Ethical PII Data Practices and Brand Sentiment

Quantitative and qualitative data supporting a correlation between ethical PII (personally identifiable information) data practices and positive brand sentiment and/or consumer trust is presented in the brief below. The research begins with an analysis of consumer sentiment regarding data privacy, before moving on to an examination of data privacy and reputation risk, and an analysis of the repercussions of a data breach with examples provided. The perspective of the big four firms (Deloitte, PwC, EY, and KPMG) regarding the future of PII regulation is also briefly summarized.

Consumers and Data Privacy

  • The leading drivers of brand loyalty among consumers are trustworthiness (40%), commitment to data protection (31%), and customer service (30%).
  • Although 78% of consumers have concerns about protecting their personal data and 42% would not share sensitive data with a business, 70% have not read data privacy notices in depth or at all, and 43% are unaware if they have interacted with a business that has had a data breach.
  • Consumer concerns are related to their data being stolen as part of a breach or security deficiency (33%), businesses selling or sharing their data with third parties (26%), internal misuse of personal data (12%), data being used outside of the expected scope (11%), use of data to send irrelevant content (10%), the use of data for COVID-19 tracking and health purposes (7%), and other reasons (2%). In the US, 45% of respondents to a survey thought their personal information was compromised within the previous five years.
  • Consumers are "increasingly cynical" about the data protection assertions, intent and practices of companies, and according to Pew Research Center, 70% of US citizens believe their personal data is less secure than five years ago. In an RSA survey on data privacy and security, 75% of respondents stated that they now limit how much personal information is shared online, while a Salesforce survey revealed that 46% of customers believe they have lost control of their personal data.

Data Privacy and Reputation Risk

  • Consumers in the UK (72%) and the US (64%) place blame for loss of personal data on a business more than anyone else, including the hacker, unlike consumers in France (50%) and Germany (41%).
  • A Salesforce survey conducted in April 2019 measured the impact of corporate values on swaying buying decisions. The survey revealed little generational difference regarding loyalties to companies that are trusted and the responsibility of companies to use technology ethically.
  • Privacy is strongly associated with trust by both consumers (75%) and by business buyers (76%). A strong association is also made between trust and security by consumers (77%) and business buyers (79%).
  • Companies that are trusted have more loyalty from both consumers (88%) and from business buyers (90%), while 80% of consumers and 75% of business buyers will not patronize companies that they do not trust.
  • Sixty percent of the Salesforce survey respondents stopped buying from a company that did something distrustful, 48% stopped buying from a company on account of privacy concerns, and 72% indicate that they will stop buying from a company if they have privacy concerns.
  • Consumers (78%) are more loyal to companies that are transparent about how data is and isn't being used.

Post Data Breach

  • From the CMO perspective, 71% consider the loss of brand value as the largest casualty of a data breach, while the company can expect a decrease in global turnover of 9%.
  • After a data breach, consumers are most likely to return to retail stores (42%), hotels (20%), banks (17%), social sites (14%), and ride share services (7%).
  • Generational attitudes vary, as Millennials (26%) are the least likely to shop in a retail store after a data breach, while Generation X (40%) and Baby Boomers (34%) have a more relaxed attitude.
  • Companies should also consider the role of consumer networks, as 85% will relay their experience to others, 33.5% will complain on social media, and 20% will complain on the retailer website.
  • Examples
    • When Target had a data breach in 2013, the company did not notify the public until almost a month had passed. Customers responded by canceling Target cards, and labeling the breach "disheartening."
    • The company's brand index rating recovered to 17.3 in 2018 after dropping to 9.4 in 2014, after the company enhanced account security, limited vendor access, and enhanced monitoring and logging.
    • When Uber decided against disclosing that they had paid hackers after a breach impacting the personal data of 57 million drivers and consumers, aside from being in breach of data protection law in Pennsylvania, the chief security officer was fired, and the company had to pay a settlement of $148 million.
    • This occurred after a series of negative press for the company, and a #DeleteUber campaign was created by customers, which resulted in the loss of 200,000 users, a tripling of the negative perceptions of the brand, and an increase in downloads of competitor Lyft.
    • Conversely, when Canva experienced an attack in 2019, the site was locked down while the attack was occurring, and users of the app were notified regarding what happened, and how their data was impacted.

Big Four Firms on Future PII Regulations

  • The big four firms were identified as Deloitte, PricewaterhouseCoopers (PWC), Ernst & Young (EY), and Klynveld Peat Marwick Goerdeler (KPMG) based on this article from Investopedia.
  • Seventy-five percent of organizations surveyed by FTI Consulting stated that they have changed their data compliance response because of regulatory concerns within the 12 months prior to the survey period. In the financial services industry, this figure increases to 83%.
  • Although 88% of financial services survey respondents believe their Board or executive committee are committed to, and knowledgeable about, data privacy compliance, only 67% believe they are currently prepared to deal with a data privacy crisis event.
  • Data privacy budgets at 97% of the FTI Consulting survey respondents are set to increase in 2021, with the average increase being 50%.

Deloitte

  • The information security risk to organizations has been heightened as employees increasingly work from home. Deloitte has included this on its list of hot topics to be considered by internal IT audit teams in 2021, stating that a priority area of focus should be data governance, data privacy and associated regulations.
  • The advice to audit teams comprises part of an overall information governance program, inclusive of the requisite infrastructure, that Deloitte advises organizations to adopt as they ensure regulatory compliance. A key component of this program will be policies to ensure that only the required information is retained, and only for as long as it is needed.
  • This advice is centered around Deloitte's belief that "data minimization is quickly rising to the top of the information governance agenda, driven in significant respect by regulations, including the GDPR and NYDFS Cybersecurity regulations."
  • In the US, the lack of an overarching federal rule regarding data privacy, rising consumer interest in the subject, and lobbying from trade groups such as the Association of National Advertisers have resulted in some states, such as California, Delaware, and Vermont, enacting their own data privacy laws. Deloitte expects more states to follow in enacting their own data privacy regulations.

PricewaterhouseCoopers (PwC)

  • PwC lists regulations from the EU and California, state attorneys general, Congress, and federal privacy law business and citizen advocates as the six influencers on data privacy in the United States.
  • The General Data Protection Regulation (GDPR) has become the gold standard for the protection of private data, followed by the California Consumer Privacy Act (CCPA) which is being applied by companies across the US (e.g. Microsoft).
  • State attorneys general are expected to impact regulations through their actions related to data breaches, while members of the US Senate are competing to have data protection laws enacted.
  • Advocacy from business is related to the costs and inefficiencies of inconsistent and fragmented state laws and the desire for harmonized legislation on the subject; citizen advocacy has already borne fruit, as the CCPA resulted from the efforts of three citizens.
  • PwC suggests organizations pursue "transparency and preparedness," shift to a privacy by design operating model, and integrate privacy as part of the product design.

Ernst & Young (EY)

  • EY has identified the risk presented by location tracking as one that is increasingly in the crosshairs of public and regulatory scrutiny. This concern is exacerbated by COVID-19 as employees work from home and health data is used to monitor the pandemic.
  • Within the US, some companies apply the provisions of the CCPA (the CCPA gives residents of California the option to opt out of having their personal data sold to third parties) to the entire United States, which, when combined with high compliance costs and associated fines, can disproportionately influence the composition of regulations by other states.
  • EY also expects an increase in data subject access requests (DSARs) as the workforce goes remote. This will require a compliance strategy from firms operating in a regulatory environment that is inconsistent and fragmented.

Klynveld Peat Marwick Goerdeler (KPMG)

  • KPMG sees the regulatory landscape as evolving to accommodate public concerns over privacy, and the secure and legal use of personal data, in an environment where data protection regulations and penalties are increasing.
  • The firm sees the GDPR as only the first in a wave of privacy regulations that are emerging to accommodate innovation given their technology-neutral nature, to cultivate the embedding of data protection into product development and organizational practice by design, and to give persons control over their personal data by informing them of their data privacy rights.
