The EU General Protection Data Regulation (GDPR) recently celebrated its first birthday, and similar legislation like the California Consumer Privacy Act (CCPA) is popping up in the United States. With privacy on everyone’s minds, John Deighton, Professor of Business Administration at Harvard Business School, and Frank Grillo, CMO, sat down to discuss where it’s headed—and what it means for business.
JD (John Deighton): At each moment of our lives, we stand somewhere on a spectrum between anonymity and identity. The position we each take on that spectrum is our level of privacy—it’s the needle on the meter that shows where we are in a particular social context. At one end, we keep our data to ourselves and move about anonymously. We can deal with people, but they can’t go after us later if they want to, and they wouldn’t recognize us if they met us by chance. At the other end of the spectrum we deliberately cultivate a persona. We claim an identity fully and publicly and exploit the benefits of a reputation.
In today’s world, there aren’t many people who actually pursue anonymity. Those that do often do so for reasons that involve the law. The rest of us find some sort of value in sharing information about ourselves with others.
FG (Frank Grillo): Yes, many of us are willing to freely trade our privacy for efficiency, convenience, modernization or other value. I always think of Marriott—they know my travel habits, where I like to visit, which of their hotel brands I prefer. They use my data to offer me my preferred brands in hotel search results, greet me by name, put me on the floor I want my room on, provide me with the pillows I like, recommend restaurants nearby that they know I’ll like. It all makes the travel experience so much more pleasant, to the point that I ask, “What else can I tell you about me?”
JD: But now, GDPR has set a standard where that privacy needle on the spectrum is skewing more toward anonymity.
GDPR was written in a way that protects Europeans everywhere in the world. It is so encompassing that it has created incentive for the whole world to converge on these standards—it would be difficult to have one set of standards in Europe and another in the US, for example. This is one of the drivers pushing privacy laws and regulations forward in the USA.
The large players in the data space also see this as an opportunity to protect their market power over smaller startup companies. Legislation like GDPR privileges the companies with large amounts of their own first-party data—the likes of Google, Facebook and Amazon—and impedes the flow of third-party data that smaller businesses depend on today. These big players support legislation like CCPA, in what I see as a monopolistic move.
With these two drivers at play—the wish to have a global standard and the interests of firms with large amounts of first-party data—privacy legislation is nearly impossible to resist. It’s like thinking you could exclude your own private beach from the oncoming tsunami. You just can’t write the rules that way.
FG: So, GDPR has set the standard and regulations like CCPA and others in the Western world are pandering to GDPR. It’s moving all of us back toward anonymity as the norm. That’s great conceptually, but it’s problematic in that, as consumers, we don’t fully understand the value that comes with sharing some of ourselves—of moving more toward identity and being known by others in the world.
JD: There’s another problem, as well: China is a big player here, and China will not respond to the GDPR pressure. It doesn’t need to. The EU community is not that big of a part of the market for Chinese products.
I can see a situation emerging where China uses data to run services around the world that are vastly more efficient and more powerful than those running in other parts of the world. Businesses operating in the EU and the US will be constrained in their use of data by their privacy regulations, but China will not be so constrained and will therefore be able to create superior offerings. Chinese products will rightly seem better to the consumer.
It’s happening already, with Chinese platforms like WeChat. I read in The Wall Street Journal about a director of a firm from Washington, D.C. who had spent some significant time in China. When he came back, he said it was like coming back to the Stone Age. The article quoted him saying, “Not being able to use WeChat, everything felt just old fashioned.”
And consider Alipay—it’s a Chinese payment system that operates around the world. Its owner, Ant Financial, a division of Alibaba, is bigger than Goldman Sachs. Ant offers better consumer banking services in China than we are used to in the West because it exploits China’s lax privacy standards.
Eventually, down the road, I think that GDPR and the American copycats will slowly have to capitulate because China just won’t comply.
FG: In a regime where we place privacy and the ability to be anonymous as the standard, we are actually making the decision to sacrifice our convenience, efficiency, user experience in return for that thing we call privacy. Then there will be entities like China that just don’t respect that right to privacy. While we may find that reprehensible, the customers interfacing with them will still be impressed by their solutions—privacy just isn’t the first thing that comes to mind when you’re trying to get something like a mobile payment done.
JD: It goes back to the CEO of Sun Microsystems who famously said about privacy: “Get over it.” And while it’s worrying, most of us do get over it pretty easily.
FG: First-party data engines like Google and Facebook will be able to compete because they already have access to so much of our information. But where does that leave everyone else? All other brands have to figure out how to provide enough value to the customer that they will be willing to share their data in exchange for that value—like Marriott does for me—so they don’t find themselves at a disadvantage.
Do you think there is opportunity in this moment of tension for entities to split the middle? Say, “I’m going to use your data, show you that I’m using it to deliver you a fantastic experience, and I’m going to earn your trust so that you want to continue to share more data with me.”
JD: Yes, but the challenge with this approach is that you still need significant share of wallet. This plays into the big players getting bigger. A totalitarian regime knows everything about me and can build products and services that can exploit that information. The big guys in our Western markets have lots of touchpoints with us and lots of information on us, so they can use that to deliver better experiences, more convenience, in many areas. Smaller companies don’t have as much data or as many touchpoints with the customer and therefore cannot compete as easily.
Marriott is an interesting example because, back when they acquired Starwood, they increased their touchpoints with the customer, increased what they knew about the customer, and began to compete more effectively on customer experience.
FG: Marriott certainly has scale. I engage with them frequently, both personally and for business, so they have a lot of opportunity to get to know me through first-party data.
Brands without this kind of scale on their own can attempt to create it through partnerships. A specialty retailer or a grocery store, for example, can only deliver so much practical value to a customer—but they can partner with non-competing brands to create breadth of engagement across categories.
JD: I’ve seen a great example of that in the UK with Nectar. The partnership is built on the grocery store Sainsbury as the primary sponsor, and there are about eight other partners involved. These include Argos retailers and Esso service stations. Customers interact frequently at supermarkets and gas stations, so the entire partnership is able to collect a variety of data points that can be used to improve the experience in other locations.
FG: Exactly. When it comes down to it, competing effectively in the world of privacy regulation means delivering value to customers so that they want to freely sharing their information with you in exchange for that value. If you don’t have enough first-party interactions of your own through which you can collect that information, partnership is a great opportunity to gain scale.
The important catch here is that all brands have to commit. If half of the partnering brands fail to deliver exceptional value to the customer, the partnership won’t work. All of the brands in the partnership have to agree to use the shared customer data to create superior experiences.
Edited by Nicole Bump