In November, Californians voted to pass Proposition 24, a ballot measure that imposes new regulations on the collection of data by businesses. As part of the California Privacy Rights Act (CPRA), individuals will now have the right to opt out of the sharing and sale of their personal information, while companies must “reasonably” minimize data collection to protect user privacy.
For companies like Apple, Facebook, Uber and Google, all of which are headquartered in California, these new requirements may seem like a limitation on their existing data collection capabilities.
Looking more closely, it’s a nuanced story: By not only meeting the demands of these new regulations but exceeding them, companies have an opportunity to differentiate themselves from competitors to grow their bottom line, thanks to new technologies that put data privacy in the hands of consumers.
Take Apple, the world’s most valuable tech company, as an example. When Google and Facebook — two of Apple’s largest competitors — were under fire for exploiting customer data, CEO Tim Cook saw an opportunity to turn privacy into a competitive advantage.
The tech giant rolled out a suite of new privacy-maximizing features, including a new Sign In With Apple feature that allows users to securely log in to apps without sharing personal information with the apps’ developers. More recently, the company updated its privacy page to better showcase how its flagship apps are designed with privacy in mind.
This doubling down on privacy took center stage in the company’s marketing campaigns, too, with “Privacy Matters” becoming the central message of its prime-time air spots and its 10,000+ billboards around the world.
And of course, the company could hardly resist taking the occasional jab at its data-hungry competitors:
"The truth is, we could make a ton of money if we monetized our customer — if our customer was our product," said Cook in an interview with MSNBC. "We’ve elected not to do that."
Apple’s commitment to privacy not only puts it in a stronger position to comply with new CPRA regulations; it also sends a strong message to an industry that has profited off of customer data, and an even stronger message to consumers: It’s time to respect personal data.
The growing demand for privacy
The prioritization of consumer data privacy comes out of a need to address growing consumer concerns, which have consistently made headlines in recent years. Attention-grabbing stories such as the Cambridge Analytica data privacy scandal, as well as major breaches at companies such as Equifax, have left consumers wondering whom they can trust and how they can protect themselves. And the research is pretty conclusive — consumers want more out of their businesses and governments:
Only 52% of consumers feel like they can trust businesses, and only 41% worldwide trust their governments (Edelman).
85% of consumers believe businesses should be doing more to actively protect their data (IBM).
61% of consumers say their fears of having personal data compromised have increased in the last two years (Salesforce).
It’s hard to say exactly how this trust crisis will manifest in the global economy, but we’ve already seen several large boycotts, like the #DeleteFacebook movement, and a staggering 75% of consumers who say they won’t purchase from a company they don’t trust with their data.
And it’s not just Big Tech. From loyalty programs and inventory planning to smart cities and election advertising, it’s hard to overestimate the appetite for, and effect of, using data to optimize processes and drive behavioral change.
As we look toward a new data-driven decade, however, we’re starting to realize the cost of this big data arms race: Consumers have lost trust in both the private and public sectors.
Private sector initiatives like Apple’s strengthened commitment to privacy, alongside public policy legislation like the CPRA, have the potential to not only build back consumer trust but to go even further beyond the minimum requirements. Thanks to new technologies like self-sovereign identity, companies can transform their data privacy policies, while cutting costs, reducing fraud and improving customer experiences.
The value of SSI
Self-sovereign identity (or SSI) leverages a thin layer of distributed ledger technology and a dose of very advanced cryptography to enable companies to prove the identities of their customers, without putting privacy at risk.
At its simplest, SSI is a way of giving consumers more control over their personal information. It offers a way for consumers to digitally store and manage personal information in the form of verifiable credentials, which are issued and signed by a trusted authority (like a government, bank or university) in a way that can never be altered, embellished or manipulated. Consumers can then share this information when, where and with whom they wish as a way of proving things about themselves.
While sharing digital records online is nothing new, SSI changes the game in two fundamental ways:
Organizations can capture the required data, without overcollection. Unlike the physical credentials we carry in our wallets, like driver’s licenses and insurance cards, a digital verifiable credential can be divided into individual attributes, which can be shared separately.
The classic example is walking into a bar and showing the bouncer your driver’s license to verify that you are of legal age. The card reveals the necessary data, but it also includes information that the bar has no business knowing — such as your name and address. With verifiable credentials, we can share proof of age without revealing anything else.
For sensitive cases, self-sovereign identity even allows us to cryptographically prove something about ourselves without revealing the actual data. In this case, we could provide a yes/no answer to whether we are of a legal age, without revealing our date of birth.
For individuals, data minimization represents a great stride forward in privacy. For organizations, it’s a way of avoiding the massive liability of storing and securing excess personally identifiable information.
Correlation becomes much, much harder. While there are those who say privacy is a myth and our data will all be correlated anyway, self-sovereign identity protects us against many of the leading concerns with other digital identity solutions.
For example, if we look at other tools that give us some level of data portability, like single-sign-on, there is always a concern that a single player in the middle can track what we do online. There’s a reason those Facebook ads are eerily relevant: They know every site and app we have signed into using our Facebook profile.
With SSI, there’s no one player or centralized registry in the middle. Verifiers (those requesting an identity verification) can verify the authenticity cryptographically, meaning they don’t have to “phone home” to the original credential issuer and the credential issuer has no way of knowing when, where or to whom a credential was shared. No correlatable signatures are shared, and your digital identity is truly under your control and for your eyes only.
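The two properties described above, attribute-level disclosure and verification without contacting the issuer, shown as an added sketch that is not code from the article or from any SSI product. It uses salted hash commitments and a Lamport one-time signature from the Python standard library as simplified stand-ins for production credential formats and signature schemes; the attribute names and the issuer-derived `age_over_21` claim are assumptions. Because the same signature is shown in every presentation, this simplified scheme does not provide the unlinkability the article attributes to SSI.

```python
import hashlib, hmac, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():  # Lamport one-time key pair (stdlib stand-in signature scheme)
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify_sig(pk, msg, sig):
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][b]) for i, (s, b) in enumerate(zip(sig, bits(msg))))

def commit(name, value, salt):
    # Salted digest: hides the value until the holder reveals (salt, value).
    return H(json.dumps([salt, name, value]).encode()).hex()

def issue(sk, attrs):  # issuer signs only the sorted per-attribute digests
    salts = {k: secrets.token_hex(16) for k in attrs}
    digests = sorted(commit(k, v, salts[k]) for k, v in attrs.items())
    return {"attrs": attrs, "salts": salts, "digests": digests,
            "sig": sign(sk, json.dumps(digests).encode())}

def present(cred, names):
    # Holder reveals salt and value for the chosen attributes only.
    return {"digests": cred["digests"], "sig": cred["sig"],
            "disclosed": {n: [cred["salts"][n], cred["attrs"][n]] for n in names}}

def verify(pk, pres):
    # Verifier needs only the issuer's public key; no call to the issuer.
    if not verify_sig(pk, json.dumps(pres["digests"]).encode(), pres["sig"]):
        return None
    for name, (salt, value) in pres["disclosed"].items():
        if commit(name, value, salt) not in pres["digests"]:
            return None
    return {n: v for n, (_, v) in pres["disclosed"].items()}

# Constructed sample: the derived age_over_21 claim gives a yes/no answer.
ISSUER_SK, ISSUER_PK = keygen()
LICENSE = issue(ISSUER_SK, {"name": "Alice Example", "address": "1 Constructed St",
                            "date_of_birth": "1990-01-01", "age_over_21": True})
PROOF = present(LICENSE, ["age_over_21"])
```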
As a result, the consumer benefits from better privacy and security, while businesses benefit from:
Reduced fraud, with better, more accurate data verification at the time of account creation.
Reduced friction, with a dramatically faster sign-up process.
Reduced costs, both from time savings and from smarter KYC compliance (which normally costs large banks $500 million+ each year).
Increased efficiency, with less back-and-forth verifying third-party data.
Better customer experiences, with the ability to create a personalized, omnichannel customer experience without data harvesting.
And it’s not science fiction, either. Several major governments, businesses and NGOs have already launched self-sovereign solutions. These include financial institutions like UNIFY, Desert Financial and TruWest, healthcare organizations like Providence Health and the NHS, and telecom and travel giants like LG and the International Air Transport Association.
It’s not clear how soon the technology will become ubiquitous, but it is clear that privacy is quickly emerging as the next competitive battleground. Newly passed regulations like CPRA codify the measures companies need to take, but it’s consumer expectations that will drive long-term shifts within the companies themselves.
For those ahead of the curve, there will be significant cost savings and growth — especially as customers start to shift their loyalty toward those businesses that respect and protect their privacy. For everyone else, it will be a major wake-up call as consumers demand to take back their data.