Third-party tracking has become so prevalent and the surveillance economy so rich, it can be difficult to see the upside of taking a hard stance on data privacy in an increasingly digitized sales environment. Businesses have been incentivized to pursue every last morsel of user data to try to engage customers and drive growth.
Better customer data, they’re told, is the competitive advantage that will decide the winners and losers. This may be the reason why Amazon Web Services has been advertising location data from X-Mode, a controversial firm that collected at least some of its data without informed consent.
However, this so-called competitive advantage from third-party tracking will need to change to accommodate Canada’s new privacy rules when Bill C-11 becomes law. This falls under the purview of Information Security.
But before we get into the upcoming changes in privacy legislation, let’s take a quick look at how this type of data is being used.
Tracking on Steroids
The data being collected and leveraged by third-party tracking can include IP addresses, behavioral data, social activity, transactional data, feedback, application usage data, and even information about a user’s devices and browsers. While this data is most often used for the purposes of personalizing ads, other uses can include developing analytics about user behavior, allowing social media sharing, and more.
Perhaps more worrisome than the type of data being collected and the uses for it is the lack of transparency and lack of disclosure in the market currently. A recent survey from Zoho, focused on data privacy and data tracking practices in North America, revealed that the vast majority of businesses in the country do not inform their website visitors of third-party tracking. The November 2020 study – conducted by CRM Essentials and sponsored by Zoho – surveyed 429 Canadian business leaders and employees and found that only 20% of respondents inform their website visitors that they use third-party tracking codes.
So while these shady practices are extremely common in today’s economy, they could soon become illegal and subject to major financial penalties.
What is Bill C-11 and how will it affect data privacy?
Originally tabled on November 27, 2020, by the then Minister of Innovation, Science, and Industry, Navdeep Bains, Bill C-11 would enact the Consumer Privacy Protection Act (CPPA) with the purpose of repealing some of the current provisions in Canada’s existing data privacy legislation (PIPEDA) and replacing it with new data privacy obligations under CPPA.
Highlights of Bill C-11 include:
● The federal Privacy Commissioner would have the power to investigate contraventions of the CPPA and apply penalties of between 3%-5% of an organization’s global revenues, depending on the severity of the offence.
● New requirements would mandate written plain-language consent before a business can collect and use a user’s data, and consent could be withdrawn at any time.
● Organizations must disclose to people if they have their personal information, how it is being used, and whether that information has been disclosed. Furthermore, individuals would be able to request access to any of their personal information within that organization’s possession or request it be deleted.
● The concept of algorithmic transparency would be introduced. This requires an organization to explain why its algorithm made a certain decision based on a user’s personal data, if requested by that user.
While this is still just a bill – and it is subject to change if/when it becomes law – the major takeaway would appear to be that a lack of transparency or purposeful deception when it comes to collecting and using people’s data will no longer be accepted and businesses will need to adapt their operating strategies to reflect this.
How Can You Prepare Your Business?
First and foremost, every business should be reviewing its privacy policy in anticipation of Bill C-11 becoming law. If your privacy policy is not yet up to the standards that are likely to be enacted, that needs to change quickly. But for those who would like to take an even harder stance on privacy, there are a couple of incentives for not relying on the financial gain from the harvesting and selling of user data.
For one, by not collecting and storing your users’ data, there’s less to be gained by a bad actor attacking your organization. The incentive for cyberattacks is greatly reduced.
The average cost of a data breach in Canada in 2020 was $6.35 million. The risk of such a disaster far outweighs the value to be gained by collecting, using, and sharing your users’ data. Additionally, by selling your users’ data to third parties, you are relying on another company’s cybersecurity and data privacy practices to protect your customers’ data.
The second major incentive for greater data privacy in your organization’s practices is the trust that you can develop and maintain with existing customers and new customers alike.
Zoho’s privacy policy does just that by not leveraging any user data for the purpose of third-party advertising or to sell to any third-party companies.
With Bill C-11 likely to become law this year, there’s even more incentive for businesses to ensure better data privacy.