How Much Control Over Data Do Your Customers Have?

April 23rd, 2019 (updated 2019-09-06)

Today, most consumers use online services like social media, streaming platforms and connected devices without thinking much about how those services are funded. Many of them are free to the user, at least in the traditional sense. Nothing is truly free, though, and most services that don’t ask users for money do require some other form of payment. How do users pay for these services? With their data.

What is customer data, and how do businesses use it? The companies that provide these services collect data from their users, then sell that data or use it to target ads to them. The ads, powered by data, are what pay for the services and enable them to remain free.

While this setup offers benefits to users in the form of free content and tools, it also raises some concerns. Most people don’t know what happens to their data once companies collect it, and some may not even be aware it’s being collected at all. Why is customer privacy important? Some users may be concerned that private companies and advertisers know too much about them. Others worry, and rightfully so, that their data could get into the hands of a criminal who could use it against them. In 2018, there were 1244 data breaches in the United States alone, which led to 446.5 million records being exposed.

Why Is Consumer Data Important?

Most consumers understand their data is how they pay for free online services, although they may not think about this fact very often. They realize that by using online services, such as certain applications and websites, they agree that the company providing them can collect and use their data. Few users, however, have an understanding of how, precisely, each company is using their data.

The closest most people come to this is clicking the box that says they agree to the privacy policy. Users rarely read these policies, as they’re long and often difficult to understand. However, users are willing to accept the terms anyway and simply trust that the company won’t do anything unsavory with their data and will protect it from those who may want to steal it.

Currently, the landscape is moving toward more informed users and more user control over data. Different laws and regulations apply to companies depending on where they’re located and who they serve. Recently, the European Union enacted the General Data Protection Regulation (GDPR), the single most extensive update to data privacy rules in history. This regulation impacts not only companies in the EU but also companies located elsewhere that manage the data of EU citizens.

In the United States, the rules are not yet so concrete, at least for most sectors. The general rule is that companies can do almost anything they want with data as long as they disclose it to customers.

Companies across a variety of locations and sectors are taking steps to improve their practices as they relate to consumer data privacy and use control over data. These companies may update their privacy policies to make them easier to read and understand, give users more control over their data and take steps to increase transparency as it relates to their data use.

What Is the Current Consumer Data Environment?

Regulations related to customer data are evolving. The data privacy laws that apply to your company depend on where you’re located, what sector you operate in and more. Here’s a brief look at seven types of regulations in place in the United States and elsewhere and how they affect businesses and their customers.

1. The General Data Protection Regulation (GDPR)

GDPR came into full force in May 2018. The regulation puts the force of law behind the EU’s data guidance. Companies that don’t comply could receive fines of up to 20 million Euros or four percent of their global revenue. Independent public authorities called data protection authorities oversee the application of GDPR by handling complaints about GDPR violations and offering expert advice about data privacy issues. The law applies to any company that holds the data of any EU citizen in a database. It covers all personal data, which includes personal details such as names and addresses, IP addresses, social media posts and even anonymized data that could potentially be used to work backward and identify someone.

Under GDPR, you need to provide a valid reason for collecting any data you plan to collect, keep the data you collect secure and maintain data governance, accountability and documentation. You also need to:

  • Tell users why you’re collecting their data and what you plan to do with it
  • Request consent in an intelligible and accessible form before you can use it
  • Give users control over their data
  • Provide users with a copy of their data if they request it, delete their data if they ask you to, correct their data if they say it’s inaccurate and allow them to transfer their data from your service in a machine-readable format if they request to do so

2. The California Consumer Privacy Act of 2018

In June 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018, which will take effect in 2020 and is similar to GDPR. It’s not quite as strict as the EU regulation, but it’s the most stringent data privacy law in the U.S. The law gives users the right to know what data companies are collecting about them and how they’re using it. It also provides the option to opt out of letting businesses sell their data. Companies cannot sell the data of people under 16 years old without their consent, or without the consent of a parent or guardian for people under the age of 13. It also gives consumers the right to have businesses delete their data. The law also says that companies cannot discriminate against users who exercise their privacy rights by, for example, charging them higher prices or denying them goods and services.

The act applies to for-profit businesses that collect the personal information of California residents and conduct business in California. For the law to apply to a business, it must also have annual gross revenues of more than $25 million, receive or disclose the information of at least 50,000 California residents, households or devices annually, or obtain at least 50 percent of its revenue from selling the personal information of California residents. The civil penalty for each intentional violation is up to $7500, and the law also makes it easier to sue companies over data breaches.

3. Healthcare Data Regulations

One sector that is subject to extensive privacy regulation is healthcare. The Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, covers individually identifiable health information, billing information about medical visits, information in insurers’ systems, conversations between medical professionals about your care and more. The law covers health care providers, healthcare facilities such as hospitals and clinics, health plans and some third-party businesses that handle medical records. The makers of many healthcare apps and personal devices are not required to comply.

Entities covered under HIPAA are prohibited from sharing covered information except to provide patients with healthcare services and for a limited set of other purposes. The law also gives consumers the right to access their medical and health information, limit sharing and find out with whom their information has been shared.

4. Financial Information Regulations

The Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) cover banking, credit and financial services data. GLBA covers, among other things, non-public personal information (NPI). Under the GLBA, organizations must tell customers which NPI they collect, how they use it and with whom they share it. Companies must also provide an opt-out option if they plan on disclosing NPI to third parties.

FCRA deals with credit report data and has implications for the agencies that create them, as well as those that request them, such as employers, lenders and landlords. Under FCRA, people have the right to know what information is in their credit file and what information was used against them in an adverse decision. They also have the right to dispute errors. The agencies that generate credit reports can only share them with those who have a “valid need” for them.

5. Children’s Internet Use Data Regulations

There aren’t comprehensive laws for internet use data in the United States, except when it comes to the internet use data of children under the age of 13. The Children’s Online Privacy Protection Rule (COPPA) applies to all personal information of children under 13 collected online. This personal information includes anything that could be used to identify a child, including Social Security numbers, screen names, photos, addresses and geolocation information.

Organizations covered by COPPA must:

  • Post privacy policies
  • Obtain consent from parents or guardians for their privacy practices
  • Let parents opt out of letting companies share their children’s data
  • Let parents or guardians review their children’s data
  • Delete data upon request
  • Keep data secure and confidential
  • Limit the retention of data

This law applies to websites and apps directed at children, as well as those that knowingly collect the data of children.

6. Phone Use Data Regulations

The Communications Act and the Telephone Records and Privacy Protection Act of 2006 cover consumers’ phone use data. They cover the customer proprietary network information (CPNI) that phone companies collect when you make calls, which includes the numbers you call or receive calls from, call length, where you called from and information about the services you use. The laws apply whether you’re using a landline, cellular or IP-based phone.

Phone companies can only share this data to provide customers with a service they’re paying for, if they receive a customer’s approval or if they’re required to share it by law, such as when law enforcement subpoenas phone records. It is also a federal crime to obtain phone records fraudulently.

7. Cable TV Data Regulations

The Communications Act — in particular, the Cable Communications Policy Act of 1984 — regulates cable TV data. The law covers both the personally identifiable information (PII) and the CPNI that cable companies collect. Cable companies can collect PII and CPNI to provide customers with the services they subscribe to, bill them and ensure that users aren’t gaining unauthorized reception of services. They can also collect contact information in subscriber lists unless customers tell them not to.

The CPNI that cable companies gather includes a range of data about users’ viewing habits. The law requires companies to use this data in an unidentifiable form, meaning the information is stripped of names, addresses and other similar details and so can’t be traced back to individual users.

Further Implications of Customer Control

The data collection and customer privacy landscape is changing dramatically, and companies are collecting more and more data. It’s been estimated that by 2025, 463 exabytes of data will be created worldwide every day — the equivalent of more than 212 million DVDs. This increased data volume provides new opportunities to businesses and new benefits to customers, but it also increases risk, as there’s more opportunity for data to be stolen or mishandled.

New laws, such as GDPR and the California Consumer Privacy Act, are changing how companies handle data. Companies must now make changes to their data practices to comply with these new laws. We may continue to see more rules related to protecting consumer data enacted in the coming years.

Consumer activism is also playing a role in changing the data landscape. More consumers are getting informed about their data and privacy and are advocating for new laws and protections. Many are also taking steps to limit the amount of data about them that’s available and to control the data that does exist.

Several new approaches to collecting data and ensuring privacy are emerging. On one hand, some companies have begun paying people to provide data about themselves through surveys and other methods. On the other hand, some companies promote a pay-for-privacy model in which users must pay extra to prevent them from collecting and using their information. Privacy advocates often oppose these pay-for-privacy models.

Technology is another force that is altering the data landscape. Hackers and other bad actors are using AI and other technologies to create more effective attacks. The cybersecurity industry, in turn, is creating more advanced protections to increase security and counter these new threats.

Other advanced technologies, like blockchain, also have potentially significant implications for protecting consumer privacy. Blockchain can help to increase transparency and accountability. Decentralized identity solutions, which are powered by blockchain technology, are poised to be especially transformative. These solutions allow users to prove their identity using a blockchain-powered identity wallet rather than providing personal data to every organization to which they need to prove their identity.

Can Your Customers Control Data?

How much control your customers have over their data depends on the laws that apply to your company, the options your company provides to customers and what your customers decide to do with those options. Under the law, companies in certain locations or sectors are required to give their customers more control. Some companies that aren’t subject to stricter rules may still give their customers more options for controlling their data. Even when companies offer these options, customers may or may not take them up on the offer.

Overall, the world of data privacy is shifting toward giving customers more control over their information. Laws, customer preferences, technology and new business models are all playing a role in creating this shift. Companies that are proactive about these changes now may see benefits in the future.

One way in which companies can be proactive about the changes related to data collection, privacy and protection is by ensuring their cybersecurity and compliance solutions are up to date.

BlackStratus offers several solutions that can help with this. We offer:

  • Cybershark: A comprehensive security and compliance platform hosted in the cloud
  • LOGStorm: A powerful but cost-effective solution for collecting, storing and reporting security event data
  • SIEMStorm: Comprehensive security management software

To learn more about our solutions and how they can help you manage your cybersecurity and compliance needs, explore our website or contact us today.

Rich Murphy