SessionCam News, Views and Updates

The Ethics of Data Analytics: A Balancing Act Between Privacy and Customer Service

The data collected on individual consumers is rapidly increasing in scope and depth, and this trend will undoubtedly continue as technology becomes a larger part of our lives. The ethical collection of this data within this shift is an important issue that businesses need to take into account, as there is a fine line between the use and misuse of data in many cases.

Setting up a Privacy Policy is the first step towards governing ethical data collection in your business, but this is just the foundation. Internal privacy practices, ethical expectations for staff, and regular auditing of privacy practices are all crucial to maintaining an ethical data collection regime.

The Purpose of Data Analytics


Data on screen

Image: Photo by NEC Corporation of America with Creative Commons license


Data analytics is the practice of collecting, analysing, and interpreting customer data to detect trends and patterns, with the aim of enhancing business productivity and revenue.

In most cases, businesses are collecting data for dual purposes, not just to increase business profits and market more effectively, but also to provide a more tailored and focused customer experience. With 94% of customer insights and marketing professionals agreeing that personalisation of customer experience is “‘important,’ ‘very important,’ or ‘extremely important’”, this type of approach is the key to remaining competitive.

For example, the customer service provided by the Ritz-Carlton is well-known for being over-the-top extreme, for the customer’s benefit. Their CRM system is extensive, and entirely designed to put the care and comfort of their guests first.

However, the CRM is not always useful in every situation: in one case, “a waiter overheard a gentleman musing with his wife, who was in a wheelchair, that it was a shame he couldn’t get her down to the beach. The waiter told maintenance, who passed word, and the next afternoon there was a wooden walkway down the beach to a tent that was set up for them to have dinner in.”

In that situation, the customer experience was still the only thing that mattered, but the fact that the information had been obtained by overhearing a private conversation was put to the side. This is where the question of ethics comes in – is it okay to do something for the benefit of a customer (or even the benefit of the business) without the customer being aware that you are using their data to do so?


Ethics and Privacy


Most of the issues with data analytics arise as a result of a lack of information provided to customers. This can be in the form of non-disclosure of what is being collected, what the purpose of the collection is, or who is collecting the data. This is the point at which collecting customer data can stray from what is ethical.

The reality is that all organisations are “just people”, and different people will have different ideas about what is ethical.

“The ethics around gathering customer information are at best gray,” notes business growth expert Meridith Elliott Powell. “Given that this is a new, somewhat uncharted area, there is still a lot of leeway companies have in the methods they use—and perhaps lines they cross—when gathering data.” A large gulf may also exist between what the customer views as ethical, and what the company views as ethical – so who decides what the right thing to do is?

This is where the law comes in. At a baseline, if you are complying with relevant data privacy laws intended to protect consumers, you can have more certainty that what you are doing is in line with the ethics of what most consumers would expect. Let’s take a look at the laws in the US and EU as examples of what kind of requirements you may expect.


Data Collection Laws


In the US, the most well-known data protection law is the California Online Privacy Protection Act (CalOPPA). This law applies to website operators or online service providers who are dealing with the data of California residents.

CalOPPA’s first requirement is that a website or service operator must “conspicuously post its privacy policy on its Web site, or … make that policy available”. CalOPPA also requires certain clauses to be covered in your Privacy Policy, such as how users can change their information, how the website or service operator will notify users of changes to the policy, and how the operator responds to “do not track” requests.

In the EU, the EU Data Protection Directive is currently in force, and applies to businesses based in the EU that are collecting the data of EU citizens. Its requirements are similar to CalOPPA, but are far more extensive. It requires that data must be kept only as long as necessary, must only be collected for specific, lawful purposes, and the data must not be transferred to a country outside the EU unless that country is deemed to provide “adequate” protection for the data.

However, the EU Data Protection Directive will soon be replaced by the EU General Data Protection Regulation, which will include more stringent requirements on notifying individuals about data collection, new roles such as the Data Protection Officer role, and broader scope, in that it will apply to anyone collecting the data of EU citizens, not just businesses based in the EU.

It’s also important to remember that collecting more data is not necessarily better. Particularly when relevant laws are also considered, it is clear that from a policy perspective governments expect businesses to collect only what they need to serve their purposes, and not excess unnecessary information. Another question to consider is what industry standards apply – for example, when collecting healthcare information there is a whole other set of laws, regulations, and standards that are relevant and important for health organisations to consider.

Internal business ethics should also play a role, and should be established from the CEO to set a company-wide expectation of ethical behaviour. For instance, businesses should have procedures in place so that customer data is accessed on a need-to-know basis only, and CRM information is not available across the organisation.


Have a Good Privacy Policy


The basics of what your Privacy Policy should contain are covered by the relevant data privacy laws in your country. The clauses you need to cover to meet the requirements of both US and EU law are:

  • Disclosing the identity of who is collecting the information
  • Providing a notice that personal data will be collected fairly and only for stated purposes
  • Describing what information you are collecting
  • Outlining how customers can keep their personal data up-to-date and correct, or make other changes
  • Listing contact details for:
    • your business
    • your Data Protection Officer
    • any relevant supervisory authorities
  • Specifying for how long you will keep data
  • Explaining how the customer can access the data
  • Clarifying whether the data might be transferred outside of the US or EU, and if so, where it could go and how it would be protected
  • Including the effective date of the agreement
  • Describing how “do not track” requests will be handled and respected
  • Specifying how and when you will notify individuals of changes to your Privacy Policy
  • Providing details about any third parties which may also collect user data via your website or service, or who may access data collected by your business

If you don’t already have a Privacy Policy, TermsFeed can help you to create one.

The next issue to consider is getting consent to your Privacy Policy and ensuring that customers are made aware of what your privacy practices are. Customer trust and customer relationships will suffer if they want to find out how you deal with their private information, but are unable to. Or, even worse, if you disclose that you are collecting extensive data, but they don’t see your disclosure, customers may feel as if the question has been slipped past them. Without consent, data collection is just creepy, and is not a good look for your business.

For those using SessionCam on their websites, this should be disclosed to customers, and should be noted in your Privacy Policy.

Get Consent

The issue of consent is not just important from a customer perspective, but also from a legal perspective. It is crucial to ensure that your users are legally bound by your privacy policy, by giving them reasonable notice of the policy or terms and getting their clear agreement to it in some way.

Most websites use a method called browsewrap. Browsewrap is where a link to the privacy policy is provided, but the user is expected to find it themselves by browsing through the website. In most cases a browsewrap agreement would not be legally binding on the customer, as they have not had reasonable notice of the terms nor shown their agreement.

Here is an example of browsewrap from Evernote:




You can see that the Privacy Policy is not highlighted in any way to the customer, and is simply presented in small text at the bottom of their website page.

A much stronger method (from a legal perspective) is called clickwrap. Clickwrap is where the user presses a button or checks a checkbox with a statement saying “I agree to the privacy policy”. Most businesses display a clickwrap agreement as a pop-up when the user arrives at the website, or as part of their account creation form or mailing list sign-up.

Here is an example of clickwrap from YouTube:




When displaying your Privacy Policy to customers to get their consent, ensure that particularly important clauses are highlighted. For example, you should ensure that your liability clauses are in bold, and that any particularly detailed data collection processes (such as using SessionCam) are fully disclosed, brought to the user’s attention, and explained so that they know the purpose of the collection.




The ethical issues around data collection and use may at times appear confusing, and it can sometimes be hard to know how to do the right thing. Following relevant data privacy laws is a good starting point, followed by a general respect for the customer’s interests. Ensure that you only collect what you need to, protect that data well, and clearly disclose to customers in your Privacy Policy what exactly you are doing, and for what reason.


Bio: Leah Hamilton is a qualified Solicitor and writer working at TermsFeed, where businesses can create legal agreements in minutes using the Generator.
