Bidisha, 23, got hooked to an Indian period-tracking app that collects information on mood, sexual activity, water intake, and vaginal discharge in return for predictions about a woman’s menstrual cycle. She would recommend the app to her friends, citing how it made her life easier. But in September this year, Privacy International reported that the app shares this information with Facebook. Speaking with Anwiti Singh from 101reporters.com, Bidisha says that the app breached her trust by selling her information, making her feel cheated and paranoid.
Another user, Mansi, said that she might have agreed to share the data if the app asked her beforehand, but that the terms and conditions don’t count as consent because no one reads them. Bidisha and Mansi (both names changed) are two among a growing chorus of Indians who would like to see responsible data practices from businesses they share data with.
Privacy matters to regulators, customers and investors/markets – hence the business case for taking privacy seriously; it generates both risks and opportunities for businesses. Poor data practices increase financial risks – including penalties and impact on valuations. In May 2018, Europe enforced the General Data Protection Regulation (GDPR) which sets steep fines of up to 4% of global turnover for non-compliance with its clearly specified privacy guidelines.
European regulators have been quick to act and imposed major penalties on companies like British Airways ($230m), Marriott ($130m) and Google ($55m). California, the home of Silicon Valley, will start enforcing a similar law in January 2020. Both these laws cover all entities that process their residents’ data, including any Indian company that does business directly or indirectly with either Europe or the US.
Closer home, government has said that it is prioritising bringing a robust data protection bill to Parliament. The draft bill under consideration envisages fines similar to Europe, and goes further by introducing criminal provisions and jail terms. This law will cover almost all significant commercial entities in India. Therefore, the initial impetus to better privacy will likely come from regulation. Those with a global customer base can be exposed to both domestic and global laws, and bear the risk of steep fines in case of non-compliance. Both large corporations and startups need to equip themselves to comply with such laws.
Data breaches can potentially also impact valuations. For example, research from the US shows that companies that experience a data breach see a 2-6% decrease in stock prices. The business risk is loss of customers – in the face of poor data practices, customers like Bidisha and Mansi are likely to uninstall apps and be more willing to share data with those businesses that uphold user privacy.
At a time when distrust of businesses is increasing and their role in society is being questioned, they will need to go beyond compliance in order to win the trust of customers. A recent survey by CUTS International shows that 60% of Indians fear unauthorised data collection. The desire for privacy goes much beyond fear – a study by CGAP, Dalberg and Dvara Research showed that Indians across the socio-economic spectrum seek greater control over their data. These stated preferences also lead customers to act differently. Behavioural experiments show that, all else being equal, consumers prefer a product or service with better privacy. In fact, they are often willing to pay a little bit extra.
The opportunities lie in building customer trust and differentiation through privacy as well as an increasing market opportunity in privacy-first businesses like data protection and management. Businesses are increasingly using privacy as a key market differentiator. For example, Apple has launched a marketing campaign emphasising the fact that the iPhone is equipped with several privacy-protecting features.
Globally, venture capital investors are waking up to the commercial value in privacy-first businesses, a handful of whom have achieved the coveted ‘unicorn’ status. These new unicorns are emerging across the globe and have raised large funding rounds, including One-Trust ($200m) in the US, Acronis ($180m) in Europe, and Druva ($130m) in India.
Regulatory compliance, gaining user trust, and market differentiation are three mutually reinforcing factors driving a transition towards better data practices. Admittedly, we are in the initial stages of this journey. Those who embrace and prepare for this transition stand to create robust and resilient businesses. Growing evidence signals that the future belongs to those who become trusted fiduciaries of their users’ data. People like Bidisha and Mansi expect no less from them.
DISCLAIMER : Views expressed above are the author’s own.