When discussing identity protection online and the rights & responsibilities that we carry as ordinary customers, a common issue is raised: are we entitled to know what an online service does with our personal data?
The obvious answer is “of course” – even if the “we respect your privacy” statements of many service providers is tantamount to saying “of course your data is safe in our hands – we’re not going to give it to anyone else. But, hey, this is a service provided free to you so you’ll just have to trust that we are using your data to provide you with an awesome service…”
Your average customer, consciously or not, enters the Faustian pact in exchange for the free service. The service can offer you something for free because they make they money from investors and speculators who see that a big – very big – database of information on users is something that has marketable value. Whether it is providing profiling information for advertisers or selling on your data to third parties, there is money to be had. At a major CRM conference a few years back, one senior analyst had run some figures and estimated that each data field about a person has a market price of at least $150. Whilst I would dispute the figures, it is clear that the potential for increased market value of personal data will increase exponentially with the size of the user base: holding rich data on a few hundred people isn’t going to impress anyone – once in the realm of the millions, then people start taking notice.
When it comes to putting a company’s balance sheet together, calculating the value of intangible assets is something of an art, and even the best guidelines in the business are prefaced with comments such as “it’s worth whatever someone is willing to pay for it”. There is no evidence that the same isn’t true when it comes to assessing the value of all the personal data that some online services accumulate. Their whole business model is predicated on it. Sometimes the value only becomes apparent when you lose the data and end up being sued – the cost of the pay-out and your total legal bill will give you a fair assessment of what the market value is seen as for the personal data lost or compromised.
So, for the sake of argument, imagine turning the tables a moment. Instead of a company’s base of customer records and data being considered as a pure intangible asset, imagine it being considered on the liability side of the comapny balance sheet – and that the proportionate liability increased with the number of customers and complexity of data being held. Such companies would then need to put in place detailed plans for the protection of their customers’ data, explain clearly how, where and when the data is (re-)used before accountants would be able to reduce the liability.
With data breaches becoming more common and more spectacular, investors should seriously ask themselves whether they are in the business that they thought they were – for social networks read: data harvesting and mining; and if they are, whether they feel sufficient safeguards are in place to protect valued intangible assets from being a major liability.
Another knock-on effect of this would that other business models, that truly place a premium on the protection and control by customers of personal data and demonstrate this through their online practices, ought to be evaluated more favourably: a service that gives users total control of their data would indeed be managing valuable assets and ought to be recognised as such.