The Privacy Perils of Data Overload: Understanding and Mitigating the Privacy Risks of Hyper Data Collection
In an era marked by rapid technological advancements, organizations are collecting data at an unprecedented speed and scale. This “Hyper Data Collection” of personal data, driven by motives such as identity verification, age verification, and customer personalization, has created extensive data dossiers on individuals. While such practices can enhance service delivery and user experience, they can also inadvertently introduce additional privacy risks to organizations that may not be prepared to make the necessary changes to mitigate these new risks. The accumulation of newly collected personally identifiable information (PII) may require an update to existing data risk strategies and resources for its protection, juxtaposed with the increasing regulatory demands for transparency and minimizing data collection. This article delves into the privacy perils associated with Hyper Data Collection and outlines strategies for organizations to mitigate these risks.
Risk #1 - Bypassing the Importance of Actual Knowledge
Hyper Data Collection often accumulates vast amounts of data, sometimes without a direct or actionable purpose. This overshadows the fact that companies may have collected so much information that they may already have “actual knowledge” of the information they need to take action on Data Privacy issues needed for decision-making processes. For example, in 2022 US Federal Trade Commission (FTC) fined WW International, Inc., formerly known as Weight Watchers, and a subsidiary called Kurbo, a family weight loss app, 1.5 million dollars for improper data collection and handling of data for children under the age of 13. For example, a child may have created an account where they confirmed to be age 13 or over, but the evidence was found where users, through their use of the app over time with additional data being provided to have given the company enough “actual knowledge “ for the organization to have been able to ascertain that some children on the site were not 13 and over as initially claimed. For example, a child may have entered the app as if they were 13 or older but talk about their 8th birthday party on the app. Regulators are increasingly using companies Hyper Data Collection practices against them and making them more accountable for all the data they collect including the “actual knowledge “ they may have due to Hyper Data Collection, to ensure they follow Data Privacy regulations.
Here are some Strategies for the Mitigation of “Actual Knowledge” Data Privacy Risks:
Implement data minimization principles, ensuring that only data with a clear and necessary purpose is collected
Enhance data governance policies to prioritize the collection of actionable, relevant data over sheer volume
Regularly audit data collection practices to eliminate redundant or irrelevant data collection efforts
When dealing with data in sensitive data categories or sensitive groups like children, organizational processes should be developed to take advantage of the ability to analyze the “actual knowledge” that organizations possess about individuals
Risk #2 - Collecting Data Without a Clear Purpose
The Hyper Data Collection practice of collecting data indiscriminately, without a defined objective, not only dilutes the usefulness of the data (for example, it is harder to find a needle in a haystack when you are creating a bigger haystack) but also exposes organizations to unnecessary privacy and security risks. Hyper Data Collection creates an increased data management burden without the benefit of actionable insights or purposeful utility. For example, as of January 2024, up to eight states in the US have “age verification” laws, and some of these states require that adults, not children, submit their identity documents like a driver's license to prove they are of legal age to consume content on websites that have at least 30 percent of its content made for adults. The result of this data Hyper Data Collection of identity documents from adults will be that organizations that may never have needed to collect PII in the past now will need to do so to comply with these new laws while these organizations may not be well equipt to protect the identity data they collect and maintain. Also, how long is that data retained once the identity process has been completed? Will this data be used for other purposes? How will the data I provide be protected? These are all valid and vital questions that organizations should answer as they collect more personal data.
Here are some Strategies for the Mitigation Risk of Collecting Data Without a Clear Purpose:
Establish clear data collection policies that define the purpose of data collection activities upfront
Train staff on the importance of purpose-driven data collection to foster a culture of privacy by design
Use privacy impact assessments to evaluate the necessity and impact of data collection practices on privacy
Create an “end of life” data strategy that has triggers for when data is no longer needed
Make clear what your data retention strategy is to anyone who provides personal data to your organization
Risk #3 - Creating Unnecessary Privacy Risks
The more personally identifiable the information collected, the higher the privacy risks for individuals. For example, when organizations create a login customer journey when a user wants to make a purchase or sign up for a service, they should ask themselves what information is required to complete the transaction and why the data is required. If collecting someone’s email address and phone number is unnecessary to provide goods or services, then make this information optional or eliminate this data request to greatly reduce your organization’s risk of collecting and retaining this information. The tendency to do Hyper Data Collection necessitates increased efforts in determining what should be collected and why to help organizations greatly minimize Data Privacy and Data Protection Risks.
Here are some Strategies for Mitigation of creating Unnecessary Privacy Risks:
Consider collecting only the data vital to complete transactions by default. and only collect data that is needed
Adopt data anonymization or pseudonymization techniques to protect PII if applicable for downstream data uses
Ensure compliance with global data protection regulations (e.g., GDPR, CCPA) to align data collection practices with legal requirements
Engage in transparent data collection practices, including clear communication with data subjects about the use of their data and the measures taken to protect it
The phenomenon of Hyper Data Collection presents a dual-edged sword for organizations. On one hand, it offers the potential for improved identity verification, enhanced customer experiences, and operational efficiencies. On the other, it introduces significant privacy risks that can undermine trust and lead to legal repercussions. Organizations can mitigate these risks earlier by adopting a more measured, purpose-driven approach to data collection while still leveraging data for meaningful insights and rapid advancements. The key lies in striking a balance between data utility and Data Privacy, ensuring that the pursuit of data does not come at the expense of individual rights and protections, and helping organizations make Data Privacy a Business Advantage.
