Your Customers May Be the Weakest Link in Your Data Privacy Defenses

The Cambridge Analytica data breach offers an object lesson in why companies should be wary of encouraging users to share contact information.

Does your company have consumer data it isn’t legally authorized to possess?

Don’t be too quick to answer. Many ethical, lawfully managed businesses do have such data — and it comes from a surprising source: their customers, who inadvertently share the personal data of their family, friends, and colleagues.

The lack of awareness regarding peer-dependent privacy is one way that London-based Cambridge Analytica Ltd. was able to collect the personal information of more than 71 million Facebook users, even though only 270,000 of them agreed to take the now-bankrupt company’s app-based personality quiz. Cambridge Analytica reportedly knew what it was doing, but any company that accesses customer data, such as contacts, call logs, and files, can unknowingly breach peer privacy.

Blame apps. Virtually all large companies offer apps to their customers, and most of those apps access and collect customer data. Often, that includes peer data, which is also collected even though the app’s owner may have no direct relationship with the user’s peers.

Consider a typical scenario: John installs a customer club membership app on his smartphone. During this process, the app requests permission to access core services on his device, including his contacts. John agrees. This opens a Pandora’s box of potential problems. John has given a third party — the company owning the app — permission to access not only his personal data, but also the personally identifiable information of the hundreds of contacts saved in his phone. None of those people, including Rachel, whose name, phone number, email address, photo, and date of birth are stored in John’s phone, agreed to share their information with the company. They have no idea that they have been caught up in a peer-dependent privacy breach.

Company executives may be no more aware of the privacy breaches built into their apps than John and his contacts. Yet it could cost them just as dearly. Under the EU General Data Protection Regulation (GDPR), any company can incur fines of up to 4% of global annual revenue or 20 million euros, whichever is greater, for failing to respect the sovereignty of EU citizens over their personal data.



Comment (1)
Oli Ogbonna
If the personally identifiable information (P.I.I.) of the people on a contact list belongs to the individuals it identifies and not the person who has them on his / her device, then that information can only be legally obtained from the individuals in question. Technically this means that all apps requesting P.I.I. found on any device contact list are in breach of privacy laws.
One cannot share P.I.I. of another because one cannot build something on illegality. It is like robbing a bank and giving the money to another bank to keep, which decides to feign ignorance of the crime.