The Cambridge Analytica data breach offers an objective lesson in why companies should be wary of encouraging users to share contact information.

Does your company have consumer data it isn’t legally authorized to possess?

Don’t be too quick to answer. Many ethical, lawfully managed businesses do have such data — and it comes from a surprising source: their customers, who inadvertently share the personal data of their family, friends, and colleagues.

The lack of awareness regarding peer-dependent privacy is one way that London-based Cambridge Analytica Ltd. was able to collect the personal information of more than 71 million Facebook users, even though only 270,000 of them agreed to take the now-bankrupt company’s app-based personality quiz. Cambridge Analytica reportedly knew what it was doing, but any company that accesses customer data, such as contacts, call logs, and files, can unknowingly breach peer privacy.

Blame apps. Virtually all large companies offer apps to their customers, and most of those apps access and collect customer data. Often, that includes peer data, which also is collected even though the app’s owner may have no direct relationship with the user’s peers.

Consider a typical scenario: John installs a customer club membership app on his smartphone. During this process, the app requests permission to access core services on his device, including his contacts. John agrees. This opens a Pandora’s box of potential problems. John has given a third party — the company owning the app — permission to access not only his personal data, but also the personally identifiable information of the hundreds of contacts saved in his phone. None of those people, including Rachel, whose name, phone number, email address, photo, and date of birth are stored in John’s phone, agreed to share their information with the company. They have no idea that they have been caught up in a peer-dependent privacy breach.

Company executives may be no more aware of the privacy breaches built into their apps than John and his contacts. Yet, it could cost them as dearly. Under the EU General Data Protection Regulation (GDPR), any company can incur fines of up to 4% of global annual revenue or 20 million euros, whichever is greater, for failing to respect the sovereignty of EU citizens over their personal data. Notably, these fines are not limited to customer data: As of May 25, 2018, the personal data of EU citizens, including data on other people’s devices, must be obtained lawfully, fairly, and transparently in accordance with the principles of the GDPR. This implies that the fully informed consent of peers is needed prior to taking possession of their personal data (barring some other legal basis). In most cases and subject to a balancing test, companies also need to provide peers with access to their personal data and, in some cases, delete that data on demand.

In short, peer-dependent privacy has become a significant exposure for companies that want to ensure the highest standards of data protection, privacy, and regulatory compliance.

Your Customers Don’t Understand Peer-Dependent Privacy

Peer-dependent privacy is something of an iceberg for companies; customers, not IT systems, are the weak link. To gauge the weakness of this link, we identified the levels of customer awareness and action required to protect peer data. Then, we conducted two surveys — one of digitally savvy business students in London, and one of internet users in the general public in the European Union and United States — to gauge customer behavior at each level. This research suggests that nine out of 10 customers share the personal information of their peers without consent. (See “Failure Rates in Peer-Dependent Privacy.”)

There are three sequential levels of awareness that customers must attain if they are to protect the data rights of their peers. We found that customer awareness is sorely lacking at each of them.

Level 1

Customers must realize that a data transfer process is happening when they download an app and click the accept button, and that they are giving away personal data in the process. Our surveys revealed that 95% of London business students and 71% of the general population underestimated the scope of the data that they had agreed to give away.

Level 2

Customers must recognize that the peer information stored in their devices belongs to their peers and their peers have rights regarding that data. Our surveys revealed that 42% of the business students and 49% of the general public did not recognize others’ rights to data they held, including contact data.

Level 3

Customers must respect peer rights. Specifically, they must be able and willing to forgo a service if they do not have their peers’ consent to share personal data. When we explicitly alerted participants that their consent included access to peers’ personal information, 70% of business students and 65% of the general population preferred to ignore peer data rights and keep the app.

Three Implications for Companies

We see three main implications stemming from the lack of customer — and corporate — awareness around peer-dependent privacy.

First, the financial risks for companies will grow as the discussion about peer-dependent privacy gains momentum. Public pressure to protect peer data will likely rise given the involvement of privacy interest groups, such as the Electronic Privacy Information Center (EPIC) or the U.S. Federal Privacy Council, and the establishment of data protection regulations, such as the Privacy Shield Frameworks and GDPR. It seems inevitable that lawyers are going to start sensing the financial potential in peer-dependent privacy breaches.

Second, companies that incur peer-dependent privacy infringements could suffer serious reputational damage. Cambridge Analytica claims that it did not violate any laws in collecting peer data on Facebook, but that neither forestalled customers from deserting it nor prevented its declaration of bankruptcy on May 2, 2018.

Finally, where there are risks, there are opportunities. Companies that recognize and properly manage peer-dependent privacy, by either not collecting it or ensuring that their customers realize, recognize, and respect it, may be able to reap both reputational and financial rewards. Now is the right time to explore those opportunities.

1 Comment On: Your Customers May Be the Weakest Link in Your Data Privacy Defenses

  • Oli Ogbonna | June 9, 2018

    If the personally identifiable information (P.I.I.) of the people on a contact list belongs to the individuals it identifies and not the person who has them on his / her device, then that information can only be legally obtained from the individuals in question. Technically this means that all apps requesting for P.I.I. found on any device contact list are in breach of privacy laws.
    One cannot share P.I.I. of another because one cannot build something on illegality. It is like robbing a bank and giving the money to another bank to keep who decides to feign ignorance of the crime.

Add a comment