Data privacy research reveals “reputation timebomb” waiting to blow up for many brands

Measures taken by companies to protect consumers' data are “not working” and are exposing brands to massive reputational risk, according to research commissioned by law firm Schillings.

The study found that company data practices, often owned by marketing and IT teams, are falling short of legal requirements, and in some cases are harming customers by contributing to incorrect online profiles. 

The report, commissioned by Schillings and conducted by cross-party technology think tank, Demos, tracked volunteers as they attempted to reclaim and delete the personal data companies held about them. In doing so, researchers uncovered widespread data ethics challenges at large numbers of companies.  

The study found that up to 65 per cent of companies did not respond to data requests, despite this being a legal requirement under GDPR. Processes to help consumers take control of their data – e.g. cookie banners – “actively seek to dissuade” people from restricting their data permissions. ‘Accepting All’ cookies on websites often includes consent for data to be sold to data brokers – with brands unable to control how this data is then used, exposing them to supply chain risks. Volunteers were “stunned” and “scared” by how widely their data was spread and sold by companies – with one volunteer discovering that 2,242 companies were using their ‘off-Facebook’ interactions to target them with advertising. Volunteers also found inaccuracies in the data profiles created about them online, which can cause real-world problems in scenarios such as applying for credit.

The report concludes that controlling your data footprint online is virtually impossible and the idea that individuals can is “a big lie”.

To create the report, Demos, with support from consumer rights company, Rightly, worked with volunteers to discover how far information about them had travelled online, and how it had morphed along the way.  

Volunteers were helped to exercise their Right of Access (the right under GDPR to ask companies if they are using your personal information and for copies of what they hold) and The Right To Erasure (the right to ask for that data to be deleted – also known as the right to be forgotten). 

The research found a deeply frustrating and confusing process, and an inconsistent picture across data requests to companies. Responses varied dramatically: of all the access requests put out, rates ranged from 65% of companies not responding to one volunteer, to just 10% not responding to another. Under GDPR laws, companies are required to respond to consumer requests, but many did not, or made the process difficult and time-consuming. 

The study also found that processes put in place to help consumers have more control over their information online in fact made them more likely to give it away. The biggest gateway to personal data for most users is the GDPR-compliant ‘cookie banners’ – but Demos concluded that the banner’s design often actively sought to dissuade users from changing data permissions “through nudges to incentivise you to agree to the most permissive settings”. 

The study also found that “accepting all” on cookie banners frequently gave companies permission to sell consumer data on to data brokers – creating a black hole in their ability to protect customer data.

“One of the biggest problems right now is companies gathering enormous amounts of data on people, selling it off to data brokers and even they don’t know where it ends up,” commented one volunteer. 

They added that this made them question whether they wished to continue buying from that company, explaining: “It’s not necessarily that I don’t trust them as a brand not to misuse my data – it’s the fact that I don’t know who they’re selling it to and who that broker is selling it on to.”

Study volunteers were also surprised by the inaccuracy of profile information companies had compiled about them based on their online activity. This ‘propensity data’ is intended to help advertisers target users who are most likely to be interested in their products. However, this data is also used to make decisions which have far-reaching ramifications in the real world, such as whether an individual would qualify for a mortgage or credit card.  

“Our study shows that we’re in the middle of the largest privacy crisis in history and there is a reputation timebomb waiting to blow up many brands,” said Allan Dunlavy, Partner at Schillings. “Brands that are intentionally or inadvertently misusing our data could suffer a serious impact to their reputations, customer base and revenue. We are in a situation where many companies are holding consumer data, not giving people their legal right to access it, and then selling it on into a system they have no control over. The burden is currently on the consumer, rather than the business, to change this but we see the tide turning against companies that are not helping consumers.” 

Dunlavy added that much of the issue was born out of the pandemic. “For many companies, the rush to move to an online business model during the pandemic resulted in shortcuts being taken,” he said. “We are seeing a lot of data privacy codes of practice overlooked despite the best of intentions – with many companies often unknowingly contravening data legislation through poorly set up processes. But with privacy becoming a key focus for consumers, companies need to take these issues more seriously.  

“It’s time every company took a long, hard look at how confident they are of their data ethics. This is a strategic reputational problem that needs addressing in the boardroom – not in isolation by a marketing or IT team.”

Volunteers from the study can be seen in the 40-minute documentary, ‘Accept All: Unacceptable?’, also commissioned by Schillings, which is now available to view on YouTube. The film sets out to answer the question: Why should we care about online privacy?