Contributed by Reuel Baptista
27 November, 2017
Playing by others’ rules – compulsory data collection and consumer privacy
Data is essential for any company that wants to thrive in the digital economy. Data about customers is particularly valuable because it enables companies to tailor products and services to their customers. Ideally, a consumer should be able to opt out of data collection when using a product or service, thereby protecting their privacy by exercising their autonomy and choosing how they share their personal information. Additionally, the consumer’s ability to use a product or service should not be affected by their decision to opt in or out of data collection. However, the thirst for data, particularly in the technology sector, has seen more companies require their customers to acquiesce to data collection when using their products or services.
A good example of this trend is seen in the mandatory collection of telemetry data by Windows 10. Initially, the operating system required the user to choose between the ‘basic’, ‘express’ or ‘full’ level of telemetry data collection. Critics noted that users could not opt out of telemetry collection and were not clearly told what data was being collected and how it was being used by Microsoft . After the Windows 10 Creators’ Update was released in April 2017, users can now choose between ‘basic’ or ‘full’ telemetry data collection. Microsoft also released information about the data that is collected under the ‘basic’ and ‘full’ setting and how it is used . These changes allow users to make a more informed decision around the level of telemetry data collection they are willing to accept. However, users still cannot opt out of data collection, which continues to concern industry commentators and privacy organisations .
Consumers are presented with a stark choice – they must play by the company’s rules and sacrifice some of their privacy or avoid using the product or service. By not giving consumers the ability to opt out of all data collection, Microsoft, Sonos and other companies that use similar practices are hampering consumers’ privacy by limiting their ability to manage the collection and use of their personal information. This choice is further eroded when a company corners the market for a certain product or service, such as Windows’ dominance in the personal computing market.
The rapid adoption of Internet of Things (IoT) devices by consumers will amplify these privacy concerns. IoT devices rely on constant data collection and transmission in order to function properly. One IoT device manufacturer estimated that the 10,000 households with its home automation system collectively generate 150 million data points every day . These massive datasets enable companies to gain unique insights and make accurate predictions about their customers’ behaviour. Developments such as IoT make the protection of consumer privacy even more essential.
Sometimes, collecting data about consumers can be necessary. For example, in their privacy policies, Microsoft and Sonos state that they use data collected from consumers to improve their products and services. At the same time, the sheer amount and range of data that can be collected and processed about an individual means there needs to be a balance between respecting consumer privacy and providing companies with the data they need to innovate and understand consumer demand.
The rapidly evolving nature of technology means that the balance between privacy and innovation will need to be adjusted regularly. It is up to consumers and regulators to ensure that companies in the technology sector continue to prioritise consumers’ right to privacy over the commercial value of turning people’s lives into countless data points.
 Fahmida Rashid “How Windows 10 data collection trades privacy for security”, 2 December 2016, www.infoworld.com.
 Microsoft “Windows 10 diagnostic data for the Full telemetry level”, 17 October 2017, docs.microsoft.com. See also, Microsoft “Windows 10, version 1709 basic level Windows diagnostic events and fields”, 17 October 2017, docs.microsoft.com.
 See for example the Dutch Data Protection Agency’s comments (https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/public_version_dutch_dpa_informal_translation_summary_of_investigation_report.pdf) on telemetry data collection in the Windows 10 Creators’ Update and Microsoft’s response (https://ncmedia.azureedge.net/ncmedia/2017/10/Dutch-DPA-Windows-10-Home_Pro_Investigation_Mi.pdf).
 Federal Trade Commission “Internet of Things: Privacy and Security in a Connected World”, January 2015, www.ftc.gov at p. 14.
Comments are closed.