Some companies have made the news for collecting and then using customer data in a way that goes against the agreed-upon terms. This is data misuse.
By Michael Akuchie
Last year, Meta — the parent company of the social media platforms, Facebook and Instagram — was fined £344 million ($400 million+) by the Irish Data Protection Commission for utilising forced consent to drive its personalised advertising campaign. The fine came after complaints from Austrian and Belgian authorities were lodged about how the company uses customer data to enhance its advertising. The issue was that Meta updated its Terms of Service, asking new and existing users to accept the revised terms if they wanted to use its platforms.
But this updated Terms of Service included a clause that if accepted, alongside the other terms, allowed Meta to use the data for personalised advertising, which means the algorithms will recommend products and services to users based on their preferences. The Irish Data Protection Commission saw this as a breach of the General Data Protection Regulation (GDPR), one of the world’s strictest data privacy laws.
Data is the new gold in the world of advertising today and companies have realised this. With data, they can understand their target audience better and then design the right products and services to meet their needs. However, some companies have made the news for collecting and then using customer data in a way that goes against the agreed-upon terms. This is data misuse.
It is worth mentioning that Meta is not the only high-profile data misuse case. In 2021, retail giant Amazon was served a hefty fine of €746 million ($887 million) by Luxembourg’s National Commission for Data Protection because it was accused of manipulating customer data for targeted advertising. In 2023, popular social media platform TikTok was also fined €345 million ($370 million) by the Irish Data Protection Commission for breaching child data privacy laws under the GDPR. Regarding TikTok, the Irish data privacy watchdog claimed that the social media platform did not provide enough clarity on how it used children’s data, thereby raising alarm over their privacy. Telecom giant T-Mobile publicised the terms of a class action settlement in 2022 following a major data breach which affected nearly 77 million people the year before. The breach led to a sizable chunk of T-Mobile customer data being put on sale in an online forum frequented by cybercriminals.
There are three main kinds of data misuse; commingling, personal benefit, and ambiguity. Commingling happens when a business collects information from a particular demographic for a specific purpose and reuses the data for a separate project. A classic example is when a company collects data for research and development but still repurposes the data for marketing. This kind of misuse is prompted by the fact that the company can easily access the data and use the information as they please from their end.
Unlike commingling, the personal benefit type of data misuse happens when one or more company workers with access to consumer data abuse the information for their needs. For instance, they could sell the data to rival companies and dark websites, thereby exposing people to various cyber crimes including identity theft, phishing, and credit card fraud.
Data misuse done out of ambiguity refers to the situation where an organisation is unable to explain clearly how it collects data and what it intends to do with customer records. Ambiguity gives the company free rein to do just about anything with the data since it does not shed light on the reason behind the collection.
Data misuse opens up a world of negative possibilities that affect both companies and customers. Companies risk being the recipient of multiple lawsuits and a future of legal battles that will not only give them bad press but could reduce the confidence of investors. They also risk being fined hefty sums by regulatory bodies as seen in the case of Meta and the Irish Data Protection Commission, as is the case with Amazon TikTok and T-Mobile.
For customers, the consequences of data misuse are equally distressing. They risk being victims of cyber crimes such as identity theft and phishing. While identity theft is the act of using someone else’s personal or financial information to commit a crime, phishing refers to the practice of sending emails designed to look like they originated from a genuine source to deceive unsuspecting targets into revealing sensitive details such as credit card info and account passwords. Another notable consequence of data misuse is that it negatively impacts the trust customers have in a company. A serious case of data misuse could cause users to stop patronising a brand, thereby reducing profit which could cause operational problems for the company in the near future. A confirmed case of data misuse could also make it difficult for companies to reach customers because the latter may be unwilling to give consent.
As seen in this essay, data misuse can cause detrimental problems to both companies and customers, making it an issue that should be avoided at all costs. Today, we supply personal information to websites for virtually everything on the internet, such as opening a bank account, making an online payment, and creating a custom website. Upon collecting these data, companies must not only safeguard the information from internal and external threats but ensure that they are used as intended. Organisations should also strive to comply with the existing privacy regulations by making their terms and conditions free of ambiguous clauses. Adopting these strategies will help them to stay on the right track with customers and regulators.
Companies must honour the trust that users have conferred on them by protecting and utilising personal data correctly. A major step in proactively managing data will be to avoid any form of ambiguity in how a company collects and uses data. Companies should endeavour to be transparent in how they handle customer data as it not only helps them to avoid regulatory issues but it affirms users’ faith in them. Proper in-house security measures should also be adopted by organisations to discourage employees from selling customer data to the dark web or rival companies which would give them access to business’s trade secrets and intellectual property. Some strategies to do this include limiting access to customer data to employees with certain clearance levels and implementing multi-factor authentication as part of the criteria to access the data.
Michael Akuchie is a tech journalist with four years of experience covering cybersecurity, AI, automotive trends, and startups. He reads human-angle stories in his spare time. He’s on X (fka Twitter) as @Michael_Akuchie & michael_akuchie on Instagram.
Cover Photo: Virgin Media Data Breach