Security awareness

Consumer data, who owns it and who protects it?

Brooke Satti Charles
January 17, 2024 by
Brooke Satti Charles

This article was co-authored by Karla V. Daugherty, CIPM, Director, Data Protection and Privacy, WILEY.

We live in a globalized, digitalized world. We stay connected through social media, instant messaging and voice-over-IP apps. We use health apps to track our steps, heart rate and sleep cycles. We take free surveys to get access to our daily horoscope. We gamble, engage in fantasy football, March Madness brackets and play online video games. We spend trillions of dollars annually on online purchases. These are just a few places where we willingly provide an organization or service with our private and personal information.

The various types of consumer data collected (i.e., personal, engagement, behavioral, etc.) can be used in many ways. For example, when an organization understands your buying behavior, they can send you targeted advertisements. If an app is experiencing bugs and crashing, the data collected can help development teams create stronger tech.

With all this data being captured and used, whose job is it to keep your data private and safe? This question is both easy and complicated to answer. On one hand, it is everyone’s job (including you, the consumer) to keep data private and safe. We control how much information we want to share and who we share it with. Once we share our data with an organization, it becomes their job to protect it. This is accomplished through data governance, which includes proper data management, consumer data privacy and data security.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

Given that it is everyone’s job to keep data safe, how do you understand an organization’s practices with the data, what data they will collect and how they will secure it once they collect it? This is where transparency notices come in. It is important that, as a consumer, before giving data to an organization, we educate ourselves on their practices. That information can be found in the privacy notice, which should be clearly posted online and include information such as what data is being collected, how it is being used and how it is being kept secure.

It is easy to assume that data privacy and data security are the same. While connected, they are different and play a unique role in keeping your data safe.

What is data privacy? 

Data privacy is the protection of personal data from those who should not have access to it and the ability of individuals to determine who can access their personal information.

When many refer to data privacy, they refer to the appropriate usage, storage, retention, access and protection measures of data within an ecosystem. It is generally associated with personal information (PI) and sensitive personal information (SPI). However, laws and regulations are broadening to include non-sensitive personal information as well as engagement and behavioral data.

  • Sensitive personal information (SPI): Information directly connected to an individual, such as Social Security number, full name and email address
  • Non-sensitive personal information or personal information: Information that is easily accessible and could be found in public records such as date of birth, phone number, etc.
  • Engagement data: Information collected when a consumer engages with social media, a website or a marketing campaign (i.e., website visits, click-through rates (CTR), social engagements through likes, comments, shares, etc.)
  • Behavioral data: Information collected on how a consumer interacts with a website through purchase history, abandoned carts and subscription renewals/cancellations

Who owns consumer data? 

“The world’s most valuable resource is no longer oil, but data.” — Clive Humby

Therefore, the question of who owns consumer data is both interesting and contentious. The ownership of this data is slippery and consistently evolving.

We tend to think of data as property, believing that we, the consumer, have the right to mandate how it is used. The organization where we share our data believes it is their property to control, manage, retain, learn from, etc. According to Cameron F. Kerry and John B. Morris of Brookings, Treating data like property fails to recognize either the value that varieties of personal information serve or the abiding interest that individuals have in their personal information even if they choose to ‘sell’ it. Data is not a commodity. It is information.” They state that “personal information is in demand precisely because it has value to others and to society across a myriad of uses.” 

Therefore, no one “owns” consumer data. Instead, we should all view ourselves as data stewards. In viewing ourselves as data stewards, mindsets should shift. Data is no longer a commodity to exploit but rather a tool to safeguard and learn from within the confines of mutually agreed-upon data usage terms. It is important to remember that there are people behind all the data we collect and use. 

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Over the course of the last decade, we have seen a shift in the regulatory landscape to reflect these views. The most impactful was the passing and implementation of the General Data Protection Law (GDPR) in the European Union (EU) in 2018, and since then, many other countries and states have followed suit with similar regulations, all of which focus on consumer or individual rights. 

With an increase in regulations and more informed consumers, it is now more important than ever for organizations to implement data governance and risk frameworks to truly understand data flows, new technologies (such as generative artificial intelligence (GAI)), security of data and compliance with regulatory obligations. Without robust programs like these, truly understanding your data and doing the right thing becomes impossible. 

Whose job is it to protect consumer data?

We look to the government to enact laws and regulations to enforce the protection of data. We look to companies and organizations to properly handle, store and protect our data. And we need to look at ourselves as stewards and protectors of our data. Everyone plays a role in the protection of data. It is a shared responsibility!

As consumers, we opt to share our data every time we leverage a tool or service where data is collected. We are the first line of defense. We decide if we believe an organization, platform, social media or website is worthy of attaining and storing our data.

Once we pass our information to those organizations, they have a duty to secure and protect it. This is usually done through a data protection framework. This framework consists of elements of data privacy and data security. This is accomplished by creating internal policies that align with laws and regulations that focus on how organizations collect, store, manage, share, retain and delete data. This step in the process generally falls on the data privacy teams because there is no privacy without security

The next step is the application of data privacy policies and ensuring that data (at rest or in transit) is protected from unauthorized access, exploitation, fraud or theft. This phase is generally covered through information security and cybersecurity best practices.

The final piece of a data protection framework is security awareness training. It is extremely important to create a data security strategy that remembers to educate teams. Human error is always a threat to an organization. Keeping your teams trained on privacy and data handling best practices reduces the risk of accidental data mishaps.

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

Education also falls to consumers as well. Understanding your rights and obligations is important, which means you can no longer just pass your data blindly. With data being the most valuable resource, it is crucial to understand who you are giving it to, how it will be used and how it will be protected.

Final thoughts on consumer data privacy

No one truly owns consumer data, but it is everyone’s job to protect it. Consumers must be vigilant in what data they share and where they wish to share it. Organizations must protect consumer data by implementing data governance, data privacy methodologies, contractual obligations and security solutions.

Consumer data is a valuable commodity that can uncover deeper insights that bring great value to organizations. The management of consumer data can lead to positive or negative outcomes. Strong data protection, with transparent data handling information, can elicit deep confidence, respect and trust in your product or services, which every organization should strive to attain and maintain. In the current landscape of more informed consumers, increased regulatory obligations and new technologies such as GAI, appropriate data governance, data privacy and security strategies are market differentiators crucial to corporate strategy.

Brooke Satti Charles
Brooke Satti Charles

Brooke Satti Charles is the Director of Risk and Compliance at Cengage Work. She is a problem solver, a decision maker, and a strategic and creative thinker. She enjoys finding (and fixing) the needle in the haystack to achieve aggressive and targeted business and financial objectives.

She has over 18 years of experience developing, implementing and managing business transformation initiatives built to identify and mitigate risk, drive organizational maturity, and bridge the gap between information technology and business.

Her expertise spans diverse industries and organizations, including the insurance sector, financial services, information technology and education. Her specialties include conducting comprehensive research and analysis to provide business-enhancing solutions, engaging stakeholders in cross-functional and international roles to formulate and deploy implementation plans, identifying and tracking financial crime and security trends, and developing intelligence products using dark web and open source research.