Compliance and Consent: The Privacy Factors that Help Drive User Trust

If there’s one thing we took away from this year’s RSA Conference, it’s that privacy is top of mind for today’s organizations. But how can they abide by the many emerging privacy regulations without creating tedious user experiences? The answer: by adopting secure data handling practices that build user trust—while still providing delightful customer experiences. After all, when consumers understand that you have their best interests at heart, they’ll be more likely to share their personal data, allowing you to provide tailored services that further enhance their experience.

In our previous posts in this series, we discussed how companies can build user trust across the customer journey and the role that authentication plays along the way. This post will explore the two core focus areas that are pivotal to building consumer trust through privacy: compliance and user consent.

The growing need for compliance

Organizations that handle customer data are increasingly responsible for abiding by different privacy regulations that have emerged across various regions—with widespread applicability. These include:

  • General Data Protection Regulation (GDPR): The EU’s mandate for customer data ensures that businesses have the right practices in place to respond to a data breach. It also places stricter punishments on businesses that suffer data loss and dictates that they report an incident within 72 hours.
  • California Consumer Privacy Act (CCPA): A California-based customer privacy regulation that gives consumers the rights to request all personal information collected on them in the previous 12 months, stop the company from selling their data, prevent companies passing their data onto third-party organizations, and more.
  • Children’s Online Privacy Protection Act (COPPA): Restricts the online collection of personal information of children under 13-years-old. It details what website operators should include in their privacy policies, how and when to get verifiable consent from a parent or guardian, and the responsibilities around protecting children’s privacy and safety online.
  • Health Insurance Portability and Accountability Act (HIPAA): Designed to protect all individually identifiable health information that is created, received, maintained, or transmitted electronically.

What compliance looks like in practice

The challenge for companies that serve various overlapping user groups is that they must follow more than one set of regulations. In order to respond accordingly and avoid infractions, businesses need to have robust compliance, oversight, and audit programs in place.

In practice, this means implementing policies that cover what information a company gathers and processes, why and how this information is being collected, and methods for verifying user identities. It means adopting auditing and trailing processes that provide insight into what data is gathered, how this data is accessed, and what consent customers have given. And it means deploying automated workflows that help an organization meet various aspects of compliance—like a process for automatically deleting user data upon request per the CCPA.

Customers are demanding compliance

As these regulations continue to grow in number, customers are increasingly aware of the practices companies should adopt to protect their personal data. Businesses need to be able to meet these evolving expectations if they want to maintain user trust. This can be done in three ways:

1. Maintaining the spirit of the law

The easiest thing businesses can do when it comes to compliance is communicate the steps they’re taking to be compliant. They should also inform their customers of exactly how their personal data is being utilized. In the CCPA, for instance, any personal data being collected for ‘business purposes’ could be used for auditing, detecting security incidents, performing services, providing customer service, processing payments, fulfilling transactions, and more.

If customers have clear visibility and see that the companies they patron are doing the work, they’ll be more likely to maintain their relationship with them.

2. Aligning with privacy frameworks and standards

Beyond the list of mandatory regulations, there are also global privacy frameworks that provide best practices and policies for businesses to take on as they see fit. This includes the NIST Privacy Framework, which was developed with input from the public.

3. Adopting the right tools and programs

A big step towards maintaining compliance is ensuring that a company’s tools, services, and applications are tried and tested—with the badges to prove it. Industry certifications like ISO 27001, 27002, and 27018 are all crucial for securely managing IT systems and handling personally identifiable information both on-prem and on the cloud. The CSA Star indicates that a business is proficient at handling data in the cloud, and the FedRAMP Authority to Operate offers a Federal Government stamp of approval.

Enhancing user experience (and trust) with consent

While companies have to comply with these external regulations, they’re also focused on fulfilling their own mandates and generating revenue. To do so, they need to deliver unhindered customer experiences that encourage the adoption of their services. For digital service providers like Spotify, Netflix, and Uber Eats, this means being able to use customer data to make personalized recommendations and provide tailored user experiences. But in order to maintain trust and remain compliant, companies first need to get consent for how this data will be used.

To make this process unobtrusive and effective, companies should consider developing clear and transparent messaging that communicates the need for consent, explains how the data will be used, and outlines how this will improve the user’s overall experience with the brand. These communications should also be supplemented by robust tools that manage and monitor user consent and preferences, centralize and automatically share policies and notices, and conduct automated requests that don’t impact user experience.

Remember, if a customer gives their consent for their data to be used in a certain way, that does not constitute a rubber stamp of approval to disseminate their information. Consent should be given and enacted upon within the parameters outlined by existing privacy regulations.

Build trust while remaining compliant

Customer trust relies on a number of different features across a user’s experience with a brand, and privacy has become a significant component. By having the infrastructure in place to comply with emerging regulations while also effectively requesting and abiding by user consent, companies can strengthen the trust their users have in their offerings.

For more information on how to enhance user trust, check out the following resources: