Online shopping has always been convenient, but during the Covid-19 pandemic, it became essential. Amazon's Prime service now has more than 200 million members across 23 countries. Many people regularly shop online for everything from groceries and clothes to books and electronics. This, combined with the fast growth of streaming platforms and other online services, has led to increased concerns about data privacy.
For one thing, many websites collect vast amounts of data, whether a user buys a product or not. Email addresses, phone numbers and dates of birth are just a few examples of the information that can be gathered. More data is collected by the browsers people use, via third-party cookie trackers in Google Chrome, for example — a practice that will be phased out by 2024. Meta, the social media giant that owns Facebook, is also a specialist in tracking web activity to feed its advertising network, although privacy features introduced by Apple in 2021 now make it much harder to track the more than 1.2 billion iPhone users.
Consumers are becoming increasingly aware of the importance of online privacy, and businesses must rethink their strategies for a future that doesn't include cookie trackers and mobile-app tracking. Regulators are also becoming more proactive and creating rules, such as the EU's updated General Data Protection Regulation (GDPR), that grant consumers more rights to decide what happens with their data.
Privacy risks online
There are two main privacy risks to individuals online: data getting into the hands of an adversary, and organizations using information without consumers' permission, explains Caroline Carruthers, CEO of the global data consultancy Carruthers & Jackson.
Both areas are already covered by legislation, she says. "Cybercrime is obviously illegal and covered by anti-fraud laws, and incorrect use of data is forbidden as part of regulation, such as GDPR in the EU and the California Consumer Privacy Act in the US."
Payment data is especially valuable to cybercriminals. While services like PayPal can help protect this sensitive information, it is hoped that the concept of tokenization will make online shopping more secure. Adoption of the technology is increasing, with India having launched a new mandate in late 2022 that makes tokenization a standard in the country.
Tokenization allows two parties to exchange sensitive information, such as credit card details, via a randomly assigned number, known as a "token". Although it's still relatively new, this technology could be useful both for businesses and users, says Michael Tegos, product marketing manager at Opera, makers of the Opera web browser. "It can help speed up transactions and improve customer experience, because the users don't have to keep entering their payment details, potentially exposing themselves to phishing scams or errors. It mitigates the risks of a data breach because, even if the token data is stolen, bad actors can't use it."
This system also makes compliance easier to manage for businesses. "The process is approved by the PCI Security Standards [Council], which sets security standards for organizations who accept credit card payments," Tegos adds.
Data protection
For businesses that collect customer details online, protecting that data is the highest priority. That feeling of security is key to building the trust that keeps customers coming back to the site. Surveys by the company Treasure Data in the UK, Germany, France and the US found that people expect marketing campaigns to adapt to their changing priorities and needs due to the current cost-of-living crisis.
Taking this into account, Andrew Stephenson, Treasure Data's director of marketing for EMEA and India, thinks responsible brands should implement a two-track strategy: "Communicate the value exchange of data sharing to consumers and operate within ethical boundaries using the right technology."
Measures businesses can take to look after customer data include ensuring it is stored correctly and securely, as well as making sure that access from within the organization is limited to the right people, in line with regulations, Carruthers says. "Of course, tokenization also helps, and e-commerce sites should work together with big payment companies, such as PayPal or Mastercard, to bolster safety mechanisms."
It is also important for individuals to do what they can to protect their own data, says Jake Moore, global cybersecurity adviser at ESET, a data protection company. He advises creating a separate email address and using a VPN when shopping. "At the very least, private browsing can mitigate the risk of sharing personal information."
Websites must offer detailed privacy policies, and individuals should read them when using online services, advises Colin Hayhurst, CEO of the privacy-focused search engine Mojeek. "People should always ask questions about where their data is going and why."
The choice of browser makes a difference, with alternatives to Google Chrome available that are less likely to track your online activity. If you are worried about your browser, take the time to read its privacy information pages, or use one that respects privacy, such as DuckDuckGo, Nigel Jones, co-founder of The Privacy Compliance Hub advises. For Apple users, the obvious choice is Safari, which includes tracking prevention tools, while Brave and Firefox are also considered privacy-friendly alternatives.
Taking back their data
As people become more aware of their privacy and of the implications of data-hungry websites and applications, consumers and businesses both have a role to play. This is especially important as technology develops and concepts such as the metaverse and 5G start to become reality.
Jones thinks people are beginning to recognize that some businesses have been abusing their privacy rights. Now, they're fighting back. As a result, privacy credentials are becoming a unique selling point for businesses, but these need to be built in from the start, Jones says, such as the way Apple is actively selling products based on the iPhone's privacy protection credentials. "Product engineers and designers need to build privacy into their processes, because if they don't, they will lose out to companies that do."