Does your company have consumer data it isn’t legally authorized to possess?
Don’t be too quick to answer. Many ethical, lawfully managed businesses do have such data — and it comes from a surprising source: their customers, who inadvertently share the personal data of their family, friends, and colleagues.
The lack of awareness of peer-dependent privacy is one reason London-based Cambridge Analytica Ltd. was able to obtain the personal information of tens of millions of Facebook users (Facebook's own estimate was up to 87 million), even though only about 270,000 of them had agreed to take the personality-quiz app that harvested data for the now-bankrupt company; the rest were those users' Facebook friends. Cambridge Analytica reportedly knew what it was doing, but any company whose app accesses customer data such as contacts, call logs, and files can breach peer privacy without knowing it.
Blame apps. Virtually all large companies offer apps to their customers, and most of those apps access and collect customer data. Often that includes peer data: information about people who never installed the app and may have no relationship with the company at all.
Consider a typical scenario: John installs a customer club membership app on his smartphone. During this process, the app requests permission to access core services on his device, including his contacts. John agrees. This opens a Pandora’s box of potential problems. John has given a third party — the company owning the app — permission to access not only his personal data, but also the personally identifiable information of the hundreds of contacts saved in his phone. None of those people, including Rachel, whose name, phone number, email address, photo, and date of birth are stored in John’s phone, agreed to share their information with the company. They have no idea that they have been caught up in a peer-dependent privacy breach.
Company executives may be no more aware of the privacy breaches built into their apps than John and his contacts are. Yet the exposure is theirs. Under the EU General Data Protection Regulation (GDPR), a company can be fined up to 4% of global annual revenue or 20 million euros, whichever is greater, for failing to respect the rights of individuals in the EU over their personal data. Notably, these obligations are not limited to customer data: since May 25, 2018, the personal data of people in the EU, including data stored on other people's devices, must be obtained lawfully, fairly, and transparently in accordance with the GDPR's principles. For peer data this means a lawful basis is needed before taking possession of it; in practice that is either the peer's fully informed consent or a legitimate interest that survives the GDPR's balancing test against the peer's rights. The regulation also generally requires (Article 14) that people whose data was obtained from someone else be told who holds it and why, and peers have the same rights as customers to access their data and, in some cases, to have it deleted on demand.
In short, peer-dependent privacy has…