In the U.S., the past year was the most active to date for passing state-by-state data privacy laws. Following suit with GDPR and other jurisdictions globally, the U.S. is weighing national data privacy and security regulation to help companies keep up with the patchwork of state laws. This flurry of legislative activity comes at a good time — and with good reason. Consumers are quickly losing trust, and companies must act swiftly and responsibly to restore it.
A Pew Research study reveals a concerning trend: 67% of consumers have little understanding of what companies do with their data, a sentiment echoed by an IAPP study which found that only 29% feel informed about how their data is protected. This happens in an environment where consumer trust is already fragile. A September 2023 study that Acquia conducted with an independent research firm found that just 56% of customers trust that brands will handle their personal data appropriately, and only 17% think that their personal data is “very secure” in the hands of companies.
It doesn’t have to be this way. Companies’ use of consumer data should be helpful instead of harmful or untrustworthy. Ideally, this data should be productively used to create better, more personal experiences for consumers. Companies benefit equally from the responsible use of data, in the form of greater customer loyalty or better engagement with information their customers actually care about.
The tide is turning. Companies that neglect consumer privacy and safety risk losing business from loyal customers that are fed up with preventable security threats and unfair data-sharing practices. To protect consumer data and re-establish a bond of trust, companies must create a clear, fair and transparent “contract” with their customers on how they’ll use their data. In addition, companies have an obligation to embrace multiple layers of security within their own systems to protect customers from bad actors.
Advertisement
Let’s dive into how companies can embrace a culture of security and trust.
Improving the Data-Sharing Contract Between Businesses and Consumers
From quick pop-up boxes to opt-in website cookies to multi-page privacy agreements, consumers are confused about what data companies collect and how they are using it.
According to the Pew study cited above, 61% of people think privacy policies are ineffective at describing how companies use their data, and 56% of people click “agree” without reading privacy policies. Oftentimes these policies are downright inaccessible to consumers because they’re far too long and filled with legalese.
Improving the “contract” means making it clear and transparent as to which data is being collected and how it is being used. While they’re not perfect, many financial services companies provide concise, one-page statements clearly detailing why consumer data is collected, how it is collected, what is collected and how it is used. Similarly, all companies should provide clear descriptions of what information they intend to collect, and how it will be used to improve the customer’s experience — written in plain language instead of legalese.
Customers should be allowed to expressly opt into or out of these agreements, understanding how their experience with the company will change if they say “no.” Instead of a one-sided disclosure, data privacy can and should become more of a dialogue and a choice for consumers.
A Company’s Obligation to Securing its Own Systems
On top of data privacy, companies must demonstrate a commitment to maintaining multiple layers of security to protect their customers’ data from threat actors. For many companies, it is not a matter of “if” there is a data breach, but when. The total number of data breaches and leaks last year surpassed 2022’s numbers in September.
Typically, it’s been difficult for customers to evaluate a company’s commitment to security. However, companies should make that job easier by embracing robust security practices and providing clear information for customers on their websites. For example, customers should look to do business with companies that take a “security by default” approach. This might include policies like role-based access control (RBAC) and principle of least privilege, multi-factor authentication (MFA) requirements, and multiple layers of security (such as firewalls, security event monitoring, vulnerability management and more).
In addition, companies should clearly include information about their compliance with certain regulations that are both relevant and important to customers. Whether they are geographic regulations like GDPR or industry-specific compliance standards like HIPAA for healthcare, customers deserve to know how the company performs their compliance obligations.
Customers should also be aware that companies taking a proactive security posture are more likely to pursue security standards like SOC 2 Type 2 or ISO 27001. These stringent, third-party standards ensure that a company’s security controls meet a high bar.
A Future Web That’s Safer for Everyone
Today, customers don’t have a lot of faith in the way companies handle their data. That trend must change, and it’s up to companies to change it. First, creating more clarity into how data is used and why it can improve transparency for customers. Companies must demonstrate value for customers by creating more useful technology and productive, data-driven digital experiences. What’s more, adopting multiple layers of security and compliance controls provides customers with the assurance that a company takes great care to protect their data.
Embracing these fair and transparent business practices isn’t just good for customers, it’s good for business. When done right, these practices improve the bottom line by creating more loyalty and trust among customers. They also set a good example by establishing a path toward greater accountability for both companies and competitors. The goal in acting responsibly is to create a safer, more inclusive web for generations to come.
Stephen Reny is President and CEO of Acquia. Most recently, he was Acquia’s COO, leading all aspects of customer success, professional services, global support, security and operations. Prior to joining Acquia in 2018, Reny served for nearly three decades at organizations such as HP and Micro Focus, where he was VP and General Manager and ran the information management and governance and global SaaS businesses. He has held CEO, CFO and COO roles spanning the technology, finance, corporate banking, investment banking and private equity industries. Reny is a Bentley University alum.
