© Phil Sharp/Getty Images

April 2020

Risk Practice

The consumer-data opportunity and the privacy imperative

As consumers become more careful about sharing data, and regulators step up privacy requirements, leading companies are learning that data protection and privacy can create a business advantage.

by Venky Anant, Lisa Donchak, James Kaplan, and Henning Soller


As consumers increasingly adopt digital technology, the data they generate create both an opportunity for enterprises to improve their consumer engagement and a responsibility to keep consumer data safe. These data, including location-tracking and other kinds of personally identifiable information, are immensely valuable to companies: many organizations, for example, use data to better understand the consumer’s pain points and unmet needs. These insights help to develop new products and services, as well as to personalize advertising and marketing (the total global value of digital advertising is now estimated at $300 billion).

Consumer data are clearly transforming business, and companies are responsible for managing the data they collect. To find out what consumers think about the privacy and collection of data, McKinsey conducted a survey of 1,000 North American consumers. To determine their views on data collection, hacks and breaches, regulations, communications, and particular industries, we asked them pointed questions about their trust in the businesses they patronize.

The responses reveal that consumers are becoming increasingly intentional about what types of data they share—and with whom. They are far more likely to share personal data that are a necessary part of their interactions with organizations. By industry, consumers are most comfortable sharing data with providers in healthcare and financial services, though no industry reached a trust rating of 50 percent for data protection.

That lack of trust is understandable given the recent history of high-profile consumer-data breaches. Respondents were aware of such breaches, which informed their survey answers about trust. The scale of consumer data exposed in the most catastrophic breaches is staggering. In two breaches at one large corporation, more than 3.5 billion records were made public. Breaches at several others exposed hundreds of millions of records. The stakes are high for companies handling consumer data: even consumers who were not directly affected by these breaches paid attention to the way companies responded to them.

Proliferating breaches and the demand of consumers for privacy and control of their own data have led governments to adopt new regulations, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in that US state. Many others are following suit.

The breaches have also promoted the increased use of tools that give people more control over their data. One in ten internet users around the world (and three in ten US users) deploy ad-blocking software that can prevent companies from tracking online activity. The great majority of respondents—87 percent—said they would not do business with a company if they had concerns about its security practices. Seventy-one percent said they would stop doing business with a company if it gave away sensitive data without permission.

Because the stakes are so high—and awareness of these issues is growing—the way companies handle consumer data and privacy can become a point of differentiation and even a source of competitive business advantage. The main findings of our research are presented below. We then offer prescriptive steps for data mapping, operations, and infrastructure, as well as customer-facing best practices. These can help companies position themselves to win that competitive advantage.

A matter of trust—or a lack thereof

Consumer responses to our survey led to a number of important insights about data management and privacy. First, consumer-trust levels are low overall but vary by industry. Two sectors—healthcare and financial services—achieved the highest score for trust: 44 percent. Notably, customer interactions in these sectors involve the use of personal and highly sensitive data. Trust levels are far lower for other industries. Only about 10 percent of consumer respondents said that they trust consumer-packaged-goods or media and entertainment companies, for example (Exhibit 1).

Exhibit 1

Consumers view healthcare and financial-services businesses as the most trustworthy.

Respondents choosing a particular industry as most trusted in protecting of privacy and data, % (n = 1,000)

[Bar chart. Industries shown: healthcare; financial services; pharmaceuticals/medical; retail; advanced electronics; aerospace and defense; automotive and assembly; consumer packaged goods; oil and gas; electric power/natural gas; technology; public sector and government; telecommunications; agriculture; travel, transport, and logistics; media and entertainment.]

Source: McKinsey Survey of North American Consumers on Data Privacy and Protection, 2019

About two-thirds of internet users in the United States say it is “very important” that the content of their email should remain accessible only to those whom they authorize and that the names and identities of their email correspondents remain private (Exhibit 2).

About half of the consumer respondents said they are more likely to trust a company that asks only for information relevant to its products or that limits the amount of personal information requested. These markers apparently signal to consumers that a company is taking a thoughtful approach to data management.

Half of our consumer respondents are also more likely to trust companies that react quickly to hacks and breaches or actively disclose such incidents to the public. These practices have become increasingly important both for companies and consumers as the impact of breaches grows and more regulations govern the timeline for data-breach disclosures.

Other issues are of lesser importance in gaining the consumer’s trust, according to the survey: the level of regulation in a particular industry, whether a company has its headquarters in a country with a trustworthy government, or whether a company proactively shares cyber practices on websites or in advertisements (Exhibit 3).

Consumer empowerment and actions

Given the low overall levels of trust, it is not surprising that consumers often want to restrict the types of data that they share with businesses. Consumers have greater control over their personal information as a result of the many privacy tools now available, including web browsers with built-in cookie blockers, ad-blocking software (used on more than 600 million devices around the world), and incognito browsers (used by more than 40 percent of internet users globally). However, if a product or service offering—for example, healthcare or money management—is critically important to consumers, many are willing to set aside their privacy concerns.

Exhibit 2

Consumer privacy and protection concerns vary by type of digital data.

Relative importance by data type, % of respondents (n = 792)

| Data type | Very important | Somewhat important | Not too important | N/A |
| --- | --- | --- | --- | --- |
| Content of email | 68 | 13 | 15 | 4 |
| Identity of email correspondents | 62 | 16 | 16 | 6 |
| Content of downloaded files | 55 | 19 | 21 | 5 |
| Location data | 54 | 16 | 26 | 4 |
| Content, usage of online chat rooms, groups | 51 | 12 | 22 | 15 |
| Websites browsed | 46 | 23 | 28 | 3 |
| Searches performed | 44 | 25 | 27 | 4 |
| Apps and programs used | 40 | 27 | 28 | 5 |
| Times of internet usage | 33 | 17 | 45 | 5 |

Source: Internet & American Life Project, Pew Research Center

Consumers are not willing to share data for transactions they view as less important. They may even “vote with their feet” and walk away from doing business with companies whose data-privacy practices they don’t trust, don’t agree with, or don’t understand. In addition, while overall knowledge of consumer privacy is on the rise, many consumers still don’t know how to protect themselves: for example, only 14 percent of internet users encrypt their online communications, and only a third change their passwords regularly (Exhibit 4).

Evolving regulations

Privacy regulations are evolving, with a marked shift toward protecting consumers: the GDPR, for example, implemented in Europe in May 2018, gives consumers more choices and protections about how their data are used. The GDPR gives consumers easier access to data that companies hold about them and makes it easier for them to ask companies to delete their data.

For companies, the GDPR requires meaningful changes in the way they collect, store, share, and delete data. Failure to comply could result in steep fines, potentially costing a company up to 4 percent of its global revenue. One company incurred a fine of $180 million for a data breach that included log-in and payment information for nearly 400,000 people.¹ Another was fined $57 million for failure to comply with GDPR. A side effect of this regulation is an increased awareness among consumers of their data-privacy rights and protections. About six in ten consumers in Europe now realize that rules regulate the use of their data within their own countries, an increase from only four in ten in 2015.

¹ The fine was imposed by the Information Commissioner’s Office, the British data regulator, and is currently under regulatory process review.

Exhibit 3

Consumers trust companies that limit the use of personal data and respond quickly to hacks and breaches.

Respondent trust by practices, % (n = 1,000)

| Practice | % |
| --- | --- |
| Do not ask for information not relevant to their product | 52 |
| React quickly to hacks and breaches | 50 |
| Do not ask for too much personal information | 48 |
| Proactively report a hack or breach | 46 |
| Have a trustworthy brand | 43 |
| Do not collect passive data (eg, click or browsing history) | 43 |
| Have had few hacks or breaches | 42 |
| Do not use tracking cookies | 41 |
| Promote privacy for their products (eg, 2-factor authentication) | 36 |
| Have trustworthy leaders | 35 |
| Do not operate in countries with untrusted governments | 32 |
| Are considered trustworthy by family, friends | 32 |
| Share their approach to protecting data | 31 |
| Are part of a highly regulated industry | 28 |
| Headquartered in a country with a trusted government | 28 |
| Publicize their consumer-privacy interest | 20 |

Source: McKinsey Survey of North American Consumers on Data Privacy and Protection, 2019

Exhibit 4

Consumer concerns over data collection and privacy are mounting, but few take adequate protective precautions.

Respondents taking action, % (n = 792)

| Action | % |
| --- | --- |
| Cleared cookies and browser history | 64 |
| Deleted or edited past internet posts | 41 |
| Set browser to disable or turn off cookies | 41 |
| Not used website because it asked for real name | 36 |
| Used temporary username, email address | 26 |
| Posted comments without revealing identity | 25 |
| Asked someone to remove an intrusive post | 21 |
| Masked identity | 18 |
| Used a public computer to browse anonymously | 18 |
| Used a false or untraceable username | 18 |
| Encrypted communications | 14 |
| Used service that allows anonymous browsing | 14 |
| Given inaccurate personal information | 13 |

Source: Internet & American Life Project, Pew Research Center

The GDPR has been considered a bellwether for data-privacy regulation. Even in Europe, policy makers are seeking to enact additional consumer-privacy measures, including the ePrivacy regulation (an extension of GDPR), which focuses on privacy protection for data transmitted electronically. Its status as a regulation (rather than a directive) means that it could be enforced uniformly across EU member states. The ePrivacy regulation is likely to be enacted in 2020.

Beyond Europe

Governments outside Europe have also begun to enact data-privacy regulations. In Brazil, for example, the Lei Geral de Proteção de Dados, or LGPD (General Data Protection Law) will go into effect in August 2020. Brazil’s previous data-protection regulations were sector based. The LGPD is an overarching, nationwide law centralizing and codifying rules governing the collection, use, processing, and storage of personal data. While the fines are less steep than the GDPR’s, they are still formidable: failing to comply with the LGPD could cost companies up to 2 percent of their Brazilian revenues.

In the United States, the California Consumer Privacy Act (CCPA) went into effect in the state in January 2020. It gives residents the right to know which data are collected about them and to prevent the sale of their data. CCPA is a broad measure, applying to for-profit organizations that do business in California and meet one of the following criteria: earning more than half of their annual revenues from selling consumers’ personal information; earning gross revenues of more than $50 million; or holding personal information on more than 100,000 consumers, households, or devices.

The CCPA is the strictest consumer-privacy regulation in the United States, which as yet has no national data-privacy law. The largest fine for mishandling data was, however, issued by the US Federal Trade Commission (FTC).

Compliance investments

Companies are investing hefty sums to ensure that they are compliant with these new regulations. In total, Fortune Global 500 companies had spent $7.8 billion by 2018 preparing for GDPR, according to an estimate by the International Association of Privacy Professionals. Companies have hired data-protection officers, a newly defined corporate position mandated by the GDPR for all companies handling large amounts of personal data. Despite these measures, few companies feel fully compliant, and many are still working on scalable solutions.

A central challenge—particularly for companies that operate internationally—is the patchwork nature of regulation. Requirements are very different from one jurisdiction or market to another. To address regulatory diversity and anticipate future regulations, many companies have begun systematizing their approach to compliance. Some have begun creating regulatory roles and responsibilities within their organizations. Many are trying to implement future-proof solutions. Rather than meeting CCPA requirements only in California, Microsoft is applying them to all US citizens, though other states do not yet have policies as restrictive as the CCPA. This practice will probably become more common, as many companies are using the most restrictive legal requirements as their own standard. For most companies in the United States, this means following CCPA’s guidelines.

Another difficult aspect of privacy regulation has to do with the deletion and porting of data: regulations allow consumers to request that their data be deleted or that enterprises provide user data to individual consumers or other services. For many companies, these tasks are technically challenging. Corporate data sets are often fragmented across varied IT infrastructure, making it difficult to recover all information on individual consumers. Some data, furthermore, may be located outside the enterprise, in affiliate or third-party networks. For these reasons, companies can struggle to identify all data from all sources for transfer or deletion.

Proactive steps for companies

Several effective actions have emerged for companies that seek to address enhanced consumer-privacy and data-protection requirements. These span the life cycle of enterprise data, and include steps in operations, infrastructure, and customer-facing practices, and are enabled by data mapping.

Data mapping

Leading companies have created data maps or registers to categorize the types of data they collect from customers. The solution is best designed to accommodate increases in the volume and range of such data that will surely come. Existing data-cataloging and data-flow-mapping tools can support the process.

Companies need to know which data they actually require to serve customers. Much of the data that is collected is not used for analytics and will not be needed in the future. Companies will mitigate risk by collecting only the data they will probably need. Another necessary step is to write or revise data-storage and -security policies. The best approaches account for the different categories of data, which can require different storage policies.

Of further importance is the growing appetite for applied analytics. Today, leading companies need robust analytics policies. Given the proliferation of advanced machine-learning tools, many organizations will seek to analyze the high volumes of data they collect, especially by experimenting with unsupervised algorithms. But unless companies have advanced model-validation approaches and thoughtfully purposed consumer data, they should proceed with extreme caution, probably by focusing specifically on supervised-learning algorithms to minimize risk.

Operations

Leading organizations have developed identity- and access-management practices for individuals according to their roles, with security-access levels determined for different data categories. About one-third of the breaches in recent years have been attributed to insider threats. This risk can be mitigated by ensuring that data sets are accessible only to those who need them and that no one has access to all available data. Even the most robust practices for identity and access management can fail—some breaches can be caused by individuals with approved access—so additional activity monitoring can be helpful.

To act quickly when breaches do occur, organizations will want to pressure-test their crisis-response processes in advance. People who will be involved in the response must be identified and a strong communications strategy developed. One of the highest predictors of consumer trust is the speed of company reporting and response when breaches occur. Indeed, most new regulations require companies to disclose breaches very quickly; the GDPR, for example, mandates the announcement of a breach within 72 hours of its discovery.

Companies should develop clear, standardized procedures to govern requests for the removal or transfer of data. These should ensure expedited compliance with regulations and cover consumer requests for the identification, removal, and transfer of data. The processes should support data discovery in all pertinent infrastructure environments within a company and across its affiliates. Most companies today use manual processes, which creates an opportunity for streamlining and automat
