What data can, and should, small businesses collect about their customers?
Last week, we held our fifth Responsible Data Use Advisory Council meeting. These meetings, held quarterly, are an opportunity to discuss emerging trends around responsible data use for small businesses.
As we move into our second year, the council is evolving too.
Samuel Burmeister of Tall Books has regretfully stepped back from the council to focus his efforts on his growing business. We’ll miss Sam’s passion and expert contribution to the group.
We also welcomed two new council members: Anna Johnston, Principal at Salinger Privacy, and Felicity Pereyra, Founder of Elevate Strategies. Anna and Felicity each bring unique skills and experience to the council. Anna, recognised globally for her work in shaping the future of privacy, data protection and data ethics and data management issues, is herself a small business owner specialising in privacy compliance. Felicity, with a background in analytics consulting on political campaigns up and down the ballot, is also now a small business owner with a passion for data ethics specialising in data analytics strategy.
Anna and Felicity join existing council members: myself, Laura Jackson of Popcorn Shed (business owner), Maribel Lopez of Lopez Research (technology analyst), Wyndi and Eli Tagi of WE Mana (advisors) and Aaron Wittman of XBert (app developer).
I always feel energised after these meetings and in this one we had a fascinating discussion around data collection minimisation. Collection minimisation is about understanding what data you need from your customers to provide your product or service, being clear with them on the purpose of collection, and not collecting more data than required. It is a key concept underpinning responsible data use.
Privacy by design
Anna kicked off the discussion by asking the group to think about the (over) collection of gender data. While knowing the gender identity of customers can be useful for marketing and product development, it is rarely necessary to collect this data when providing a product or service. Requiring someone to share their gender identity without a proper reason can be annoying, or even deeply alienating for non-binary people. In some cases, it can also be unlawful!
Even if customers don’t express frustration or complain about excessive collection of their data, we know that they push back in other ways. The group talked about the fact that in online retail, a significant proportion of customers will give false information to questions that are irrelevant to their purchase. This leaves the business holding junk data that may lead to bad decisions.
Council members turned to how businesses can tread the middle ground of collecting the data they need, but not overstepping. For example, licensed venues can choose to accept digital IDs that verify a person is of legal drinking age without disclosing their address and date of birth – rather than taking scans or copies of patrons’ driving licences, which creates an unnecessary privacy and security risk. Small business owners should consider how this applies to their own business – in other words, how to collect the data you require in order to do business, while ensuring you’re not collecting anything unnecessary.
While many businesses collect more data than they actually need, there may be legitimate reasons for collecting particular data fields. Wyndi commented that she and Eli work with Maori and Pasifika-owned small businesses, and collecting information about ethnicity is important to them in their mission to effectively support and champion these communities. The group agreed providing clarity about the purpose for collecting certain data fields was really important. Additionally businesses need to carefully consider the reasons for collecting sensitive data such as ethnicity, religious status, political affiliation or sexual orientation, as there are additional obligations and protections in place for these types of data.
The group also discussed that one of the reasons single-sign-on services like Google, Meta, or Amazon are becoming popular, is so people can log in or complete a transaction without handing over their information. However Maribel observed that when integrating with one of these services, it is important to be mindful of what data they are collecting about your customers and how they intend to use it.
The case for voluntary data collection
Several members noted that, as small business owners, they have a commercial incentive to gather as much valuable data as possible, but as customers, they’re not always comfortable with sharing personal information. In general we agreed that applying the customer perspective is important. As a customer, is this data necessary for the product or service? Would I feel comfortable sharing this information with this business? How will the business use the data? Would a customer trust us to keep their data safe?
One solution is to make data collection voluntary, rather than mandatory – let customers choose which non-essential data they choose to disclose. This would encourage businesses to be more deliberate in how they use data, and to explain their data use cases more clearly to their customers. For instance, is the business collecting data simply for marketing purposes, or is there a clear benefit to the customer?
Looking ahead
The conversation certainly raised some interesting discussion points, particularly around what small businesses could do to improve their data collection practices. It was interesting to see the council members wear two different ‘hats’ with different perspectives – both as consumers, and small business owners. I’d encourage any small business owner to pop on their consumer ‘hat’ when thinking about what data they need to collect – what would you be comfortable with, as a customer – and apply those principles to your own business.