Data ethics is a set of principles for how we should collect, store, use and process personal information. In practice, ethical data collection means following principles that align with global privacy laws (like the GDPR) and meet modern customer expectations:
- Respect: We respect peopleās rights by collecting data lawfully and treating peopleās information with care. Fairness: We avoid biases in how we collect and analyse data that could lead to unfair or discriminatory results.Ā
- Transparency: Weāre open and honest. This helps build trust between people and the organisations that collect their data.
- Control: We make it easy for them to control their own information.
This is very important because our world relies on decisions made using data. Organisations must remember that collected data is essentially borrowed from users and must be returned when requested. Using ethical data practices builds trust with users and encourages them to provide consent.
How did we get here?
Problems with the misuse of personal data emerged early in the digital age, prompting governments to consider implementing laws that protect data privacy. The process gradually accelerated in the 2010s. The European Union (EU) took a big step in 2016 by passing the General Data Protection Regulation (GDPR).
Because the EU, one of the worldās largest markets, took this so seriously, it got the attention of many other governments. What drew the attention of the general public and really sped things up was the rise in data breaches and privacy scandals around the same time GDPR became law.
Facebook and Cambridge Analytica scandal
The most significant of these was the 2018 scandal involving Facebook and Cambridge Analytica. It was revealed that Cambridge Analytica had improperly accessed Facebook user data and used it for political advertising without their knowledge or informed consent.
The news caused people to become much more concerned about how their personal information was being handled and who had access to it. It also led to more and stronger calls on governments to create and enforce stricter data rules. The scandal highlighted the importance of prioritising privacy and ethical analytics that align with GDPR requirements. It also showed how quickly people can turn against companies that fail to respect user privacy.
Project Nightingale and Google
Google also faced ethical scrutiny due to its collaboration on “Project Nightingale” with a national healthcare provider. The goal of this project was to gather health data from millions of patients.
But there were two glaring problems with this. First, the data included highly sensitive personal information, such as lab results, diagnoses, and hospital records. And second, it was being collected without the direct knowledge or consent of the patients themselves.
Prompted by significant public backlash, regulators took a closer look at the collaboration and implemented changes. Project Nightingale continued, but with guardrails put in place to promote transparency, privacy, and personal data security. These rules include the Health Insurance Portability and Accountability Act (HIPAA).
Torontoās Sidewalk Labs
Another year, another country and another scandal involving Googleās parent company, Alphabet. In 2020, Alphabet brought ethical data practices and privacy-first analytics into the spotlight again with Sidewalk Labs, a controversial smart city project in Toronto. The initiative aimed to build a high-tech neighbourhood, but it faced massive public backlash.
The main concerns were about the quantity and nature of data to be collected from residents and visitors. They also didn’t have clear answers about how this data would be used, stored, and protected. There were concerns about constant surveillance and the potential for private information to be exploited.
The project eventually scaled back its ambitions significantly but ultimately failed to gain public support. However, this and the other two examples are reminders that innovation and progress must go hand in hand with strong ethical data practices and transparency.
Sidewalk Labs’ proposed design for Parliament Slip, south-east of downtown Toronto Ā© Sidewalk Labs
A different world
These events helped create the world we know today. Three-quarters of the world’s governments have passed data privacy laws or data protection regulations, many of which are based on the EU’s GDPR. They also heightened awareness of data privacy issues and made people realise why they should demand responsible data collection practices and privacy-first web analytics.
What does ethical data collection look like?
For over a decade, we’ve discussed data privacy extensively. This has given us a good idea of what ethical data collection should be. It begins with six fundamental principles:
- Transparency
- Choice and control
- Privacy and security
- Fairness and equity
- Data minimisation and purpose limitation
- Accountability and responsibility
1. Transparency
Transparency requires being upfront and clear about the personal data you collect and how you use it. Transparent practices make sure that people fully understand what happens and how youāre using their data from the moment it’s collected. A GDPR-compliant privacy notice is a good start.
Ethical data collection also involves clear privacy policies that are easy for visitors to find, read and understand. People feel more comfortable sharing their information when they know exactly how it’ll be used and for what reasons.
2. Consent and control
Here, the focus is on ensuring that people have genuine choice and power over their data. Depending on your region and the type of data:
- Some activities requireĀ consent.
- Others may rely onĀ legitimate interestsĀ or other lawful bases.
Ethical analytics also aligns with national ePrivacy rules, which regulate tracking technologies independently from GDPR. In most EU countries, ePrivacy laws require prior consent before tracking.
When consent is required, organisations must obtain valid, informed consent before collecting any personal information. This fulfils the “informed” requirement in informed consent by clearly explaining what data will be collected and for what intended purpose.
It also requires companies to provide simple and accessible ways for people to withdraw their consent at any time. Data owners should also be able to update their consent preferences, access their data, and request its deletion at any time. This promotes a culture of respect, trust and empowerment.
To simplify the process, you can integrate your analytics platform directly with a consent manager platform (CMP) to automatically collect and manage user consent.
ā Explore our Consent User Guide to learn more about consent and privacy in Matomo.
3. Privacy and security
Safeguarding private data with strong security features, such as secure hosting, encryption, firewalls and access controls, prevents data breaches and builds customer trust. Regular security updates are vital to stay ahead of threats.
To protect customer privacy and strengthen data security measures, there are two main techniques to mention:
- Anonymisation: Removes all personal details, creating anonymised data, ensuring that no individual can be re-identified using reasonably likely methods.Ā
- Pseudonymisation: This replaces direct identifiers with codes, allowing you to link data without it pointing directly to individuals.
Both methods help organisations use data responsibly while protecting privacy. Companies should also restrict internal access and train employees on proper data handling.
4. Fairness and equity
Organisations need to make it a point to understand how their data practices impact different groups, then work to prevent negative outcomes.
Fairness involves using data in a way that respects the rights of users and promotes privacy. This involves regularly reviewing systems and processes for bias and implementing the necessary controls and safeguards.
5. Data minimisation and purpose limitation
Organisations should have a clear and specific purpose for all the data they collect. Avoid collecting more personal information or data than necessary. For instance, on a newsletter subscription signup page, if you only need an email address, don’t ask for a home address or phone number.
Also, if you collect data for a specific reason, donāt use it for a different purpose later without the ownerās consent, unless you can rely on another legal basis. This ensures that data is used responsibly, as people expect.
āĀ Learn how to disable the visits log and visitor profilesĀ in Matomo to enhance privacy.
6. Accountability and responsibility
Under an ethical data collection mandate, organisations must take care of their usersā personal data, follow data protection rules and have systems in place to ensure that they do. This goes beyond just obeying laws. It means actively taking steps to protect data privacy and showing that your internal controls and privacy policies are effective.
Itās vital to clearly define whoās responsible for data practices within an organisation. Everyone, from top management to individual employees, should understand their role in protecting data. This helps create a culture where data privacy is a key part of how an organisation works, not just something added on later.
The business case for ethical data collection
All of that is seen from the consumer’s perspective, but whatās the business case for organisations to prioritise privacy and data ethics?
Embracing a strong code of ethics around privacy and data sharing builds trust with customers. When people know their data is handled responsibly through responsible, minimalist analytics, theyāre more likely to engage and become loyal customers.
Ethical principles and strong data governance can be a competitive advantage. Companies known for respecting privacy and implementing ethical marketing practices stand out in the market. This can attract new business and strengthen existing relationships.
Thirdly, ethical data practices help with long-term success. By considering ethical impacts, following data protection rules, and being transparent with users, organisations can avoid costly fines and legal problems. This proactive approach enables them to stay ahead of changing laws and keep operations running smoothly. Ultimately, it’s about smart business that benefits everyone.
The other side of the coin
The potential risks and negative impact of a major data breach underscore the importance of ethical data collection.
For example, the 2017 Equifax breach exposed the personal information of millions of people. The company faced substantial financial penalties, including a multi-million-dollar settlement agreement with the U.S. Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and various U.S. states. But the real damage was in the market: news of the breachĀ caused Equifaxās stock price to dropĀ by nearly a third.
A year later, the Marriott group disclosed a similar data breach affecting hundreds of millions of guests. In addition to the regulatoryĀ settlement of $52 million with the FTCĀ and various states, the companyās share price also suffered as a result.
These incidents show that when personal data is mishandled, consumers often lose trust, stop using the companyās services, and share their negative experiences with others. This can devastate a business and make it very hard to win back customers.
A call to action
So there you have it. Adopting ethical data collection practices and GDPR-compliant analytics isn’t only the right thing to do, but also essential for maintaining trust and credibility. And not doing so may very well turn out to be an existential threat.
Respecting user privacy through privacy-first analytics and cookie-free tracking helps businesses build trust with customers and gain a competitive advantage. Luckily, ethical analytics solutions make this much easier.
Download our Ethical Marketing Guide for a deeper dive into privacy-first practices and more actionable strategies.
Or if youāre ready to try a privacy-first, ethical analytics solution, you can start your 21-day free trial today ā no credit card required.
