Would you trust your credit card data to the grocer?
Let’s imagine for a minute...
You are running short of ingredients for the evening meal and you won’t make it to the grocery on time. Luckily, there’s a little shop at the end of the street; they are open until late and they cover the basics... You hurry to get there before closing time, get whatever you need, and head to the counter to pay. But before you know it, you realize you left your wallet at home! There’s a young woman behind the counter, certainly a new hire because you’ve never seen her before. A bit annoyed, you start apologizing, explaining it's late and you were in a hurry, you’re a regular, you will pay next time... but she swiftly replies, “No worries, Chris, I know who you are!” You’re baffled: how does she know your name? “And”, she says, “do you remember about 6 months ago when you paid with your credit card because you were out of cash? We still have your card number on file, I’ll just take the money from your account if that’s ok with you! Oh, and I can send you the receipt via email”...
Really, how would we feel if unknown merchants knew us by our name, if they kept a log of all our visits, a trace of all our transactions and whatever information they could glean about us, all of this without telling us? But isn’t this exactly what we allow for every company or organization on the internet when we blindly consent to cookies?
Of course, it is practical for a website to keep some information about our visits, for example to store our language preference or to spare us from re-entering the same info over and over again. But how do we know that they are only collecting what is needed and useful, not keeping traces of our behavior, context, devices, geolocation and whatever else they DON’T need to provide their service? And how do we know that they are not giving away this valuable information to others without our explicit consent? Because, let’s be honest, who bothers to read the fine details behind the consent button? Who takes the time, for every single website, to answer the detailed consent choices?
The question is, how do we know that a company is being ethical and fair with our data? That is, that they’re only collecting what they need, not keeping it for longer than needed, protecting it well, not transferring it to others, etc.
Unfortunately, the answer to this question goes well beyond mere GDPR compliance: this is all about trust... and trust takes more than a consent button! Trust requires transparency (clear information/knowledge of which data are collected and how they are being used) and the capability to control the usage of such data.
Whilst we should expect every company or organization dealing on the internet to put trust mechanisms in place, we cannot expect every user to delve into the details of such mechanisms. Therefore, similar to ISO 9000 for quality, or FairTrade for ethical and responsible commerce, we believe certification, labeling, and audit and control mechanisms are required to guarantee ethical and fair usage of our data, and thus to regain “data trust” in the companies we deal with.
Want to know more? Check out our talk at Open Belgium 2020 on the 6th of March.