Balancing Risks: Big Data & Consumer Privacy

The driver doesn't see the spilled payload on the dark road ahead, but his car does. Calculating  vehicle speed, road conditions and distance to the debris, the built-in auto-safety feature applies the brakes, easing to a safe stop. The car behind it does likewise, as does the following truck.

At a retail store the next day, the same driver browses the aisles, from new electronics to patio furniture, before buying a few dress shirts. He returns to his car not knowing that the retailer has been tracking him through the location sensor in his smartphone, logging how much time he spent in each section and the path he walked through the store.

It's the duality of Big Data. Today’s constant stream of consumer data—via mobile devices and the growing ecology of everyday connected gear known as the Internet of Things (IoT)—give companies unprecedented insight into, and potential benefits for, customers, but also comes with risk, in terms of privacy. In a recent report, Morgan Stanley looks at how companies need to find a balance between the sensitivity of the consumer data they collect and the benefit to consumers of the products and services for which the data is used to develop.

“Consumers will need to decide when they are comfortable for their data being used, and companies will need to be clear exactly how they are using their data," says Victoria Chapelow, an analyst with the Sustainability equity research team. She also cautions: “As consumers are given more rights over their data, companies will need to be aware of the 'value exchange' to ensure that it isn’t tilted toward the company, as this could reduce consumers' willingness to share data."

The amount of data available to companies in recent years has skyrocketed. About 40% of the world's population now has an Internet connection, vs. 1% in 1995, notes Chapelow. Every online excursion leaves a data trail. Additionally, the IoT—networks of sensors attached to everything from cars, and appliances, to wearable technology that can transmit and receive data—continues to mature and expand into more sectors.

While some industries have only just begun to tap into the full potential of Big Data, others—particularly the media—have deeply integrated it into every aspect of their business models. Online consumers, for example, may receive targeted ads based on location, browsing history, or other data. Medical device and technology providers also use Big Data to improve the effectiveness and safety of their products, providing a more direct benefit to consumers.

The data that companies collect to help spark these developments ranges from the relatively mundane details, such as a consumer's preferred supermarket or a car's position on a road, to the highly personal, such medical or financial history. Over the past few years, the aggressive use of data that many consumers consider private has led to a backlash for some companies. 

Consumers aren’t just worried about how companies may use their personal data. In a growing number of high-profile corporate cybersecurity breaches, hackers have stolen some of the most sensitive data that consumers have, including identification numbers, passwords and financial information. Several studies indicate that the increase in the number of such breaches is far outpacing growth in corporate security spending.

The IoT also offers new vistas for hackers; some IoT-enabled devices have already been breached. Chapelow cites IoT security as a major concern, given the significant growth of connected items, the amount of data collected, the diverse software involved, and the lack of standards governing IoT security.

Consumers' reaction to breaches may well depend on the sensitivity of the data stolen. “We see some evidence of consumers changing their behavior after a data breach. This tends to be driven by the type of data and therefore, the sector," says Chapelow. “Consumers tend to be more sensitive to loss of financial and healthcare data."

Some regulators have moved to put stricter rules in place. Mandatory corporate notification of breaches to local data-protection authorities is a key plank of the European Union's General Data Protection Regulation (GDPR), which will take effect in May, 2018, and significantly affect how companies collect personal data. The GDPR will require companies to ensure that consumers give clear consent to the collection of their data, and that they understand how the data might be used. Consumers will also have the right to opt out of data collection and request that companies erase all their personal data. Violators risk fines of up to 4% of annual global revenue or €20 million (approximately $21.5 million), whichever is higher, far more than the current level of fines for breaches.

“Companies do not appear to be ready for the new legislation," says Chapelow, citing surveys indicating that many corporate senior executives are unaware of the details of the new regulation. “As such, we see the GDPR as a material risk to reputation, customer retention and, thus, competitive advantage for most companies."

Indeed, says Chapelow, companies that can offer their customers greater peace of mind and confidence when it comes to data privacy and security could bolster their brand value and customer base.

For Morgan Stanley Research on Big Data and consumer privacy, ask your Morgan Stanley representative or Financial Advisor for the full report, “Big Data & Consumer Trust – How Much Do You Value Your Privacy?" (Mar 23, 2017) Plus, more Ideas.