additionally, they want that information delivered in clear language.
The lack of alignment between companies and consumers about data privacy has real consequences. When consumers perceive data misuse—when they are unpleasantly surprised by the collection or new use of personal data—they either reduce their spending drastically or boycott a company’s products and services altogether. (See “Bridging the Trust Gap: The Hidden Landmine in Big Data,” BCG article, June 2016.)
In this article—the second in the series—we highlight the results of a recent global survey of the data stewardship practices of 140 companies in eight industries. Our survey data suggests that most companies are being recklessly conservative: they are failing to pursue new uses of data that consumers are actually open to. When they do pursue a new use, they typically don’t feel the need to inform and educate their customers or to ask for permission—something most consumers clearly want. With each mistake, companies are slowly but surely setting themselves up to fail with big data.
The requirements of data stewardship can be grouped into four major areas. Good performance in each will prove critical to capturing the value that lies in acceptable new uses of data and to avoiding the real economic harm of data misuse. However, while many companies are executing well in one or two areas, few—if any—are doing so in all of them.
Internal Policies and Procedures. Companies often do a great deal to document how they handle data, through public privacy policies and internal procedures governing data collection, management, and usage. We see a large gap, however, in the involvement of senior executives up front in creating and enforcing data privacy policies and procedures. That’s a problem given the major business implications of the adverse reactions that customers might have to these decisions later on.
First, the good news: 76% of the companies we surveyed have privacy policies that explain how they collect, manage, and use consumer data; 54% have a separate and distinct set of internal guiding principles for how to use that data. Companies in the insurance industry are the most likely to have both privacy policies (94%) and guiding principles (76%), while consumer companies show the lowest frequency of having privacy policies (64%) and energy companies show the lowest frequency of having guiding principles (38%).
Few of the companies that have these policies and principles create or enforce them with C-suite or senior executive involvement, however. They may be adequately managing legal and technical risk, but they are not managing consumer risk—the source of the greatest upside and downside potential.
Of companies with privacy policies, 73% make legal or IT teams responsible, while only 22% give the responsibility to operating or executive teams; of companies with guiding principles, 59% make legal or IT teams responsible and just 34% assign responsibility to operating or executive teams. Industrial goods and insurance companies are the least likely to make operating or executive teams responsible for their guiding principles (22% and 23%, respectively); in the consumer, health care, energy, and technology, media, and telecommunications (TMT) industries, at least 40% of the surveyed companies make guiding principles the responsibility of operating or executive teams.
Data Use and Collection Practices. One of the most surprising findings of our survey was the degree to which companies pursue fewer uses of data than consumers are comfortable with. (See Exhibit 1.)
We asked consumers whether it was acceptable for companies to tap personal data for five types of use: the internal improvement of products and services, the personalization of offers, the marketing of products from third parties, the anonymous use by third parties (the data is not linked to a consumer’s name), and the nonanonymous use by third parties (the data is linked to a consumer’s name). The vast majority of consumers felt company use of data was acceptable in all cases, if (and only if) companies effectively informed them (transparency) and offered them some form of control (permissions). The use that drew the most negative response—use of nonanonymous data, or data linked to a consumer’s name, by third parties—was nonetheless acceptable to 73% of consumer respondents. We also gathered company opinions regarding the same types of use. Companies are generally comfortable using consumer data for internal uses, with 88% thinking that use for internal improvement is acceptable and 80% thinking that use for personalizing offers is acceptable. When it comes to third-party uses, however, companies are extremely—and, we argue, overly—cautious. Companies are 25 to 34 percentage points less likely than consumers to think a third-party use of consumer data is acceptable. For example, 50% of companies think consumer data could be used to market products from third parties, while 80% of consumers find this use acceptable. This caution is echoed across industries. For every industry surveyed, at least 40% of companies indicated that, in general, third-party data uses are unacceptable.
We believe companies are conservative in their pursuit of new data uses, in the hope that this will insulate them from risk. (The same finding applies to data collection as well.) But this is a misguided notion in terms of consumer perception.
Transparency About Current Practices. Companies frequently fail to make sure consumers and prominent stakeholders are aware of and fully understand the data that companies hold and the ways they use it. Companies often do make important information about their data practices available, but they usually do so in a way that is ineffective. In general, they require consumers to take the initiative. Even when consumers do go looking for this information, they do not absorb nearly as much of the details as companies think, or hope, they do.
Far fewer companies engage their customers via “push” methods to actively send out important information:
As a consequence, companies think that twice as many consumers, on average, understand their data stewardship practices at a detailed level as actually do. (See Exhibit 2.) Company and consumer estimates are in alignment when it comes to the percentage of consumers who are simply aware of privacy policies, but the fact that the figure is below 50% shows how ineffective companies are at getting this information out to their customers. Even less promising is the fact that only 10% of consumers said they believe they know what data a company holds about them, even though companies estimated that 36% of consumers have this knowledge.
This lack of knowledge represents a significant issue for companies. Given that the main cause of perceived data misuse is unpleasantly surprised consumers, the current lack of consumer understanding represents a significant risk. In fact, the absence of a committed effort to create transparency is reckless. At present, organizations are not even getting recognition or credit for their conservative data usage. While only 11% of companies reported allowing third parties to use data on an anonymous basis and 4% reported allowing third parties to use data on a nonanonymous basis, consumers thought that 21% and 19% of companies, respectively, allow such uses. If companies cannot successfully educate consumers about how they use data about them, they are doomed to inhabit a world in which consumers presume that every new use they find out about is a misuse.
Notifications and Permissions for New Data Uses. Finally, few companies actively engage with customers about new uses of personal data or allow them to influence how companies use it. To assess company performance in this area, we asked companies about the same five types of use: the internal improvement of products and services, the personalization of offers, the marketing of products from third parties, the anonymous use by third parties, and the nonanonymous use by third parties. We offered a choice between five permission or notification methods: opt-in permission, opt-out permission, notification, payment for access to data, or no notification or permission required.
Of the companies in our survey, 26% to 56% thought that they did not need to take any action before using data for each of the five types of use. (The sentiment was highest among companies in the consumer and TMT industries.) This compares with only 6% to 15% of consumers. Indeed, the vast majority of consumers want companies to take active steps to secure notification or permission. (See Exhibit 3.)
More than 60% of consumers believed that opt-in or opt-out permissions should be required for all five types of use. Only two uses of data were acceptable to more than 10% of consumers without being preceded by action on the company’s part: internal improvement and personalization of offers. Opt-in permission was the top choice among companies for marketing third-party products and allowing third parties to use consumer data on a nonanonymous basis. Paying consumers for access to data was by far the least popular option, with no more than 3% of companies thinking it was necessary. To study how companies engage with customers about new uses of data, we also investigated whether companies offer customers ways to change or control the data that’s collected about them or how it’s used. Only 4% of companies offer their customers control over what data they collect and manage, and 4% offer control over how they use personal data.
There is no easier way for a company to be perceived as misusing data—and therefore to lose significant business—than by failing to engage with consumers about data use in the way that they expect. Actively engaging consumers through opt-in or opt-out permissions gives them the chance to say no, of course. But our research clearly shows that most consumers will allow most uses of data about them, particularly if things are explained in plain language rather than tech-speak or legalese.
Companies are standing on the edge of a precipice. They are not showing consumers how seriously they take the issues of trust and privacy. They are failing to pursue profitable uses of data that consumers would find acceptable, and they are neglecting to actively and transparently educate consumers about how they use data. Finally, they are not engaging with consumers about new data uses in the ways consumers expect.
The wonder, then, is not that 20% of consumers today have perceived some sort of data misuse, but that the figure is not significantly higher. Data misuse is subjective, which means companies must not only perform much better at data privacy than their competitors but also be seen to take actions that reflect consumer expectations. In the next article in our series, we will discuss best practices that can help companies realign themselves with consumers. The competitive advantage they gain will allow them to maximize the potential value promised by big data and help them avoid the pitfalls of perceived data misuse.