Privacy in Practice: Ethics vs. Compliance

Author: Safia Kazi, AIGP, CIPT
Date Published: 1 January 2025

Discussions about privacy often devolve into lamentations about how complex the privacy regulatory landscape is, and for good reason. More than 130 countries have privacy laws,1 and enterprises may also need to comply with sector-specific privacy laws and regulations, e.g., for healthcare-related data. While being compliant is imperative, it should not be the ultimate goal of privacy professionals. Compliance should be the floor and not the ceiling for privacy programs, and acting ethically should be a larger priority. Considering ethics alongside compliance can enable enterprises to better support consumers, act fairly and transparently, and build trust with data subjects.

Why Ethics Matters

Existing privacy regulations have varying degrees of coverage and varying consumer protection. Consumers may have the right to file a lawsuit in certain jurisdictions, while in others, they have no legal recourse in the event of enterprises not adequately protecting their data. But consumer protection should not be based on jurisdiction, and the burden of privacy belongs to enterprises, not end users.

Most consumers are not privacy experts; privacy is the responsibility of enterprises, not consumers. Acting ethically requires that enterprises take on the burden of protecting their consumers, even if applicable laws and regulations do not mandate it.

In September 2024, concern grew over the social media platform LinkedIn changing user settings to default to allowing permission for the site to use personal data and content to train generative artificial intelligence (AI) models.2 Many users found out about this change to settings through social media posts, not through direct communication by LinkedIn. However, LinkedIn users in the European Union, European Economic Area, and Switzerland were not automatically enrolled in sharing their data. But why do people in certain regions have more privacy- and intellectual property-preserving default settings? Taking advantage of customers in certain jurisdictions simply because the law does not protect them is unethical, and relying merely on compliance requirements to guide enterprise activities can lead to this abuse.

Direct-to-consumer Internet of Things (IoT) devices are also frequently rife with ethical issues. A watch geared toward parents that collects location, video, audio, and vitals is on the market in the United States with no privacy policy for the watch or its associated app.3 Buyers of this watch have no way to know what happens to the sensitive, granular information the device collects. One review website calls this watch a “worthwhile purchase,”4 despite the unavailability of a privacy policy. Parents may purchase this watch with their children’s best interests in mind, but the watch developers may not share their customers’ priorities. Many app developers likewise require permissions that are unnecessary for functionality, e.g., a social media app requesting access to health information.

Unfortunately, ethics is not highly valued in many industries. Only 15% of respondents to an ISACA survey about cybersecurity said that honesty is an important soft-skill trait for security professionals.5

Compliance is not Synonymous With Ethics

Enterprises can be compliant with all applicable laws and regulations but still not behave ethically. A study on vehicle manufacturers’ privacy practices exemplifies this: All 25 car manufacturers investigated in a privacy study conducted in the United States received a failing privacy score. These car companies can collect information about users’ medical history, sex life, and genetic information, and most of them share or sell data.6 These vehicle manufacturers claim that users have consented to this excessive data processing, in some cases simply by being inside the car. Other than not purchasing the car or not being inside it, consumers have little ability to oppose this excessive data collection. Car manufacturers (in the United States at least) were able to get away with this excessive data collection because no law or regulation prohibited it,7 but the practice is viewed by many as unethical, highlighting how being compliant does not necessarily mean acting ethically.

Additionally, the mere presence of a privacy law or regulation does not mean enterprises will comply. Some have argued that paying a lofty fine or penalty is simply the cost of doing business.8 Enterprises whose business model relies on unethical privacy practices may find that fines and penalties are considerably lower than the cost of compliance would be. One enterprise that has created a facial recognition database has regularly been hit with fines and even been banned in certain countries, but the cost of compliance would outweigh the revenue it earns from its current-state operations.9

Proactivity vs. Reactivity

Enterprises whose sole goal is mere compliance are in a reactive position; the privacy regulatory landscape is rapidly evolving, so enterprises prioritizing compliance above all else have to deal with constantly shifting goalposts.

ISACA’s State of Privacy 2025 report, which contains findings from ISACA’s most recent privacy survey, has insights from privacy professionals around the world.10 The survey asked respondents if their board of directors viewed privacy programs as compliance driven; ethically driven; a competitive advantage; or some combination of compliance, ethics, and competitive advantage. Numerous trends emerged when looking at the respondents who said their board viewed privacy programs as being purely compliance driven.

The rapidly changing nature of the privacy regulatory landscape has made the role of privacy professionals more stressful. But those at enterprises that are purely compliance driven tend to feel more stressed: 68% of respondents at enterprises whose boards view privacy from a compliance perspective said their role is more stressful now than 5 years ago, compared to 63% for total respondents.

While compliance is essential, having a primarily compliance-driven approach to privacy does not simplify compliance activities. In fact, survey results hint at the opposite. Only 36% of respondents whose boards view privacy purely from a compliance perspective feel confident in their organization’s ability to ensure the privacy of its sensitive data compared to 44% for enterprises whose boards view privacy from an ethical perspective.

Enterprises with boards that view privacy from a purely compliance-driven perspective are also less likely to use AI for privacy-related tasks. Only 9% of those whose boards view privacy as compliance driven use AI for privacy tasks, compared to 11% of total respondents and 14% of respondents whose boards view privacy programs ethically. Forty percent of respondents in organizations that were primarily compliance driven said they have no plans to use AI for privacy-related tasks, compared to just 24% of organizations whose boards viewed privacy ethically.

The reason for this disparity may be the lack of regulatory guidance around the safe and ethical use of AI. While some laws and regulations exist around the use of AI, they are not very prescriptive. Enterprises relying on compliance to guide their activities may be reluctant to adopt AI because they have no regulatory starting point for safe, ethical use of the technology. Additionally, the resource-intensive nature of AI could be at odds with organizational environmental, social, and governance initiatives.

Figure 1. Obstacles in Compliance-Focused Enterprises

To be fair, some enterprises may have to operate from a compliance focus rather than an ethical focus due to a lack of resources. With fewer tools and staff at their disposal, some privacy teams may not have the bandwidth to do more than the bare minimum compliance requirements. Figure 1 compares some differences between enterprises whose boards view privacy as purely compliance driven vs. survey totals. This may indicate that prioritizing ethics can require more resources and that some enterprises with limited resources prioritize compliance over ethics. Given the consequences associated with noncompliance, it is understandable that some enterprises focus on legal mandates rather than ethical imperatives.

Ethics as a Competitive Advantage

While enterprises must consider compliance, ethics can set them apart from competitors who disregard ethical concerns. Nearly half of consumers surveyed in the United States (45%) consider themselves to be ethical consumers.11 Organizations that prioritize ethics can better connect to consumers who value ethics, which can potentially improve revenue.

Prioritizing ethics can also make compliance-related obligations easier to attain. Twenty-nine percent of survey respondents in enterprises with compliance-driven boards find it easy or very easy to identify/understand privacy obligations compared to 37% of respondents with boards that view privacy ethically. Better understanding and meeting compliance requirements can allow enterprises to avoid the reputational harm that comes with high-profile noncompliance incidents and the loss of trust with customers.

Twelve percent of all survey respondents indicated that they experienced a material privacy breach in the last 12 months, but 14% of respondents whose boards view privacy as compliance driven experienced a breach. This indicates that focusing solely on compliance does not necessarily mean that data subjects are protected, once again highlighting that compliance is not a guarantee of data protection.

Conclusion

Privacy professionals have a plethora of laws and regulations with which they may need to comply. Prioritizing compliance is important, but it should not be the end-all-be-all goal for enterprises. Pursuing ethical objectives and compliance requirements can help to ensure that privacy programs are more comprehensive and better protect privacy. Enterprises that value ethics can help create a digital world that is safe, trustworthy, and more user friendly.

Endnotes

1 Apacible-Bernardo, A.; Fischer, L.; “Identifying Global Privacy Laws, relevant DPAs,” IAPP, 19 March 2024
2 Davis, W.; “LinkedIn is Training AI Models on Your Data,” The Verge, 18 September 2024
3 Mozilla Foundation, “Angel Watch”
4 Habas, C.; “Angel Watch Review,” Safe Wise, 8 July 2024
5 ISACA®, State of Cybersecurity 2024, 1 October 2024
6 Caltrider, J.; Rykoiv, M.; et al.; “It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy,” Mozilla Foundation, 6 September 2023
7 Some US legislators are working toward proposing legislation to protect driver privacy. See press release “Merkley Launches Effort to Protect Driver’s Privacy,” 26 September 2024
8 Maniaci, M.; “Huge Government Fines Are Just the Cost of Business,” Medium, 22 June 2023
9 Corder, M.; “Clearview AI fined $33.7 Million by Dutch Data Protection Watchdog Over ‘Illegal Database’ of Faces,” Associated Press, 3 September 2024
10 ISACA®, State of Privacy 2025, January 2025. The report will be available after 21 January 2025 at https://www.isaca.org/resources/privacy
11 Fleck, A.; “Where Do U.S. Consumers Stand on Ethical Consumption?,” Statista, 5 June 2024

SAFIA KAZI | AIGP, CIPT

Safia Kazi is a privacy professional practices principal at ISACA. In this role, she focuses on the development of ISACA’s privacy-related resources, including books, white papers, and review manuals. Kazi has worked at ISACA for more than 10 years, previously working on the ISACA Journal and developing the award-winning ISACA Podcast.