Privacy by design presents a business case that is very difficult to understand. Typically privacy falls under the rubric of compliance (i.e. we have to do it to comply with the law). Rarely do companies willingly engage in privacy practices. Why? The business case. What is the bottom-line benefit? How do you quantify privacy in dollars or euros? Businesses aren't willing to spend extra money up front on extra engineering if they can't see a tangible return later down the line. Over the last 15 years that I've been following privacy issues, it's clear to me and many others that very few consumers will pay more for privacy. So why invest in it unless you have to?
As this InfoLawGroup blog post points out, the benefit is in brand differentiation. Consumers may not pay for privacy, but when given the choice between equivalent products or services, one that preserves privacy and one that doesn't, they will choose the privacy-protective option. In addition to instituting privacy by design, any company must make its privacy-protective ways obvious to consumers. They do this by following the fourth principle of PbD, visibility and transparency. This entails not just putting their convoluted privacy statement (that no one reads) front and center but giving users information as close to the point of data collection as possible. The study upon which the InfoLawGroup post was based relied on the rarely used P3P policies, integrating them with search results to put privacy information up front before consumers invested their time and energy in a site. The study suggests that companies wanting to use privacy as a brand differentiator should be blatant about their policies and not bury them.
Returning to the business case, it's going to be hard to quantify, though companies with the resources could emulate the study or use focus groups to identify how pushing privacy could increase customer confidence and make customers choose their brand over a competitor's.
To quote from Ernst & Young’s top 11 privacy trends, “Organizations that ignore the importance of protecting personal information from outside — or inside — will suffer more than financial penalties. They may also see their reputation damaged and their brand negatively impacted.”