When it comes to deciding how your organization will develop privacy policies for big data, there are at least three distinct sets of guidelines to consider. Without consideration for all three of these areas, you will put your organization at risk:
- What is legal?
- What is ethical?
- What will the public find acceptable?
In an ideal world, these three considerations would lead to the same result. In practice, however, the three are often not in sync and can in fact, point to totally different decisions. It will be important for your organization to decide how you want to balance the results to guide your actions when the three criteria diverge.
For example, it may not be expressly illegal to use big data in certain ways. At the same time, it may not be ethical to do so. Often, laws and industry standards haven’t caught up with our data collection and analytic capabilities. So, it is important to consider what is right and ethical, not just what is legal. If you’re the first to ponder a new type of analysis, you need to think through these considerations before you even start down the path. Maybe there is a loophole that would make it legal to sell my historical location information to a 3rd party, such as an investigator, who is interested in studying my whereabouts over time. However, most people would agree that it certainly isn’t ethical to do so without my knowledge and consent.
What the public finds acceptable can often be even more stringent than what is legal and ethical. It is both completely legal and ethical to analyze my shopping patterns when I sign up for a loyalty program. However, the public only wants it to go so far. For an example, consider the trouble a major US retailer got into for crossing the line from helpful to creepy when predicting who was in the early months of pregnancy based on purchase history. The retailer learned the hard way that the public has its own lines in the sand to watch for. These lines may not always be clear or easy to identify. However, you cross them at your own peril. That makes it necessary to look for them up front.
My belief is that an organization will be well served to routinely sit down and explicitly discuss the legal, ethical, and consumer perception of its analytic policies in detail. After examining the legal, ethical, and consumer perspectives, I recommend defaulting to pursuing strategies that fall within bounds of the most restrictive of the three considerations. Given the rapid change of the legal environment and consumer acceptance of the use of their data, you can expect your decisions to be fluid and changing over time. What seems ok today may not be ok a year from now. While it may not be the most exciting process, keeping on top of your privacy policies will help avoid much bigger issues, such as legal problems and PR fiascos, down the road.
Of course, all of the above points to the need to have analytic systems and processes in place that are flexible enough to adjust as required. Building highly rigid environments will make every adjustment much more painful than it needs to be. Focus must be on a flexible privacy framework rather than a rigid set of specific privacy rules.
None of us wants to be the person behind an analytic initiative that garners a lot of negative public attention for his or her organization. Being proactive in addressing privacy issues is one way to stop you from becoming that person in the news.
To see a video version of this blog, visit my YouTube channel.
(image: big data privacy / shutterstock)