Data Privacy

The Impact of Big Data on Customer Trust


In a distracted world accustomed to data loss and compromised privacy, where can a marketing professional find the latest research and customer insights?

Instructor Profile

Kelly Martin is Professor of Marketing and Dean’s Distinguished Research Fellow at Colorado State University. She teaches Quantitative Business Analysis across the College of Business MBA Programs. Kelly has twice received the CSU College of Business Excellence in (Graduate) Teaching Award and has been nominated for the CSU Alumni Association Best Teacher Award. Read more about Kelly Martin at the Colorado State University College of Business website.

Four Myths about Managing Data Privacy

The European Union’s General Data Protection Regulation (GDPR) took effect in May of 2018, which forced many managers who previously had not thought much about data privacy to seriously consider how their organization manages such practices.


So too, increasing scrutiny of the way companies transfer data and allow third-party use of customers’ personal information has been made salient by Facebook and Google’s recent United States (U.S.) Congressional testimony.

Yet in spite of all this attention, managing the organization’s data privacy practices is no clearer than before these events, and in many ways, is likely to be more obfuscated and confused. As such, the point of this article is to help alleviate some of this confusion by dispelling some common myths about managing data privacy. Once managers can effectively sort through misinformation about these issues, taking steps to lead on data privacy becomes increasingly attainable.


In sum, navigating today’s technological landscape to promote great consumer data privacy protections is increasingly complex.

All too often, this conversation becomes mired in elements of one of the four myths I describe. Likewise, buying into these myths can prevent organizations from taking important, customer-centric approaches to managing data privacy. By understanding the truths behind these myths, organizations are empowered to avoid significant privacy failures, but also are well-poised to lead on privacy and mobilize it for competitive advantage.

Myth Buster

It is easy to see why many managers believe that worries about data privacy are limited to the large technology companies. Indeed, the livelihoods of big tech firms such as Facebook and Google are critically dependent on acquiring and monetizing consumer data. Given U.S. regulators’ recent moves toward greater understanding and oversight of tech companies’ use of consumer data, it may appear that only these firms have cause for concern.

Yet, technology companies are likely only the tip of the proverbial iceberg for greater data protections and regulations here in the U.S. And once regulators make sense of the complex data infrastructures employed by the big technology companies, applying more stringent rules to smaller and less complex organizations can happen readily. Other industries that appear to be easy targets of future scrutiny include health care, retail, financial services, and even less intuitive industries such as automobile and insurance. Bottom line, data privacy issues concern all organizations that in some way access and use consumer data of any kind. Getting out in front of future inquiry will only better position companies to formulate effective self-regulation and monitoring ideas, or at a minimum, to have greater involvement and voice in the specific nature of potential government-imposed rules.

Related to the notion of looking beyond technology in managing data privacy is the question of who within the company manages data privacy policies and practices. Regardless of industry, many firms have treated data privacy practices as falling under the purview of the information technology (IT) team. And while IT certainly plays a critical role, increasingly it is imperative for other firm functions to weigh in. For this reason, my research on privacy over the years has taken a customer-centric approach. This is because thinking about customer effects had been largely ignored in both academic research and business practice. The ways in which customers perceive and respond to data privacy concerns have implications far beyond the work of the IT team.

While customers certainly expect the strongest possible data security protections that are designed and enabled by the IT team, they also want to understand the practical aspects of both costs and benefits to them from providing personal information. They need to know what’s in it for them in exchange for their personal information—not just that this information will be kept safe.

Managing data privacy also involves more than mobilizing the company’s legal team. Again, while legal compliance is nonnegotiable, the voice of the customer often is neglected in this world of covering the organization’s bases and reducing liability. As the GDPR implementation date approached, reports of privacy policy revision through organizations’ legal teams largely dominated the conversation. Yet by solely focusing on legal compliance, organizations are neglecting the true spirit of this regulation. That is, they are ignoring the most important voice, that of the customer. Customers have concrete data privacy concerns that must be focal to any understanding and management of the firm’s practices. I discuss more on this theme in debunking Myth #2.


The typical American consumer tends to get a bad reputation in the privacy domain. Sweeping generalizations about consumers’ overall lack of concern about their personal information take two overarching forms. I will describe both, and briefly debunk both based on my own research and understanding of consumer response in this space. I also share findings about the degree of customer data vulnerabilities that surfaced in my own research. Taken together, this evidence suggests that organizations can no longer claim that consumers simply are unconcerned about how their personal data is accessed, shared, and protected.

First, consumers often are labeled guilty of behaving in a way that is referred to as the “privacy paradox.” The privacy paradox stipulates that consumers profess to care about the safety and protection of their personal information, yet act in contrasting ways by revealing and failing to guard this information, sometimes at a very basic level. When I reviewed dozens of public opinion polls (e.g., Pew, Harris, YouGov) to understand consumer privacy concern, I found a strong consensus that data privacy matters greatly to people. Typically, around 90% of respondents to any given poll report being worried about the safety and integrity of their personal information. Yet this is the same general public that simultaneously fails to use strong passwords or employ two-factor authentication when possible. People also continue to grossly overshare intimate details of their personal lives on social media and often ignore those platforms’ available privacy protections. For an organization managing customer data, how can these inconsistencies be resolved?

One key missing link in this conversation involves how much consumers actually know about how their personal information is used. In a recent review of the privacy psychology literature, my coauthor and I find that much of what is written about the privacy paradox (or even privacy more generally) neglects the key dimension of privacy knowledge. As such, much of what experts label as a paradox can actually be blamed on a simple lack of knowledge. The very customers that are oversharing on social media may be unaware of the extent to which they are vulnerable. Using weak passwords and eschewing greater self-imposed data protections also may stem from a simple lack of knowledge. Taken together, it is unsafe to assume from their behaviors that consumers do not care about data privacy. Quite to the contrary. This implies that organizations can do more to be better stewards of this data as well as more effective informational and educational conduits to their customers.

The second broad explanation for consumer data privacy perceptions is a hyper-rational explanation known as the “privacy calculus” that stipulates a contrary perspective to the privacy paradox. That is, the privacy calculus perspective argues that consumers are fully informed about the data privacy policies and practices of each organization with which they interact. Although increasingly criticized, some academic and business perspectives operate from an assumption that people have all the information they need to consider the costs and benefits of disclosure, weigh each carefully and ultimately make a highly informed decision to share or not for each personal data request.

Clearly, the sheer volume of personal data requests people encounter makes this situation highly unlikely. Moreover, increasingly popular ubiquitous surveillance technologies preclude any rational exchange agreement with customers. Finally, knowledge again plays a role, as it is impossible for consumers to be fully informed of all possible risks and benefits associated with any single personal data request.

Finally, in my own research, we found that when an organization simply has access to their customers’ personal data, those customers experience strong feelings of vulnerability. Customers report this vulnerability regardless of whether the organization ever uses the information. It appears that mere access to personal data makes customers nervous. Of course, feelings of vulnerability escalate with greater organizational use (and especially sharing) of customer data. However, one key takeaway is that if the firm is not actively using customer data, they should not be collecting it as this appears to needlessly heighten worry. If the organization is and must be using customer data, being transparent about how the data are used and offering customers some tangible controls in data use are key to reducing vulnerability.


As part of my research team’s studies with customer data vulnerability, we examined feelings of vulnerability surrounding an organization’s data breach, or the event of customer data records being hacked, stolen, or otherwise compromised. Not surprisingly, when data are compromised, vulnerability is heightened. We also found that a data breach results in large stock price drops following the announcement. Perhaps even more frightening is that close competitor organizations also experience a stock drop when a rival firm is compromised, proving that organizations can be harmed by data breaches that occur at other firms. Even if they were completely inoculated from a breach themselves, a breach of others creates stock value losses.

We found that, again, being transparent and offering customer control can actually soften the harm from a data breach at the focal or breached firm, as well as among close rivals subject to spillover effects. Putting customer-centric privacy practices in place goes a long way in defending against data breach harm. Yet, surprisingly, few companies seem to take these simple steps in better protecting against data breach harms through the route of the customer. Instead, when companies work to guard against data breaches they typically work to bolster IT and data security. And while these certainly are important baseline protections, evidence shows they are not enough.

IBM and the Ponemon Institute release data breach statistics every year, and each year these numbers swell. Their reporting conveys that simply improving data security practices is not sufficient to avoid data breaches. As evidence, after experiencing an initial data breach, most organizations work diligently to improve IT security. Yet, a previously breached organization has been shown to become increasingly likely to be the target of a subsequent breach, even within the same year. Given these disturbing trends, business analysts maintain (only somewhat tongue-in-cheek) that life’s certainties now include death, taxes, and data breaches.

Operating from the assumption that one’s organization is protected against data breaches is naïve at best and dangerous at worst. Companies need to have proactive and comprehensive data breach recovery plans in place. Beyond the legal and technology ramifications, companies need to involve all firm functions, including but not limited to, engaging marketing and PR to partner with customers for optimal recovery approaches. These include how breach information is communicated as well as how firms work to compensate customers for existing and potential data loss and abuse. Organizations that have data breach recovery plans in place can act quickly and effectively, and help ensure that an already damaging crisis is not greatly exacerbated.


Perhaps a bit ahead of their time, in 2012, Microsoft launched their “Scroogled” campaign as a way to pointedly compare their own strong privacy practices with the more relaxed practices of Google. The campaign’s intent was to draw attention to the fact that Microsoft does not monetize their customer data in contrast to many of their key competitors. It attacked the scanning of Gmail messages, called out paid search advertising, and overall noted Google’s flawed privacy policies. Ultimately, Scroogled did not have a long life (2012-2014) nor did it necessarily alert consumers to these important privacy differences. Yet it remains a critical example: strong privacy protections can be a competitive differentiator.

One might argue that if Scroogled were launched today it would speak to a far more receptive audience. On the heels of massive company data breaches (e.g., Yahoo!, Equifax) as well as growing evidence of consumer data gleaned for nefarious uses (e.g., Cambridge Analytica), I suspect Scroogled would resonate with many more concerned consumers.

As mentioned in debunking Myth #2, consumers lack fundamental knowledge about protecting their personal information and managing privacy settings in an optimal way. Coupled with the increasing complexity of Internet of Things (IoT) technologies with embedded data capturing needs as well as ubiquitous surveillance by these devices, navigating today’s data privacy landscape is increasingly complex. Companies that can intentionally offer stronger and more straightforward data privacy practices and protections are only likely to win with their customers. In the absence of possessing a robust set of data privacy skills themselves, it is more imperative than ever that consumers know companies are looking out for their best interests. Given that so few companies currently position on privacy in this way, the opportunities for leading on privacy appear open for the taking.
