Do you trust that the company or individual that is receiving the data will use it ethically?
For a long time, companies defined how they could use their customers’ data in their terms and conditions. But under increasing pressure from consumers, there’s a growing belief that what they are legally allowed to do, and what’s morally right, are not necessarily always the same thing.
Social licence is a fairly new concept, yet it’s becoming clearer and clearer that it’s time to change our thought process from ‘can our terms and conditions allow this?’ to ‘is this the right thing to do with this data?’. In many cases, the answer to the first question is ‘yes’, while the answer to the second question may be ‘no’.
It’s actually quite a minefield to navigate both sides of the equation when it comes to how we use the data we gather. On one side, there is increasing demand from companies to collect and use data in ever more innovative ways, using data science and artificial intelligence to create highly valuable data sets for advertisers, marketers and others.
On the other side, while consumers want the experiences that auto-suggestions and targeted advertising etc. bring, they may well be uncomfortable when they find out how those experiences are driven. They want the experience, but don’t want to know that generating the experience requires the interpretation of large quantities of data gathered about themselves, their online movements, information they have entered and things they have viewed.
You can comply with GDPR and your terms and conditions, but still fall foul of what is socially acceptable
The General Data Protection Regulation (GDPR) has really raised the general public’s awareness around data privacy and is prompting questions about how companies are using their customer’s data. The problem is, that despite the many provisions of GDPR and strict definitions around data use, we still don’t know what is acceptable under social licence, and what isn’t. You can comply with GDPR and your terms and conditions, but still fall foul of what is socially acceptable. Social licence is continually evolving. It’s society’s opinion, and it’s not something that we can control. It’s a really difficult area that a lot of companies are trying to navigate. In the court of public opinion it is not enough to point to legal compliance – you need to pass the “front page test”.
The Facebook/Cambridge Analytica scandal is a good example of a company playing by the rules, falling foul of social licence.
Mark Zuckerberg learned fairly quickly that while Facebook’s users consented to the use of their data when they accepted the terms and conditions, that the company shouldn’t have used it in the way that they did.
Zuckerberg didn’t say ‘we did nothing wrong, you agreed to the terms and conditions, if you don’t like it, stop putting your information on Facebook’. Instead, he owned up to his company’s mistakes. He acknowledged that they didn’t do enough to prevent data abuse and misuse. He promised to do better.
For those companies looking to develop awareness of their own social licence, it is worth considering a few points:
What information you should keep internal vs. what is okay to share
When is it okay to share any of the information you have gathered? Is it even okay to use it internally to help product development or drive sales and marketing? What if customers have consented to the data being shared? Is that good enough, or do we need to consider how the company we are sharing it with will use it? Do you trust that the company or individual that is receiving the data will use it ethically?
What terms and conditions cover vs. what social licence tells you is acceptable
Is it a fair assumption that if a customer agrees that a company can use their data, that the company then has licence to do so? Industry is fast realising that terms and conditions are not the be-all and end-all – that what you’re legally entitled to do is not the same as what is socially okay to do. So what is your community telling you is acceptable?
Freedom to use aggregated data vs. individual and personally identifiable data
Regardless of what a customer agrees to, it is likely that social licence would dictate that it is poor practice to release individual and personally identifiable data unless that agreement expressly gives permission for the particular situation. However, aggregated data is a different issue. Can we freely use someone’s data in aggregation? If so, how aggregated should the data be? How big should the sample size be for data to be truly anonymous? What restrictions do you need to place around the use of the data?
None of these points have easy resolutions – establishing social licence is complicated. What we do know, is that it’s time to start having these conversations and considering these concepts to ensure you are protecting your customer's information – and potentially your business’ reputation.
Tony Stewart is chief product, platform and data officer at Xero.
Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.