Privacy challenges in the IoT: Providing consumers with transparency and control in a connected world
Mobile World Congress 2018, Barcelona
Our Head of Digital Advocacy Liz Coll took part in a GSMA seminar at this year’s Mobile World Congress on “Privacy Challenges in The Internet Of Things: Providing Consumers With Transparency And Control In A Connected World” along with the European Data Protection Supervisor, Vodafone, Deutsche Telekom and Meeco.
The panel looked at new approaches to consumer transparency and how meaningful understanding and consent can be achieved in a hyperconnected world. Below is an edited version of her opening remarks.
Consumers in a hyperconnected world
You can probably imagine what the reality might be like for consumers in the hyperconnected world, or indeed have already started to experience it. Let’s remember that even for those of us who are not a ‘conspicuous’ consumer of novel new IoT devices, many of us are already connected to services, devices and networks for example through TVs, home assistants, smart energy meters, transit systems, speakers, not to mention smart phones or gaming consoles.
And while there is often disagreement on what the nature or severity of the privacy challenge is; we can probably all agree that there are major challenges for consumers in the current approach to providing an understanding of how and why our data is used; visibility, transparency, and control. This is usually done through information provision in the form of terms and conditions, privacy policies or user guides coupled with the ability to adjust settings. Or, as we like to say ‘tick, click and hope for the best’.
Too much information?
Information provision, ‘caveat emptor’ or ‘buyer beware’ have dominated much consumer protection policy and discourse and is based on the idea that if you give people enough information about something they are equipped to make an informed decision about whether to take it up.
But the limits of its effectiveness have become much more apparent as products and services become more connected. Functionality may be easy enough to understand, but the way in which people’s data is used and how it relates to companies’ business models is far from clear.
While there are great examples out there of visual prompts, just-in-time notifications or clear explanations and easy opt outs, on the whole the way information is presented does not work for people in terms of providing:
- Engagement and understanding: the tiny numbers of people who actually read terms and conditions is widely documented. Up to a quarter may claim to read them, but other estimates put it at less than 1%. This is not surprising given their length and style of wording, or even some very basic factors. For example, it was only in 2016 that a Berlin court ruled a messaging app was breaking consumer protection law as their terms and conditions were not provided in German, although they had to be read and agreed to in order use the service.
- Effectiveness: the number who read them and feel empowered, confident or in control is less still. Indeed, a survey by a UK consumer group found that people who made the effort to read terms and conditions and inform themselves felt worse off afterwards.
- Knowledge: A global survey found 72% of people do not know what information is collected about them by companies online.
Disclosure and transparency is not the whole story….
And let’s remember that information provision is just one element of consumer rights and protection. Just as important are fair treatment, safety, security, redress and the ability to choose between different products etc.
Which is why we need to break out of the assumption that regulators, companies and sometimes even consumer groups make that consumers are a group of ready, willing, able new converts to connected technology with plenty of time on their hands to familiarise themselves with how new technology works.
And again, this is why much of the provision in the European Union’s new General Data Protection Regulation (GDPR), which has the potential to set a high standard globally, shows such promise. As well as clarity and control requirements, such as unambiguous consent, clear language and easier opt outs, it also puts obligations on businesses to carry out Privacy Impact Assessments for certain data use cases. This will have the effect of enabling businesses to consider more holistically what the organisation is doing with the data it collects and the impact it could have on people’s privacy – giving them a chance to look across the piece at what they are collecting and why. The GDPR also emphasises Privacy by Design which should shift the onus to companies to show good privacy consideration throughout the product’s design and delivery, and not bolt on privacy compliance at the end by way of a notice.
Smart businesses should use GDPR as an opportunity
All these elements can be used as levers by smart businesses to demonstrate a different way of doing things with consumers and give them more than just transparency.
Because let’s be clear –the drive for new rules and requirements in the GDPR did not come out of nowhere. And contrary to popular opinion they didn’t just come out of Europe. As a global membership organisation that represents consumer groups around the world, we hear from most of our members about direct concerns from consumers about privacy and security, about not understanding how their data is used or being unable to stop things they don’t like.
There is also strong survey evidence showing consumer concern. Consumers International’s own survey last year of consumers in six G20 countries found that 72% are concerned that too much of their data is being collected online. The Centre for International Governance Innovation survey found almost eight in ten people are concerned their information may be bought or sold, and that in 2016, 57% of consumers worldwide reported that they were more concerned about their online privacy than they were in 2014.
Create consumer confidence, not just legal compliance
Across the world, consumers tell us they want more transparency, control and accountability – and given what we know about human nature, we know they want to do things quickly and easily and without worry. We want it to be ok. Not to expect that nothing can ever go wrong but that the best has been done to minimise what could go wrong, and that if it does that someone will take responsibility for putting it right. In a hyperconnected, ‘always on’ world getting these basics right will become even more important.
I am going to finish my comments by saying that privacy challenges for consumers in the IoT do not start and finish with providing control and transparency. Instead, it is about taking transparency and enhanced control as a starting point to show you understand the complexities of an ever more connected lifestyle, to demonstrate good practice and values and to give consumers a meaningful say in how they want to make best use of services that could potentially contain so much personal information about themselves and their families. To see an opportunity to create confidence and not just be compliant.
This way you can help to build a digital world consumers trust – and a better brand consumers value.