February 8, 2021

12 Ways For Tech Companies Using Consumers’ Data To Earn Their Trust

In the remote-first era of Covid-19, the potential for and frequency of cyberattacks has increased significantly. With data breaches regularly hitting the headlines, many consumers are wary of giving tech companies access to their personal data.

So how can a tech brand anticipate this and assuage the concerns of consumers who are reluctant to share personal information? Below, 12 members of Forbes Technology Council shared tips for companies that want to build trust with consumers when it comes to using their personal data.

1. Invest In Blockchain Technology

I love the idea of a blockchain-based profile that puts the control around how their personal data can be consumed completely in the hands of the user. It would be even better if such a profile could actually help the user monetize sharing of their data. - Michael Fulton, Expedient

2. Adopt A ‘Privacy By Design’ Approach

We must ensure that the collection and use of private data are intentional and explicitly communicated to consumers. If a personal data element is not required, then it is imperative that we do not collect it in the first place. Adopting a “privacy by design” approach to process and application development is a key method for maintaining compliance and building confidence with consumers. - David Stapleton, CyberGRX

3. Share Case Studies Of Brands That Trust You

Building trust is hard in general, but especially in the current, all-remote situation. One of the most effective ways to convince customers is to show them case studies of companies that already trusted you, especially well-known brands within a similar niche. - Robert Krajewski, Ideamotive

4. Apply Transparent Data Use Standards

Consumers view tech companies as independent operators, each with their own business agenda for personal data. Tech companies can create trust by creating joint, transparent standards that they apply to the use and management of personal data. With Big Tech signing on to a universal set of data use standards, consumers can better understand how their data is used. - Micheal Goodwin

5. Show That You Value Personal Data

Choose who to do business with based on how seriously they take security. That includes providing two-factor authentication and guarantees of refunds for any losses they cause. The best way to convey your serious attitude with personal data is to show that you value it. For example, give the consumer something of value in return for their data instead of just asking, “Can I have it because I benefit?” - Mike Lloyd, RedSeal

6. Work With Policymakers On Data Governance

Industry and government need to work together to create a clear, enforceable and definitive framework for data governance. With businesses all using the same playbook, consumers will have their faith restored in the use of data and how it is regulated. Not all data, nor its uses, are the same, so consumers need to ensure their data is used in a responsible and authorized way. - Sam Amrani, Olvin

7. Have A Third Party Audit Your Security

First, be sure to collect only the data that’s needed and be really transparent about how and why you are doing it. After that, you can work with a third party to periodically audit your site’s security and fix any vulnerabilities, which will likely show up as your software develops. Reiterate your commitment to cybersecurity in as many user touchpoints as you can, and you’ll be well on your way! - Nacho De Marco, BairesDev

8. Obtain Consent Before Collecting Data

Consent is critical. By relying on consent-based data collection methods, companies can collect data with the consumer’s explicit permission. Consent management databases can also help to build trust by transparently showing what consumer data is being used for and giving consumers the continuous option to remove consent at any time. - Sanjoy Malik, Urjanet

9. Adopt Policies That Favor Consumer Privacy Concerns

With its General Data Protection Regulation, the European Union is showing that consumers do actually value their privacy. So adopting policies that favor customer privacy concerns over extra profit from selling their data—and being clear about that choice—will help build trust. Be transparent. State your privacy policy clearly and in a way that the average, non-technical user can understand, and then hold to your own policies. - Saryu Nayyar, Gurucul

10. Show Social Proof On-Site

We build trust with our customers by showing social proof on-site. When your audience can see verified trust seals and reviews from countless customers, they are much more likely to trust your business. You can even grab testimonials from high-profile clients and put them on your homepage or landing pages to show that well-known people trust your brand. - Thomas Griffin, OptinMonster

11. Establish Transparency Through Clear Communication

To build trust with your customers, you must establish transparency. Are you deploying a new software update? Clearly explain why and what the new features are to your users in plain language. Do new data regulations affect how you collect and use customer data? Let your clients know right away. It sounds simple, but transparency is the foundation of trust. - Marc Fischer, Dogtown Media LLC

12. Reiterate Your Message Often

Reiterate your message as often as necessary. If your customers are concerned about their personal data within your system, every touchpoint is an opportunity to reiterate your commitment: every email, every press release and every blog post. Mention one specific way you protect their data at a time, and focus on your overall commitment to security. - Luke Wallace, Bottle Rocket

This article was published on Forbes.com

April 20, 2020

Accelerate Your Business: the Privacy Payoff

The AB-375 California Consumer Privacy Act (CCPA)¹ went into effect January 1, 2020, generating a lot of conversation among consumers and businesses. At the heart of the CCPA and similar regulations is the need to protect sensitive information. The only way to adequately protect data is with clear knowledge of all the data a business touches. The upside is that the effort required to map out the flow of data can have long-term benefits to a company if approached correctly.

There are three main ways that we can tackle privacy: Privacy as a Requirement, Privacy as an Experience, and Privacy as an Accelerator. Here’s what we mean by each one.


PRIVACY AS A REQUIREMENT

The CCPA is merely the latest in a long list of regulations that companies must comply with, and it most certainly will not be the last. Most of us are familiar with HIPAA, PCI, and GDPR by now, but the landscape continues to evolve, with new laws coming such as New York’s SHIELD Act² and existing requirements being enhanced, as with the proposed changes to the National Automated Clearing House Association’s (NACHA) Operating Rules³.

Compliance with the ever-expanding network of rules and regulations can be a challenge for most companies, and one that is understandably viewed as either a burden or a cost center. The primary focus and motivation during implementation efforts is either to avoid penalties or to protect current investments. Generally, this task ends up being one more to-do on an already overloaded employee’s day.

The most common method of compliance focuses on meeting the minimum requirement to satisfy an audit. We have all seen the dense, legalese agreements that constantly bombard us as we browse the web. A recent publication from Pew Research indicates that more than 50 percent of Americans are asked to agree to privacy policies on a weekly basis⁴. Shockingly, only thirteen percent of Americans understand most of what these policies are saying. Fifty-five percent understand only some, while thirty-two percent understand very little or none of what is being asked of or presented to them⁵. It should come as no surprise, then, that these policies are rarely read⁶, and even when they are, they are often only partially read through and not truly understood⁷.

This all works together to create a rather forgettable experience for the consumer, while leaving the company in an arguably worse position than it started in: it has incurred only costs in the effort to comply with new privacy demands while obtaining little tangible benefit. This also misses an exciting opportunity to engage with consumers.


PRIVACY AS AN EXPERIENCE

Consumers are increasingly concerned about the security of their data⁸, as well as with how that data is used by companies⁹; both are central concerns of privacy legislation like the CCPA. The traditional approach of Privacy as a Requirement is insufficient to address these concerns, but taking a customer-centric approach would have a noticeable impact.

Imagine taking something as mundane as regulatory compliance and turning it into a competitive advantage. The average American is already inundated with terms and agreements to the point of indifference. The countless drab documents we are asked to look at in the course of our daily lives are mind-numbing. By taking an approach focused on User Experience (UX)¹⁰, we can do something truly unique: stand out in a customer’s mind with our privacy policy.

Merely satisfying the letter of the law misses an important opportunity with our customer. By seeing things through the eyes of the consumer, by truly getting in touch with their motivations, we come to the understanding that there is a lot more to this conversation with the customer. We have an opportunity to build trust in our brand, a chance to shift ourselves out of the homogeneous glut of monolithic enterprises that dictate terms to faceless masses.

We have the ability to empathize with the customer and tell them with our service and products that we understand their concerns around privacy. We want to work with them in protecting their data, in being good stewards of the information that they have entrusted to us.

Great businesses are able to energize their customers this way. It becomes a key differentiator in a crowded market. When there is surprise and delight for the end user, especially coming from something normally seen as boring, it can leave a lasting impression on a customer.

As compelling as a consumer-centric implementation may be, however, there is one more approach to privacy, and this one can supercharge your business: Privacy as an Accelerator.


PRIVACY AS AN ACCELERATOR

To understand how privacy can accelerate our business, we first need to understand the nature of data debt. Data debt is related to technical debt but deals exclusively with information. Data debt contributes to waste in our organization as we struggle with things like stale data, incomplete data, and forgotten data.

Stale data can lead us to take the wrong action based on what we thought was good analysis. Incomplete data can render us unable to take action when we want to. Forgotten data is probably the most troublesome as it exposes us to risks that we are not even aware we are taking.

A quick way to think about data debt is to imagine a garage that is bursting at the seams with junk. The garage door is unable to close and there is a bicycle tire sticking out of the crack. Our lawnmower is giving us problems and we want to get to our tools to work on it, but they are buried under years of neglect.

Contrast this with an organized garage: the floor is spotless; everything is in the proper place and easily identified. Now it only takes you a second to find what you need to coax the mower back to life. It took some work to get the garage into this state, and it takes effort to keep it that way, but the long-term benefits in productivity are easily worth the investment.

In the same way, we want to pay off our data debt by organizing our data. Taking the time to audit and catalogue our data will help us uncover things like stale data, incomplete data, forgotten data, and more.

The acceleration factor kicks in when you start using the catalogue. Development teams are able to quickly identify the sources of data they need and share them with other teams such as marketing, reducing wasted effort. It aids system architecture, as you are more easily able to identify contexts and domains for your applications.

Perhaps the biggest win is “speed to compliance,” or the ease of being able to satisfy legal obligations. CCPA section 1798.130(a)(2), for example, gives a business 45 days to respond to a consumer’s request for information. The Privacy as an Accelerator mindset puts you in a position where that information is easily accessible. Or consider CCPA sections 1798.130(a)(6) and 1798.135(a)(3), which require the business to ensure that individuals interacting with consumers are fully aware of the legal requirements and are able to assist the customer with their request. Add a little Privacy as an Experience to that customer interaction and you are looking at a new Net Promoter®¹¹.

Another consideration is how we utilize data when we architect our applications. Domain Driven Design¹² is a popular methodology that advocates separating the concerns, or domains, of your applications. By adhering to this design philosophy, you can untangle some of the data spaghetti that is commonly found in enterprise systems everywhere.

Identity, for example, could be broken down into “Person”, “User”, and “Profile”. The Person domain would contain all the sensitive information: name, Social Security number, birthday, and other PII. The User domain would handle things like permissions, activity logs, and credentials: everything needed for someone to interact with a system. The Profile domain would be the public presentation of that user to the world, including things like the avatar, alias, and biography.

It is worth examining the User domain a bit more here as it will help us better understand the advantages of Privacy as an Accelerator. While there is usually debate over what constitutes PII, a more useful way to think of it would be in terms of the future requirements. PII definitions are changing and the direction is usually to include more and more under the protection umbrella.

When thinking about an application, think about what it really needs for a user to interact with it. A typical application does not need to know anything about who the user is; it only needs to work on the concept of a user. As far as the program’s algorithms are concerned, a random string is just as good as a person’s name. While we might want to display the user’s real name during the normal course of operation, if we have separated the concerns of Person and User in the system, we will be in a position to easily remove a consumer’s personal information without compromising the functionality of our application. We would then be left with a user entity that we can still interact with in our system, but that can no longer be tied back to a real consumer.
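The Person/User/Profile split described above, and the access- and deletion-request handling it enables, as an added example that is not part of the original article. The `IdentityStore` class, its field names and the sample records are all constructed for illustration; the only join key between domains is an opaque random `user_id`, so the User can keep working after the Person record is erased.

```python
"""Added example: separating Person (PII), User (operational) and Profile
(public) domains so PII can be erased without breaking the application.
All names, fields and sample values here are constructed for illustration."""
from dataclasses import dataclass, field, asdict
from typing import Dict, Optional
import secrets


@dataclass
class Person:
    """Sensitive domain: the only place PII lives."""
    full_name: str
    ssn: str
    birthday: str


@dataclass
class User:
    """Operational domain: what the application needs to function.
    user_id is an opaque random string, never derived from PII."""
    user_id: str
    permissions: set = field(default_factory=set)
    activity_log: list = field(default_factory=list)


@dataclass
class Profile:
    """Public domain: what the world sees."""
    alias: str
    avatar_url: str
    biography: str


class IdentityStore:
    """Each domain in its own table; user_id is the only join key."""

    def __init__(self) -> None:
        self.persons: Dict[str, Person] = {}
        self.users: Dict[str, User] = {}
        self.profiles: Dict[str, Profile] = {}

    def register(self, person: Person, profile: Profile, permissions: set) -> str:
        user_id = secrets.token_urlsafe(16)  # random string, not a name
        self.persons[user_id] = person
        self.users[user_id] = User(user_id, set(permissions))
        self.profiles[user_id] = profile
        return user_id

    def record_activity(self, user_id: str, action: str) -> None:
        # Logs are keyed on the opaque id only, so they carry no PII.
        self.users[user_id].activity_log.append(action)

    def can(self, user_id: str, permission: str) -> bool:
        return permission in self.users[user_id].permissions

    def export_consumer_data(self, user_id: str) -> dict:
        """Access request: gather everything held about one consumer from
        every domain in a single call."""
        person: Optional[Person] = self.persons.get(user_id)
        profile: Optional[Profile] = self.profiles.get(user_id)
        return {
            "person": asdict(person) if person else None,
            "user": asdict(self.users[user_id]),
            "profile": asdict(profile) if profile else None,
        }

    def erase_person(self, user_id: str) -> None:
        """Deletion request: drop the PII and the public face, keep the
        operational User so the system still works but the record can no
        longer be tied back to a real consumer."""
        self.persons.pop(user_id, None)
        self.profiles.pop(user_id, None)
```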

Speed to compliance and separation of concerns also translate to business agility by future-proofing us against regulatory change. Rather than the next regulation taking up valuable time and resources to tackle, you will be in a proactive position to adapt to the changing landscape. There will undoubtedly be changes that still have to be made, but the effort will be considerably less than if we were still wallowing in data debt.

A thorough map of data in your data catalogue, well-structured applications that each have their own domain, engaged teams that are trained on their responsibilities and on the tools provided by the company: each of these is an example of a practice that accelerates your company’s ability to adapt to change.


WHAT THIS CAN MEAN FOR YOUR BRAND

CCPA represents an attempt by California to respond to the rapidly evolving challenges consumers face in an increasingly connected world. There are already several other proposals on the horizon and consumer sentiment is in favor of more government intervention¹³ in the name of protecting the individual’s right to privacy.

By moving past the traditional approach of Privacy as a Requirement and into the future of Privacy as an Experience and Privacy as an Accelerator, we can position ourselves to take advantage of both positive customer sentiment as well as newfound business agility through paying off data debt.

Copyrights

Net Promoter, Net Promoter Score, and NPS are trademarks of Satmetrix Systems, Inc., Bain & Company, Inc., and Fred Reichheld.

Citations

[1]: “AB-375 California Consumer Privacy Act”, California Legislative Information, accessed April 20, 2020 https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

[2]: “New York SHIELD Act”, The New York State Senate, accessed April 20, 2020 https://www.nysenate.gov/legislation/bills/2019/s5575

[3]: “Supplementing data security requirements”, NACHA, accessed April 20, 2020 https://www.nacha.org/rules/supplementing-data-security-requirements

[4]: “A majority of Americans are asked to agree to privacy policies at least monthly, including a quarter who say this happens daily”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-01-2/

[5]: “About two-thirds of U.S. adults who read privacy policies say they understand at least some of them”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-04/

[6]: “About one-in-five Americans say they always or often read privacy policies before agreeing to them”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-02-2/

[7]: “Only a minority of Americans who read privacy policies say they read them all the way through”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-03/

[8]: “Seven-in-ten Americans say their personal information is less secure than it was five years ago”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/how-americans-think-about-privacy-and-the-vulnerability-of-their-personal-data/pi_2019-11-15_privacy_1-03/

[9]: “Most Americans are not confident that companies would publicly admit to misusing consumers’ data”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-05/

[10]: “User experience design”, Wikipedia, accessed April 20, 2020 https://en.wikipedia.org/wiki/User_experience_design

[11]: “Net Promoter”, Wikipedia, accessed April 20, 2020 https://en.wikipedia.org/wiki/Net_Promoter

[12]: “What is Domain-Driven Design?”, DDD Community, accessed April 20, 2020 https://dddcommunity.org/learning-ddd/what_is_ddd/

[13]: “Most Americans think there should be more government regulation of what companies can do with personal data”, Americans’ attitudes and experiences with privacy policies and laws, Pew Research Center, accessed April 20, 2020 https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/pi_2019-11-14_privacy_4-08/

April 20, 2017

Becoming PCI Compliant with Bottle Rocket

For mobile experiences that accept credit card payments, clients need to host data with a Payment Card Industry Data Security Standard (PCI DSS) compliant hosting provider. What’s the deal with PCI exactly? Bottle Rocket has helped clients become PCI compliant, so we’ll fill you in.

What is PCI Compliance?

PCI compliance certifies that an environment or organization follows standards that make sharing credit card data safe for consumers. The standards of PCI compliance apply to companies of any size that utilize credit card transactions. Every organization, whether responsible for or hosting cardholder data, must meet PCI standards in order to be PCI certified.

Bottle Rocket is responsible for following PCI standards for our client work that involves payments. Our policies fit PCI standards so we and our partners can acclimate easily to the most secure and up-to-date environment.

Why Do I Need to be Compliant?

Depending on your business need, there can be several reasons why PCI compliance is important. The PCI Security Standards Council defines 12 requirements for PCI compliance, but these three goals illustrate how meeting PCI standards serves the business and the customer.

  • Build and/or maintain a secure network – With a firewall and enhanced password and security measures, your entire network is safer when you meet PCI standards.
  • Protect cardholder data – By protecting stored and transmitted customer data, you earn and maintain trust for your brand…and avoid any issues with the law.
  • Maintain a Vulnerability Management Program – Developing or maintaining secure systems and applications keeps your business running smoothly in support of protecting cardholder data.

How Do I Become PCI Compliant?

There are out-of-the-box compliance solutions, but it’s best to work with organizations that have PCI experience. Businesses with one or more compliant environments that have guided others to compliance offer valuable insight. You’ll need it, because things can become complicated—quarterly system and firewall scans, evidence collection, the list goes on. Bottle Rocket helps you make sense of all these criteria to reach your PCI goals. Ultimately, you’ll also need to provide evidence that you’re protecting data.

Bottle Rocket, for instance, provides more than 100 pieces of evidence annually showing our employees who work in environments that involve payments undergo background checks, are trained in compliance, and that our network of third-party partners working with payments also meet PCI standards. We update our clients on network scan progress since we help them become and remain compliant too. For more detailed information, check out this PDF from the PCI Security Standards Council.

Email us with your PCI questions – we can help turn your questions into a secure mobile experience.

© 2021 Bottle Rocket. All Rights Reserved.