This column is part of Globe Careers' Leadership Lab series, where executives and experts share their views and advice about leadership and management. Follow us at @Globe_Careers. Find all Leadership Lab stories at tgam.ca/leadershiplab.
A number of high-profile cases involving violations of online privacy have raised public alarm. Home Depot made headlines in 2014 when a massive theft of its consumer credit and debit card database affected more than 56 million customers. And Target was in the spotlight a few years ago for sending a teenage girl coupons for baby gear – before her parents even knew she was pregnant.
Fuelling the trend is the fact that, from a consumer perspective, the risks of sharing our information online have increased exponentially – but this is not widely recognized. To make a fully-informed decision about what information to should share online on any given occasion, a fully-rational consumer must go through three important decision-making steps.
First, she needs to employ the appropriate mental model to think about 'information sharing' as a risky prospect – similar to the risks of contracting disease on exposure to contaminated food, the risk of a side-effect after consuming medication or the risk of losing money when trading in risky assets.
Second, she needs to use available information to quantify the risk and identify the possible outcomes. There is usually limited information to enable this, but a lot of information in disclosures and privacy policies exists that would allow her to identify harmful outcomes.
Third, the consumer would need to integrate the 'identified risk level' with the 'outcome information' to arrive at a judgment as to whether the benefits of sharing her information exceed the potential harm. Unfortunately, decades of research show that most humans lack both the cognitive apparatus and the motivation to go through these steps, for three reasons.
1. We are limited processors of information.
2. We are highly susceptible to cognitive laziness.
3. We are increasingly displaying impulsive behaviour online.
These thinking deficiencies can be thought of as 'cognitive gaps,' and a simple way to think about them is to treat them like physical deficiencies – say, for instance, a broken ankle. In such a scenario, once corrective action has been taken, two things must happen: the now-handicapped person must be provided with a mobility device and work with a physiotherapist to strengthen the injured area; and the patient must be placed in a safe environment to minimize further injury.
Both of these concepts can be applied to 'cognitively-handicapped' online consumers. In terms of equipping the consumer, the first step is to sensitize people to the notion that sharing information online constitutes a potential risk. Nutrition is similar to consumer privacy in that the benefits and consequences are intangible, hard to assess individually, and delayed in time. Yet the food industry has done a good job in sensitizing people to health risks, via nutrition labelling: a standardized format facilitates comparison between food items, standardized language provides common terminology, and the briefness of the labels enable consumers to quickly find what they are looking for. A similarly simple, standardized privacy label could serve as a useful tool to help consumers easily assess and compare risks in the digital space.
To make the online environment safer, one example of a padding strategy would be to set the defaults on online websites to the highest level of consumer privacy. Similarly, the default setting on mobile devices might be to 'turn location devices off.' A second tactic might include the use of reminders or decision points to nudge users about the potential risk associated with sharing information online.
It is important to focus privacy efforts not just on consumers, but also on the providers of online content. For example, firms could offer products or services that explicitly make consumer privacy a central part of their value proposition. If consumers begin to recognize the importance of privacy and have the ability to measure the privacy quality of a given company, there would be increased demand for higher levels of security – which in turn might push privacy as a central value proposition for all online businesses.
Restaurant hygiene grade cards are an example of how this could work. When Los Angeles County introduced grade cards to be displayed in restaurant windows, its health inspection scores increased, consumers became more sensitive to food hygiene, and the number of hospitalizations due to food-borne illnesses dropped by 13 per cent. The grade cards were successful in convincing restaurants to incorporate hygiene as an important value proposition in their business. Likewise, we believe that the use of 'privacy badges' or a privacy-rating system would nudge businesses to create a safer environment for their customers.
If consumer groups work with governments and businesses to build up the three pillars described herein – equipping consumers, padding the environment and making privacy a core value of business – the data revolution can deliver on all of its promises without compromising the safety of the consumers who are enabling it.
Reprinted with permission from the Winter 2016 edition of Rotman Management, published by the University of Toronto's Rotman School of Management. rotmanmagazine.ca