In the information age, data management ethics is a growing concern for businesses.
Nearly every aspect of our lives can be commodified in the form of user data. We are compelled and encouraged to share personal information so regularly that most of us hardly register it.
Participating in society now requires trading data to access essential services, programs, and goods. Nearly every system and business we depend on is built on leveraging that data. Navigating this reality and weighing ethical implications is no easy task for business leaders — but it’s vital. Here’s what you need to know.
Once given to data brokers, there’s no telling whose hands sensitive information might end up in, or how it might be used. We all know and accept that advertisers want as much information as possible to serve more relevant ads to their target audiences. That’s no surprise.
But what happens when personally identifiable information, religious or political affiliations, geolocation data, and social connections are all accessible to whoever will pay for it? What are the implications when that information could put individuals at risk?
This is precisely what the FTC is asking in its federal case against geolocation data broker Kochava. According to Ars Technica, the complaint alleges the company sells a substantial amount of sensitive identifying information and precise geolocation data without their users’ knowledge or consent.
The data is allegedly not anonymized and easy to link to specific individuals, harming consumers “by invading their privacy and by causing ‘an increased risk of suffering secondary harms, such as stigma, discrimination, physical violence, and emotional distress.’"
Big tech companies have seen a notable uptick in data requests from government entities in recent years, according to a recent article published in Forbes. Data from Surfshark indicates that between 2013 and 2022, governments around the world have steadily increased their requests for information from Apple, Google, Meta, and Microsoft, “with 2022 seeing an increase from 1.6 million to 2.2 million—a rise of around 38%.”
In 2022, 147 governments worldwide requested user data from the tech giants. “Between them, U.S. and the EU authorities request data the most, accounting for 58% of all accounts of interest from 2013 to 2022. The U.S. accounted for nearly 3.3 million user data requests.”
Privacy legislation varies regionally, and policy changes are easy to miss if you aren’t following the conversation closely. Compliance with regional privacy laws is often complex. Failing to take it seriously can be costly, though, so it’s worth it to be proactive. Keep tabs on evolving policies to ensure your business is legally and ethically handling consumer data.
The Harvard Business Review outlines several examples of data mishandling that resulted in legal consequences and negative social attention. Among them was Clearview AI’s practice of selling access to its facial recognition databases to law enforcement without giving its users the opportunity for informed consent, or verifying the accuracy of their algorithm.
This violated the Australian Privacy Act, gaining unwelcome attention in 2021 when the country’s regulatory body ruled against them. As a result, Clearview AI was required to stop collecting and to remove existing photos taken in Australia.
Even if the purpose of a data request isn’t hidden or nefarious, the method of obtaining and releasing that data matters.
Businesses can protect their customers and their own interests by prioritizing a few ethical practices. The Harvard Business Review explores these in depth in their Ethics article. They advise focusing on five critical issues: “the provenance of the data, the purpose for which it will be used, how it is protected, how the privacy of the data providers is ensured, and how the data is prepared for use.”
Here's how you can address these challenges in your business:
Know where data came from and verify that it was obtained legally.
Ensure that informed consent was given by the user.
If data is being repurposed, make sure the original source of the data would agree to its use for a different purpose than was announced or implied.
Be clear about how you’ll protect user data, and establish clear guidelines for how long it will be kept and who is responsible for destroying it.
Establish who will have access to identifiable information, how data will be anonymized, and who will have access to the anonymized information.
Know how data is cleaned and how data sets are combined to preserve anonymity.
Be transparent about how the accuracy of your data is being verified and improved when necessary.
Have a plan for managing missing data and variables.
Put a cybersecurity plan in place to handle potential data breaches. Make sure you train your team to adequately handle those, too, and regularly review your cybersecurity practices.