Camilla Winlo, Head of Data Privacy at Gemserv, discusses consumer data behaviour, and why putting people at the heart of innovation is the key to success in digital feature adoption rates.
Regarding consumer data behaviour, a frequently asked question is – why do people not use the features innovators create? A 2019 Pendo report1 found that software companies invested up to $29.5 bn in features rarely or never used, and that 80% of features in the average software product are hardly ever used.
There are a number of reasons why feature adoption rates are so low. They may not be widely useful. They may not be easy to find. But they may also not be trusted, and that is the issue we will explore in this report.
The trust gap in consumer data behaviour
In 2018, consumer organisation Which? published its policy paper ‘Ctrl, Alt or Delete? The Future of Consumer Data’, a survey with more than 2,000 UK participants, created to allow adults to understand their attitudes to the way in which their data is used. The survey highlighted that people generally fall into four categories.
Which? found that:
“19% of the population are taking considerably more action than others to restrict what data can be observed about them and ‘dirtying’ their data by putting incorrect information in forms and using separate email addresses for organisations they do not want to receive communications from.”
“24% of the population are characterised by how much more they take advantage of the shortcuts afforded to them online than others (for example saving their bank details in forms and logging into other services using their social media.”
Perhaps surprisingly, Which? noted that “there is a relative lack of a relationship between attitudes and behaviour.” In other words – those choosing to lock down their data are not necessarily those who are considered ‘anxious’ and those who use shortcuts are not necessarily ‘liberal’.
Innovators who want to improve feature adoption and consumer data behaviour should take this very seriously. User-centred privacy is an approach that organisations can apply to understand how different groups of users feel about features, address any concerns they may have, and recognise the potential impact of user behaviour such as providing dirty data.
What is user-centred privacy?
User-centred privacy is an approach to design that recognises that different individuals will be affected in different ways by the same processing activity. It is an approach that is at the heart of data protection laws such as the General Data Protection Regulation (GDPR).
The GDPR requires organisations to behave in certain ways when designing and improving processing activities. It requires them to carry out data protection impact assessments (DPIAs) to analyse the risks to individuals and design controls to mitigate those risks. It gives individuals the right to explain the impact of a processing activity to them, and to prevent the processing taking place or having their data removed from a dataset. It requires organisations to provide user-friendly information to help users understand how and why the organisations want to process their data so that they can make informed choices.
However, at present few organisations have a mature approach to this. Issues we see include treating DPIAs as a form to fill in just before launch, and after all the design decisions have already been taken. Data Protection Officers (DPOs) rarely have direct access to product and service users, with any focus groups and research typically managed by marketing or customer service teams. Privacy information is provided as a ‘one size fits all’ notice that is rarely drafted in the brand’s tone of voice and even more rarely takes into consideration the questions users might have about how their personal data is processed.
By contrast, applying a user-centred privacy approach means improving the project team’s understanding of the user’s hopes and fears in respect of the processing, ensuring that they are addressed throughout the build, to communicate with them in a way that is clear and builds trust. Doing this is not simply a more effective approach to compliance – it is also likely to improve feature adoption rates.
User-centred privacy in practice
Applying a user-centred privacy approach requires project teams to consider four pillars.
The goal for the user-centred privacy approach is to ensure that users and organisations understand the risks arising from the processing, the choices users want to make, and the controls that need to be available to help them to do that.
There are two pillars to this approach: information flows and operational delivery.
Information flows
There are two core information flows required for user-centred privacy. First, user insights need to be received by the organisation. Project teams should consider how they can capture user insights. These may be surprising. At a recent Gemserv webinar discussing user-centred privacy in practice, Philippa Harvey of the Cabinet Office described how she sought user insights from participants at the recent COP26 climate change conference, to ensure individuals felt safe to participate in person.
Harvey ran a series of Q&A sessions, and uncovered a range of concerns – such as fears that Covid tests amounted to providing DNA samples to the government – that were not anticipated by the project team. She was clear that had she not taken such a structured approach to capturing user insights, participation rates would likely have been lower and therefore the impact of the conference could have been reduced.
The other core information flow follows naturally from the user insights. Having identified the hopes and concerns of individuals, organisations then need to address them in a transparent manner, so that users can see how their hopes and fears are taken into consideration. This may require more than simply updating the privacy notice, and we would recommend considering how the ‘7 Ps of Marketing’2 might contribute to a consistent and transparent message. These are:
- Product – do the benefits of the feature outweigh the perceived risks?
- Price – if the product is free or very inexpensive, will people be concerned that collection of their personal data is part of the business model?
- Place – are there places the feature should and should not be associated with?
- Promotion – what messages around data privacy should be included in sales and marketing materials?
- People – are different user groups affected in different ways by the processing?
- Process – how should processes be designed to address users’ hopes and fears?
- Physical Evidence – what do users need to see and experience in order to trust that they can use the feature with confidence?
At the same webinar, Beverley Adams-Reynolds, the Data Protection Officer for homelessness charity Crisis, described how they built in privacy while trialling the use of targeted online advertising as part of their Christmas fundraising campaign. Crisis considered the different ways their service users might be affected by the use of tracking cookies in comparison with their donors. They decided to ensure that cookies were only dropped from appropriate pages that were unlikely to result in detriment to visitors and tracked metrics to test whether the intrusion was justified by the outcomes, in order to improve consumer data behaviour.
Operational delivery
The goal for operational delivery is to ensure that the design of the service or feature incorporates data protection by design and default, as required under the GDPR. There are two aspects to this. First, the foundational design needs to address the user insights gathered through the project development phase. Then, organisations need to review user complaints and requests to identify any further user insights and make adjustments where appropriate. In order to do this, organisations must have appropriate processes in place to identify, capture and escalate complaints and requests relating to data privacy.
We recommend that organisations consider:
- How data privacy can be incorporated into user insight sessions
- The training frontline teams receive to support them to recognise and act on insights
- How complaints and requests are logged
- What management reporting is produced based on the logs
- How ongoing feature maintenance is resourced.
User-centred privacy could be your source of competitive advantage
Organisations that understand how to make data privacy an innovation enabler have a competitive advantage at present. There are clear actions that organisations need to take in order to do this, and if truly incorporated into programme management methodologies, there is likely to be very low or no incremental cost associated with it. If your organisation is looking at how it can improve feature adoption, we recommend including this approach within your strategy. To find out more about how Gemserv can support you with this then please get in touch.
References
- 2019 Feature Adoption Report Digital.pdf (pendo.io)
- McCarthy 1960; Booms & Bitner 1982
About the Author:
Camilla is an experienced leader of data privacy consultancy teams. Key achievements include winning Best Privacy by Design at the DMA Awards, and Best Privacy and Data Ethics Initiative at the DataIQ awards, both for work with WarnerMedia and DQM GRC.
She is a regular media commentator noted for her commercial, pragmatic, and strategic view of data privacy issues. Prior to moving into data privacy, she was a senior marketer and part of the leadership teams that launched three new financial services brands to market in response to regulatory change. Camilla has almost a decade of experience of commercialising regulatory change, including as part of the leadership team, developing and launching three new financial services businesses. She specialises in data protection, privacy by design, compliance and regulation as well as marketing, financial services and professional services compliance.