Exploitation vs empowerment
New technologies generate data. When people visit a website, they may be identified as a potential customer.
Example:
Most people, when interrupted by a dialogue box, will click ‘OK’ without giving it much thought. Few will look at the privacy policy terms and almost none will assess these in any depth.
Soon, a friendly face might appear, inviting the potential customer to ask questions via voice call or keyboard. That face will most likely belong to a chat-bot.
Whether or not visitors respond, data about their journey is monitored through the website. High-level telematics can help retailers and manufacturers see which features attract customers and improve marketing communications or product innovation. At an individual level, people may receive further targeted communication when they visit related websites. And they may be profiled to help ‘customise content and advertisements’. But it goes much further. Customer data can be linked to public-domain data to improve customer profiling and behavioural predictions.
Google, Amazon and Facebook first developed huge user networks. Then, by allowing outside applications to interact with their networks, they developed platforms that enhance customers’ experience and attract even more traffic to their networks.
When huge user networks allow outside applications to interact with them, there is a risk of data misuse and of losing consumers’ trust. Companies have been exposed for collating consumer data without consent and building profiles to target consumers with products and services, and even to manipulate them. For example, Facebook’s reputation was badly tarnished when Cambridge Analytica exploited its lack of data governance to gain access to customer data.
Ethical considerations arise for two reasons:
Under the EU’s GDPR, data controllers must have a lawful basis for processing personal data. Individuals’ consent must be given affirmatively (i.e., not unwittingly or passively). Further regulations apply for sensitive data around ethnicity and health.
Individuals’ rights under GDPR are:
Businesses must comply with and respect individuals’ rights, but the key issue here is the duty imposed on controllers and processors to process data securely. The ‘security principle’ under the GDPR requires that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. [vi]
Recently, British Airways (BA) was fined a record £183m after people were diverted to a fraudulent site that stole their data. BA had breached the ‘integrity and confidentiality’ principle of the GDPR — also known as the security principle.
More recently, the Federal Trade Commission (FTC) approved a fine of $5 billion against Facebook for “allowing Cambridge Analytica, a British consulting firm to the Trump campaign, to harvest personal information of its users. The firm used the data to build political profiles about individuals without the consent of Facebook users.” [vii]