Customer Privacy and Consent Best Practices

Security teams have been focused on protecting their customers and their business for quite a while now, but the job is never finished. Bad actors are always finding new ways to exploit IT infrastructures, and they aren’t interested in slowing down. As digital commerce and operations have shifted online, so have the bad actors. Nobody is holding up banks anymore; all the fraud now happens online. 

To make matters a bit more complicated, customer privacy and consent have also grown in demand, and they often fall on security teams to implement. This adds yet another set of requirements that these teams have to learn, implement, track, and update, often requiring a consent management platform (CMP). And it’s not a simple switch that can be turned on. Privacy and consent requirements vary by region, regulatory standards, customer preferences, and other factors.

Long gone are the days when convenience was the main customer driver. “You’d like access to all of my personal data for one-click access? Sure, why not, what’s the harm?” Do you still wonder what happens to those pictures you upload to social media sites and who ultimately owns them? For the longest time, it seemed like social media companies owned them, but fortunately, this trend is starting to shift as customer concern about privacy and data collection continues to grow. And the main driver of this shift is often companies’  bottom line. Customers don’t do business with companies they don’t trust, especially when there are numerous substitutions available just a few clicks away. 

Customer preferences are always changing, and it’s vital to keep up with them. Otherwise, you might lose touch with what your customers expect from you as a business. Consumers speak with their wallets and, sometimes, reviews. So why do customers care about privacy and consent all of a sudden? Well, there are two reasons: increased phishing and annoying marketing. Plus, governments around the world are also stepping in big time with privacy laws that aim to protect their citizens. 

Increased Phishing

Data breaches are on the rise, but they’re often spun as harmless since no credit card information or social security numbers are stolen, which means no financial harm is done. But instead, breaches leave personal customer information in the hands of bad actors, who then use that data for more effective phishing or try to access company accounts by using personal customer data to bypass security verification steps. Personalized phishing attempts are more effective. Customer personal information being shared with so many parties has increased the attack surface on customer data, putting customers at risk and making them more susceptible to fraud. 

Annoying Marketing

With so many unauthorized third parties having access to customer data, unwanted marketing outreach and annoying marketing are prevalent. You can barely call it marketing since it requires little thought and creativity. Is it cheap marketing or just spam? Fortunately, many services we use today have spam blockers, but some spam still gets through. Have you ever wondered, how did this service get my email? How did this telemarketer get my phone number? Why am I getting all these unwanted texts? It’s probably because your personal data was shared with other parties without your consent. It’d be nice to have the ability to see who has access to your data and possibly even revoke that access from certain parties, right? We’re not there yet, but that’s the goal. Also, how long are cookie consent and pop-ups going to last? They’re on their last legs, right?

Data Privacy Regulations

To accelerate the protection of customer privacy, governments are stepping in with privacy laws such as GDPR in the EU, CCPA in California, CDR in Australia, and many others. Governments have started to require organizations to implement privacy and consent management tools into their websites and mobile apps. If not, then hefty fines, penalties, and bad press follow. Data privacy laws vary a little but have the same goal in mind. Also, new laws are often added that require organizations to be flexible in order to stay compliant. We’ll cover a few of these privacy regulations in more detail later in the blog. First, though, let's learn about a few cases where companies didn’t have the best privacy and consent practices, got caught, and were penalized for it.  

Italian energy company Enel Energia was hit with a significant fine of €26 million by the Italian data protection authority, Garante, for violations of GDPR. Enel Energia was cited for hundreds of complaints about unsolicited sales calls made without customer consent. The calls targeted users not listed in the phone directory or those who opted out of sales promotions. Additionally, the company delayed responding to customer requests for access to personal data and objections to data processing for marketing purposes, with some feedback disappearing entirely.

Instagram, owned by Meta, was fined €405 million by Irish regulators for violating children's privacy. The fine resulted from a long-running complaint about the lack of protection of children's data, particularly their phone numbers and email addresses. Some children reportedly upgraded to business accounts unknowingly, which made more of their data public. Child-safety-online advocates, such as the National Society for the Prevention of Cruelty to Children (NSPCC), view this fine as significant, emphasizing how effective enforcement can protect children and their privacy on social media.

Zoom Video Communications reached an $85 million settlement to resolve a class-action lawsuit related to user privacy issues and "zoombombing," which is when unauthorized individuals disrupt video meetings. The lawsuit accused Zoom of sharing user data with Facebook and failing to prevent zoombombing. As part of the settlement, Zoom agreed to implement changes to improve data privacy and security, including additional encryption measures and clearer information provided to users about data-sharing practices.

Customer identity and access management (CIAM) solutions provide key capabilities that help you not only comply with regulatory standards but fundamentally transform how you see your customers. CIAM helps you turn the challenges of adhering to privacy regulations, consent processes, data access and authorization, and application security into a unique opportunity to build customer trust. 

European Union’s GDPR

​​The General Data Protection Regulation (GDPR) has been one of the most significant worldwide pieces of consent collection and data privacy legislation for more than 20 years. By establishing strict controls on how organizations handle personal and sensitive information, GDPR ups the ante on data protection. The EU regulation imposes a series of technical and other requirements on any organization that sells or markets to EU citizens, even non-EU entities, and the consequences for non-compliance are steep. 

Leading organizations see much of GDPR compliance as an extension of their existing customer experience or “know your customer” initiatives. This approach has the significant advantage of moving beyond compliance to improved trust and engagement with your organization’s most valuable asset–your customers–and toward transparency regarding the use of personal customer information. 

No matter where your organization is located, if you market or sell to EU individuals, or if you collect or process EU citizen data, your organization must be GDPR-compliant or risk facing hefty fines: up to 4% of your global annual revenue or €20 million, whichever is greater. And keep in mind that personal data is defined very broadly. For instance, even if an EU citizen does nothing more than browse your website, that browsing data may be considered personal data and therefore require user consent.

California’s CCPA 

California Consumer Privacy Act (CCPA) grants consumers more control over the information businesses collect, and it imposes penalties on businesses that do not comply. No matter where your company is located, you are regulated by CCPA if you do business in California and meet at least one of the three following criteria:

• You’re a for-profit company with annual gross revenues of at least $25 million

• You’re a business that buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices

• You’re an organization that gets at least 50% of your annual revenue from selling consumers’ personal information

Failing to fix any violations within 30 days may result in significant financial liability as CCPA grants both a civil and a private right of action. With regards to the former, the California Attorney General may bring an action against a company for up to $2,500 per negligent violation, and the fine increases to $7,500 per intentional violation. Additionally, the private right of action grants citizens the right to sue for statutory damages of $100-$750 per data breach incident if a company fails to maintain reasonable security. 

CCPA protects consumers who are California residents by giving them the right to access and control their personally identifiable information (PII) that companies collect, store, and sell. PII is broadly defined as any information that can be linked to a particular consumer or household. This includes identifiers like name and address as well as browsing history, behavioral data, and more, but it does not include information that has been de-identified. CCPA goes beyond the PII definition imposed by GDPR to include household information as well as individual consumer information. CCPA requirements are spelled out in the legislation’s articles, and many of these articles relate to how data is collected, stored, accessed, modified, transported, secured, and erased.

Australia’s CDR

Consumer Data Right (CDR) in Australia is a regulatory framework that aims to provide consumers with greater control over their personal data and enable them to securely share it with trusted third parties. The CDR has been introduced in the banking sector and is being extended to other sectors, such as energy and telecommunications. The primary points of CRD are: 

• Data Access. Data holders, which are usually businesses that hold consumer data, are required to provide consumers with easy-to-use mechanisms to access and share their data securely. They must comply with strict privacy and security requirements to protect consumer data from unauthorized access and misuse.

• Privacy. The CDR emphasizes robust privacy protections to ensure that consumers have control over their data. It incorporates principles of data minimization, consent, and purpose limitation, which means data can only be used for the specific purpose it was shared for.

• Consent. CDR requires explicit and informed consent from consumers before sharing their data with accredited data recipients. Consumers must be fully aware of what data they are sharing, with whom, and for what purpose.

• Individual Rights. Consumers have the right to access specific categories of their data, such as transaction history, account information, and product usage data. Consumers can then share this data with accredited third-party providers they trust.

• Incident Reporting. Both data holders and accredited data recipients have obligations to report any data breaches promptly. This includes notifying the affected individuals and the Australian Information Commissioner.

Brazil’s LGPD

Brazil's General Data Protection Law (LGPD) is a comprehensive data protection legislation that governs the processing of personal data in Brazil. The main objective of the LGPD is to protect individuals' fundamental rights to privacy and their personal data and to ensure the transparency and accountability of organizations that handle such data. The regulations apply to any organization that processes personal data, regardless of where the organization is based, as long as the data processing activities are related to individuals located in Brazil or data collected within the country. Non-compliance with the LGPD can result in significant fines and penalties, which can range from warnings to fines of up to 2% of the organization's revenue, subject to a cap of 50 million Brazilian reals per violation. The primary aspects of LGPD are:

• Protection of All Data Types. Covers all types of personal data, which include any information that can identify an individual directly or indirectly. This includes names, identification numbers, IP addresses, geolocation data, biometric data, and any other information that could be used to identify a person.

• Data Security and Privacy. Organizations are required to implement security measures to protect personal data from unauthorized access, breaches, and other security incidents. 

• Cross-Border Data Transfers. If personal data is transferred outside of Brazil, it must be done in compliance with the LGPD. Adequate safeguards or specific legal mechanisms, such as standard contractual clauses, must be used to ensure the protection of personal data during cross-border transfers.

• Consent. To process personal data lawfully, organizations must have a valid legal basis, such as obtaining explicit consent from the data subjects, fulfilling a contract, complying with a legal obligation, protecting the data subject's vital interests, or fulfilling the organization's legitimate interests.

• Individual Rights. The LGPD grants data subjects various rights, including the right to access their personal data, correct inaccurate information, delete data, and obtain information about the data processing activities performed by the organization.

There are quite a few benefits to being a good steward of customer data. Avoiding hefty fines is a good motivator to get things started, but there’s more to it than just abiding by the law. It’s similar to providing good customer service. If your customers enjoy their experience, then they’ll come back and spend more money, and maybe even recommend your brand to their friends. 

Customer Trust and Loyalty. Believe it or not, your customers genuinely care about data privacy – it's a high priority for them. Studies reveal that unauthorized data sharing is a major turn-off, even surpassing the fear of data breaches. And guess what tops their tech concerns? That's right, data privacy takes the crown. It’s like finding a good car mechanic. If you’re lucky to find a mechanic you trust, you’ll be a loyal customer for a lifetime. 

Enhanced Security Posture. Privacy and consent practices significantly bolster your cybersecurity. You reduce your attack surface by centralizing customer data, ensuring only the right stakeholders have access to it, and consistently monitoring user activity. Privacy is all about ensuring appropriate access to data, which is exactly what identity and access management platforms are built for. 

Scale Your Business Globally. And here's the exciting part – privacy compliance goes beyond borders. It gives you an international edge, as data protection knows no boundaries. When you implement privacy and consent best practices, you become a global data guardian, elevating your brand on the world stage.

Change is hard. Implementing new technologies and adding new features to your IT infrastructure is difficult, and it takes time away from other priorities. Plus, doing something new often leads to mistakes. Let’s review a few of the main obstacles and shortfalls of deploying privacy and consent so you won’t run into any surprises and can be better prepared. 

Inadequate Consent. The baseline level of consent in the past is no longer sufficient. Instead of implicit or opt-out consent allowed in some cases, your customers must give unambiguous consent via a statement or clear action, such as marking an online checkbox or filling in an online form. As a data controller, the organization is required to demonstrate that the request for consent has been presented in a clear and intelligible manner. 

An even higher standard of explicit consent is required if you collect special categories of data. In addition, consent is required in a wider range of scenarios than ever before. For example, user browser data is considered personal data, necessitating explicit agreement for data capture. If your enterprise does not yet support such activity, you will need to update your environment. 

Silos of Data. Consider a customer who is shopping via your business website. Your company may be storing browsing data in an analytics system, other lead data in your e-commerce system, purchase history in an order management system, and credentials and other identity data in yet another system. This siloed data makes adhering to compliance requirements such as data access and portability much harder to carry out. Also, it is unlikely that all these disparate systems adhere to data protection and security by design requirements. 

Lack of Authorization. Not only is it a good business practice to limit application access to customer identity and profile data needed for the app to function, but most regulations essentially require that organizations create specific policies to limit applications’ access to any unnecessary customer data. Businesses that have not done so already must adapt and enforce data access processes on an app-by-app basis via centralized data access governance policies that take consent, privacy preferences, and corporate requirements into consideration. 

Limited Self-service Access. Do your customers have access to preference management tools to self-manage their profiles and preferences? Are these preferences consistently enforced across all devices and channels? Does your organization have the ability to easily store and retrieve different types of preference data, both structured and unstructured? If your organization answers “no” to any of these questions, you will find yourself having to beef up customer self-service access to comply with privacy regulations. 

As always, your resources are limited and you have other stuff to get done. So you don’t have to boil the ocean, let’s review a few of the important privacy management and consent features. Finding a balanced approach always helps. 

Customer Consent and Communication Preferences. Safeguarding your customers' privacy is more than just a regulatory obligation; it's a fundamental pillar for building unwavering trust. In today's data-driven world, providing customers with the autonomy to decide how their personal information is shared and their preferred communication methods is a powerful way to demonstrate that you value their privacy and respect their choices.

Every customer is unique, and their approach to sharing information varies. Some customers are open books on social media, embracing the digital spotlight, while others prefer a more discreet approach, keeping personal details close to their chest. By offering them the freedom to tailor their privacy settings, you empower them to feel in control of their data, which can deepen their sense of trust in your organization.

Data Retention and Reporting Capabilities. Ensuring the security of your customers' personal data is paramount. One critical aspect is guaranteeing that their data resides only in the region where they are located. Additionally, you need a well-thought-out plan for data retention to address the question of how long to keep their information. Failing to implement these considerations into your customer identity management solution can make answering such inquiries challenging, especially during audits.

The key to success lies in reliable reporting capabilities and a robust data security strategy. By having a well-defined approach in place, you can meet data residency requirements and cater to your customers' privacy preferences. This proactive stance empowers you to safeguard data, maintain compliance, and establish a bond of trust with your customers.

Delegated User Access. Shared accounts can be a practical solution for many families, whether it's for insurance plans or bank accounts. However, setting up access control and permissions can become a cumbersome task. Ensuring that your kids don't have the same access as you is essential to maintain privacy and security.

The solution lies in providing a smooth and secure IAM experience for your customers. By offering a user-friendly system, your customers can easily authorize and delegate access to their family members. With proper IAM implementation, families can manage their accounts effortlessly, customizing access for each member while keeping sensitive data protected. By empowering your customers to manage shared accounts effectively, you build trust and reliability in your services. 

Robust CIAM solutions offer key capabilities including data consolidation, consent capture and management, data access governance, and end-to-end security that will help your organization meet privacy use cases. In addition, CIAM best practices help make compliance efficient and cost-effective through consolidation of data, improved control and governance of your data, and fast integrations, while improving security and streamlining the user experience.

But organizations whose goals exceed mere compliance will be the real winners, as they deliver secure, seamless experiences across all channels and devices, resulting in increased customer trust, engagement, and loyalty.

The PingOne Cloud Platform is designed to provide key capabilities that help meet privacy and consent technical requirements out of the box. Our leading CIAM solution can transform a privacy compliance challenge into an opportunity to get closer to your customers, building trust, loyalty, and engagement along the way.

Step 1: Capture Consent

Capturing customer consent should be done very early in the customer onboarding process, typically during registration. For added convenience, you can leverage a progressive profiling feature and capture consent the next time a user authenticates to log in. The goal here is to provide your customers with privacy and consent options and allow them to select their preferences. Customers can opt-in via a registration form and be able to make changes anytime in customer preferences or settings. 

Step 2: Store Consent

Once customer consent and preferences are captured, you should have a way to store those preferences. Storing consent preferences alongside your customer attributes is recommended. This provides your organization with a unified directory where all customer information can be obtained, allowing for consistency and reducing the sprawl of customer data in other siloed data stores. The added benefit is that it also reduces the attack surface, as your customer data isn’t replicated in various places. 

Step 3: Enforce Consent

The last step is to enforce consent. Centralized authorization policies provide fine-grained access control that uses real-time context about your customers and resources. With easy drag-and-drop controls, your admins can quickly make changes and edits. Compliance is ensured by streamlining the management of data privacy and consent with automation. For example, authorization policies will restrict a loan officer to accessing only the customer information required to evaluate and approve a loan application, and nothing else about that customer. 

Looking Past the Immediate Horizon

Decentralized identity is a new and quickly approaching concept that gives customers the ability to control their own identity and personal data. It gives the ultimate control of privacy and identity data back to your customers. It lets you verify IDs, documents, and identity claims like driver's licenses and issue digital credentials based on those. Users can share their digital credentials with organizations to quickly and effortlessly prove who they are without you having to store personal customer data. Instead, personal data always resides with the customer, the first-party user. 

Recent high-profile privacy abuses have made customers wary of how companies are using their personal information. They are increasingly reluctant to provide their data and increasingly worried about what’s being shared without their knowledge. These attitudes are reflected in the diverse geographic, industry, and corporate privacy regulations we see today.

With the right CIAM solution, you’ll be able to provide secure, cohesive customer experiences through SSO and a high-performance, scalable, unified profile that is accessible across all applications and channels. It should build the trust of your customers by providing centralized authorization policies that enforce customer consent and adhere to privacy regulations. And it should allow customers to easily register and to view and manage their account information, data-sharing consents, and preferences to facilitate a personalized experience across channels. To learn more, check out our privacy and consent web page. 

Contact us if you have any follow-up questions, or check out our PingOne for Customers solution to learn more about capabilities and solution packages to ensure customer privacy and security.