1.4 Data Privacy

You are starting to get an idea of how value is added from business data analytics. But recent history has taught us that diving too deeply into the remarkable capabilities of machine learning and analytics without balancing these strategies against a resolve for consumer privacy and ethical data management can be a costly mistake.

Privacy and ethics build consumer trust and enhance the reputation of a business. When consumers believe their data is handled responsibly, they are more likely to engage with the business. This is one reason that companies clearly communicate their data use policies in letters and emails.

Adhering to privacy laws and regulations is mandatory. Non-compliance can result in significant fines, legal actions, and loss of business. There have been over 4 billion (USD) in GDPR (discussed next) fines (https://www.eqs.com/compliance-blog/biggest-gdpr-fines/) thus far with Facebook (Meta) getting the top two.

Besides honoring the law, ethical data practices are about doing what is right. This includes obtaining explicit consent, minimizing data collection, and ensuring data security. There have always been unintended consequences of data collection as will be discussed more later. Data should only be used for the sole purpose that it was collected. Companies must avoid misusing sensitive information.

Importantly, poor and unethical data practices can be exposed when data breaches inevitably happen. If hackers break into a company database, and the world sees their lack of ethics, they lose customer trust and suffer massive financial losses.

To hammer these principles home, let's review relevant privacy regulations and examples of (un)ethical data uses.

Privacy Regulation

In the United States, health data is protected by the Health Insurance Portability and Accountability Act (HIPAA). It apples to healthcare providers, insurers, and their business associates in the US. HIPAA protects sensitive patient health information from being disclosed without the patient's consent or knowledge.

The Children's Online Privacy Protection Act (COPPA) applies to websites and online services directed at children under the age of 13, and to operators of other websites or online services that knowingly collect personal information from children under 13. COPPA requires parental consent for the collection or use of personal information from children. It mandates privacy policies and practices to protect children’s privacy and safety online.

The Family Educational Rights and Privacy Act (FERPA) is a federal law in the United States that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions, including banks, insurance companies, and investment firms. It requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Includes the Financial Privacy Rule and the Safeguards Rule.

The Fair Credit Reporting Act (FCRA) applies to consumer reporting agencies, users of consumer reports, and furnishers of information to consumer reporting agencies. It regulates the collection, dissemination, and use of consumer information, including credit information. Ensures accuracy, fairness, and privacy of information in consumer reporting.

The Electronic Communications Privacy Act (ECPA) applies to electronic communications service providers and users. It protects wire, oral, and electronic communications while being made, in transit, and when stored on computers. Includes the Wiretap Act, the Stored Communications Act, and the Pen Register Act.

The Driver’s Privacy Protection Act (DPPA) applies to state Departments of Motor Vehicles (DMVs) and those who have access to DMV records. It restricts the disclosure and use of personal information obtained from motor vehicle records, with certain exceptions.

These are only a few of the US federal laws regarding data privacy. There are many, many state level laws governing the collection, management, and sharing of personal data that companies must be aware of, and adhere to, if they operate in those states.

If companies want to do business outside of the US, there are many more regulations to be aware of. Most significantly, the General Data Protection Regulation (GDPR) applies to all European Union (EU) member states and organizations handling the data of EU residents. It is a comprehensive set of regulations covering data protection principles, rights of data subjects, and obligations of data controllers/processors. Similar regulations exist in Canada with their Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil with their General Data Protection Law (LGPD), and Australia with the Privacy Act.