Fairness and flexibility: Citizens Advice Bureau go right to the source

Mydex CIC were delighted to read the recent report Fairness and flexibility: making personal data work for everyone, published by the Citizen’s Advice Bureau. This report does not stand alone. In the last year and a half alone, we have responded to over 10 consultations and papers concerning personal data, consent and making the digital ecosystem work. The number of events around personal information has accelerated massively, the MyData 2016 conference in September along with Ctrl-Shift’s Personal Information Economy 2016 seeing a big turnout and engagement from some of the world’s largest brands.

Getting to the source

Despite this great increase in interest — not to mention the call for compliance with the imminent implementation of the new GDPR regulation — this new report from Citizens Advice stands out from the crowd. It provides an important perspective that has largely been ignored: how people really feel. For the first time, the CAB has started with the individual — giving a unique perspective, untainted by the agenda of those that have the data today, or want the data in the future.

Continuing the trend from their excellent previous paper — Personal data empowerment: time for a fairer data deal? — the report focuses on the most important element in personal data: the individual. Drawing on new research with consumers themselves, it reflects the main concerns they voice regarding digital trust, control over their data, accountability, and their relationship with service providers. As they say, their research “addresses [the] insight gap” (3) in terms of how consumers themselves experience the digital ecosystem.

We will reflect on the core themes of the paper, which align closely with our ideals at Mydex, and aim to contextualise these in terms of how these concerns can be alleviated not in the future, but today.

Accountability and the status quo

“There’s just no point — what can I, or even we, do against the likes of Google?” (12), reads one of the quotations from a research participant. We have previously discussed the inaction of individuals due to the status quo: a combination of a lack of tools, the convenience of ‘free’ services and the size of established digital monoliths. As the report points out, big digital brands are some of the most significant in people’s lives — particularly young people. Despite this, the ability for individual consumers to hold these organisations responsible when they have misgivings about their use of data is next to non-existent.

Measures are being taken to address this imbalance. The GDPR seeks to place tighter controls over what organisations can do with an individual’s data once they have agree to the terms of service. Data could become more protected, more portable for the individual, and use of data more transparent — but is this enough? Many companies and service providers are also seeking external ‘trust marks’ to display their commitment to the correct handling of personal information. The criteria for certification vary, from using stringent certification criteria (e.g. our own Mydex Trust Framework, the Fair Data certification, or tScheme) to peer-to-peer style review systems that rely on the community to enforce standards.

The idea of trust frameworks and accreditations aims to create ‘cross-brand’ seals of approval that demonstrate to consumers that a particular organisation adheres a particular sent of data handling and management principles. As trust becomes the central theme of many digital brands’ value proposition, these accreditations — able to develop faster and with more agility than regulation and legislation — are expected to pick up momentum, many of them gaining valuable status as respected and trustworthy.

The benefits do not extend only to the individual, however. Trust framework and accreditation schemes can also help organisations to become compliant with upcoming regulatory changes, such as the GDPR, which is to be implemented in May 2018. Going through the accreditation process could save organisations significant amounts of time and money with regard to compliance, as well as providing them with a valuable means of differentiating themselves in a way that consumers can understand.

We expect to see these kinds of frameworks become popular as big brands begin to realise that being a household name is no longer a free ticket to trust amongst individuals who are beginning to make more concrete demands about the use and handling of their information online.

Understanding the relationship

Not only are people making more demands in terms of the handling of their data, they are also becoming more aware of the exchange taking place when they sign up for online services. Consider this observation from the report (11):

As the convenience and reach of digital technology increases, so does dependence and with it the sense that it could all be ‘too good to be true’. There is a concern that perhaps nothing is actually really free and that there will be consequences for them.

The era of the interactive web that we are currently experiencing is built upon ‘free’ services. The vast majority of the biggest online platforms offer their services for no monetary fee. The current consent model — where a new user consents to the terms and conditions of a company at the point of signup — allows an organisation to share and ultimately to monetise its users’ data without their knowledge. Not only this, but this setup traditionally offers no means of recourse in terms of updating what data is shared and with whom in the future (not including self-posted data in the context of social networks).

This can, legally, be defended by the existence of supporting clauses in the terms and conditions that an individual agrees to — but invariably doesn’t read — in their rush to sign up for a service. As one participant in the report points out however, they “read them but you still don’t have a choice about what you’re signing up to”; or put perhaps more succinctly by another participant, “they’re a joke; no-one could understand them” (14). Indeed, a contract between two parties that can only be understood by one of them doesn’t seem to constitute a fair relationship.

As the report then points out, claims that individuals do not have any interest in understand their relationship with organisations are — certainly in the present day — not watertight (14):

…it is important to see this not as a lack of willingness to understand the relationship, but more of a lack of confidence in their abilities to do so given the complexity of terms and conditions. It is also clear that the terms and conditions, as currently designed, does not work for many consumers.

There is a clear call for a relationship between organisations and individuals that is conducted on a level playing field; that is, a relationship that everyone can understand.

Seeing through the facade

An important part of this ‘equal’ relationship is the ability for consumers to know what is happening to their personal data. Transparency is key. Those well versed in the changes brought by the GDPR will know that transparency is high on the agenda, with organisations having to provide more detailed information, more often, on how the customer, user, citizen’s personal data is used and will be used.

In her inaugural speech as Information Commissioner at Ctrl-Shift’s PIE2016 event, Elizabeth Denham reinforced this message, saying that “transparency is top of the list”, and stating her belief that “it’s not privacy OR innovation — it’s privacy AND innovation”. The full text of her speech has been published on the ICO website.

But there is more to what Commissioner Denham said than just the agenda of the ICO going forward. She expressed an increasingly popular sentiment in no uncertain terms: “however wide the range of possibilities there is a single common inescapable factor. Consumer trust is essential to achieving growth.” The findings of the CAB report corroborate this theory, and indicate an important change in consumer thinking (19):

“Consumers feel that terms and conditions and privacy policies which communicate how their data is used, are overly complex, and adopted to discourage understanding of what they are signing up to.”

If it were plotted on a graph, the importance of trust to individuals vs. the amount of trust they report to have in organisations are diverging greatly. Addressing this balance, whilst not having an obvious first-degree return like new features or a change in pricing, is an essential building block, without which other plans around new relationships with individuals will most likely fail. As the report explains (21):

If brands were more transparent about the value they get from consumer data, it would allow the people to have a better sense of their worth in the value exchange. This, by itself is not necessarily empowering, but it will allow a more honest relationship, which is a prerequisite to building trust.

The message is ultimately simple: building your interactions with individuals around trust and transparency will open up a wealth of opportunity as well as save a massive amount of time and money. It is an easy to way to ensure compliance with upcoming regulation, it’s a good means of ‘future-proofing’ your organisation, and most of all, it is essential if you want individuals to feel any sense of loyalty to your organisation. People are waking up, they are learning, and they are more discerning than ever. Trust is the big opportunity for brands to be on track for the next era of digital.

Liz Coll, the main author of this report, has now left the Citizens Advice Bureau and taken on an exciting new role in global digital consumer rights at Consumers International. We thank her for this report and wish her great success in her new position working on a global stage. You can keep up with Liz on Twitter via @elcoll.