Using technology leaves a trace, and that trace is invaluable for anyone who is after one’s disposable income. That is the new nature of the virtual world of ecommerce. A series of services trade convenience for information, leaving what is known as a digital footprint. The aggregate, almost endless quantity of consumer data is the main source of inspiration for many business strategies and has revolutionized a spectrum of domains ranging from marketing to product development. Whether Netflix is suggesting a movie a user may like or Amazon is recommending camping gear after a conversation about weekend activities, consumer data is the source of all marvels. But this comes at a price. The data-driven, now data-centric landscape has given rise to serious concerns about how information is gathered, retained, handled, and disposed of. User privacy is at the heart of many conversations in streaming service boardrooms. Organizations are navigating this complex domain with one word in mind: Balance. Can they balance harnessing the value of data with protecting consumer privacy? What is the balance between the price of privacy and the value of convenience?
A Fine Balance
Many factors can explain the exponential growth of awareness around consumer data privacy in the last decade. First, the rise in frequency, impact, and—more important—commonality of high-profile data breaches, such as the 2017 Equifax incident affecting 147 million people1 and the 2018 Marriott breach exposing up to 500 million guest records.2 These incidents put millions of consumers at risk of identity theft, financial fraud, and monetary loss. Trust in an organization’s ability to safeguard sensitive information has been eroded, and the public now needs assurance beyond mere statements and annual reports that strong data protection measures are in place. At the same time, organizations have multiplied their data collection power through the rapid progress of technology, and most of that collected data is personal data. Examples are everywhere, from Amazon Echo, a single device that can collect data about multidimensional patterns (e.g., a user’s favorite music, shopping transactions, daily routines), to more and more elaborate platforms monitoring most user behavior through tracking pixels.
As privacy concerns started mounting, authorities worldwide introduced regulations that mandate data protection with varying degrees of stringency. Some common examples include the EU General Data Protection Regulation (GDPR)3 and the US State of California Consumer Privacy Act (CCPA).4 These regulations—some with financial enforcement powers, some without—have raised the standard for data privacy, security, and management, prompting organizations to take stock of how they handle data, from acquisition to disposition. Recent surveys also indicate that data privacy has taken the front seat in consumers’ minds, with 68% of global consumers expressing concern about their online privacy5 and 92% of Americans worrying to some extent about their data privacy when using technology.6
Even with privacy risk in mind, the promise of data should be recognized. Data is shaping not only enterprises and the consumer experience, but society as a whole. Use cases rival one another in ingenuity and convenience, such as Target using purchase history to predict customer life events and adapting their micro-marketing campaigns accordingly7 or Progressive Insurance leveraging telematics devices to personalize car insurance rates based on driving behavior.8 Enterprises are becoming lifestyle partners, and data is the currency of this relationship. With data-driven insights, enterprises can tailor products, services, and communication to each consumer, resulting in greater satisfaction, retention, and demand. This mutually beneficial relationship can also be illustrated through the example of Spotify’s artificial intelligence (AI)-generated playlists, which analyze user listening history to create personalized music recommendations.9
Healthcare is another application with promising results. The Mayo Clinic uses advanced data analytics to increase the likelihood of treatment success, with strict privacy protocols providing a safety guardrail to protect patients’ integrity.10 On the other side of the industry spectrum, financial giants such as JP Morgan11 apply multiple layers of security to customer financial data, all while leveraging it to detect potential fraud via transaction patterns. Across industries, successful utilization of data boils down to striking a balance between data utility and consumer privacy to leverage what is needed without risking trust—and it takes skill.
Data Privacy in Action: From Principles to Practice
Harnessing data for business value while preserving customer privacy is a dynamic science that relies on multiple principles. First, data minimization:12 Organizations must collect just enough data to derive meaningful insights and nothing more. Determining where to draw that line depends on the type of data, its source, and its quality. Another principle is transparency, as providing clear and digestible information on how the data is collected and used is key to gaining and maintaining consumer trust. It is like a moral contract. Compliance is also critical as regulatory pressure continues to increase in complexity and intensity, making it challenging to navigate privacy regulations and implement appropriate compliance measures, especially when an organization operates in multiple jurisdictions. Finally, security comes into play, as the technical controls to prevent breaches and data loss need continuous investment in resources, maintenance, and evolution.
To leverage data in alignment with these principles, organizations have adapted their products and value chains. Consider Apple's Privacy Nutrition Labels,13 which provide clear, easily digestible information about app data collection practices. Google has adopted differential privacy techniques in its Chrome browser to collect useful aggregate data while protecting individual user privacy.14 Microsoft's Azure Confidential Computing15 allows organizations to process sensitive data in the cloud while keeping it encrypted, even during computation.
Organizations are also experimenting with implementing privacy-enhancing technologies (PETs). Case in point, PayPal uses tokenization16 to process payment transactions without exposing actual credit card numbers. Similarly, Meta offers interoperable encryption that allows secure messaging across its portfolio of platforms.17 Companies such as Intel18 and AMD19 are developing secure enclaves in their processors to create trusted execution environments for sensitive data processing.
Creating a Conducive Environment
Much of the responsibility for balancing data value with privacy protection falls upon the organization and its leadership, as it should inform the strategic and operational decisions made every day. However, a supportive environment is also crucial to achieving the value–privacy balance. It starts with a clear, scalable regulatory framework that allows methodical implementation of data collection, usage, and protection controls, without impeding innovation and economic growth. Responsibility for such a framework lies with the authorities, typically governments. It also relies heavily on industry cooperation and a space favorable to professional bodies that can set standards in coordination, rather than hyper-fragmented, unsynchronized best practices that vary in granularity and scope, which would have the opposite effect, encouraging self-regulation and inaccessibility of what should be an industry imperative.
Emerging Trends in Data Privacy and Protection
Over the next decade, notable trends are likely to shape the future of consumer privacy and the use of data. Industry leaders have integrated this balance into their operations. Consider Tesla, which has been dubbed a “data company”20 for its utilization of vehicle fleet data to improve autonomous driving. Meanwhile, healthcare providers use federated learning to improve diagnostic models, without the need to share sensitive patient data with other institutions.21
AI Regulation and Governance
The use of AI in data analysis is growing, and decisions must be made through a strong privacy protection lens—one that considers both algorithmic transparency and fairness. The adoption of the EU AI Act22 in 2024 set a precedent for AI-centric regulation globally, resulting in a movement of anticipation and preparation for stricter requirements when it comes to the transparency, fairness, and accountability of AI in data processing. The regulatory framework in the European Union, and the ones that would follow, such as the UK AI Opportunities Action Plan,23 are expected to have a significant influence on how organizations handle AI-driven data processing globally.
Enhanced Protection for Vulnerable People
Vulnerable people often pay a double price in the data economy: first in how their data is collected (often without their knowledge), then how it shapes decisions affecting their lives, which, again, often makes their vulnerability even more acute. This is especially true for children, and the privacy reforms enacted by the US State of California in 2024 tend to confirm that. Specifically, Senate Bill 122324 expanded "sensitive data" to include neural and biometric information, and the attempted AB 194925 would have required explicit authorization to process minors' data. These efforts have prompted the industry to adapt by implementing, for example, stronger age verification controls and consent systems.26
Advanced Privacy Technologies
PETs are gaining traction as part of the solution to achieve a value–privacy balance. For example, with fully homomorphic encryption (FHE) and data clean rooms,27 data sharing and analysis activities can be conducted without exposing personal information. Use cases such as these allow organizations to achieve the value–privacy balance that is key for responsible data exploitation. In the cases of Intel and AMD, secure enclaves in their processors create trusted execution environments for sensitive data processing to take place.
Regulatory Harmonization and Enforcement
More awareness of data protection challenges results in more regulation, which means, without harmonization, more complexity. Standardizing, or simply aligning, requirements would streamline compliance for multinational organizations operating across jurisdictions. Achieving full alignment is a daunting task in terms of negotiation, translation, and cooperation, but the upside presents a strong value proposition, as simpler, worldwide requirements would make data privacy capabilities easier to build. Furthermore, in the past 5 years, the regulatory landscape witnessed an uptick in enforcement activity, with a significant rise in privacy-related lawsuits and regulatory actions.28 This trend is expected to continue, not necessarily due to a lack of compliance, but because more cases will be encountered and discovered through PETs and additional audits. Regulators will likely be more and more aggressive in enforcing data privacy laws and imposing substantial penalties for noncompliance.
Practical Implementation Steps
There are several steps organizations can take to ensure that they are prepared for emerging privacy trends.
Assess and Classify
Organizations must enhance their privacy practices with a comprehensive, layered approach that combines proactive assessment, clear policies, and ongoing training. Essentially, this takes the form of privacy impact assessments to be conducted by the enterprise. These assessments assist organizations in a structured manner to identify their potential privacy risk in the data ecosystem and help develop the appropriate policies to counter them.
The next stage of assessment is the deployment of complex data classification systems, which have the added advantage of contextual awareness. In contrast to simple classification rules, a contemporary framework can track data usage in real time. For instance, if customer service representatives frequently need to reference certain fields together, the system could automatically suggest grouping these fields and apply consistent privacy controls. This privacy-by-observation approach helps align protection measures with real operational needs.
Manage the Data Life Cycle
Building on this foundation, organizations need clear data life cycle management powered by intelligent tracking. Consider a system that maintains a data biography, tracking not only when data was collected but also how it transforms and combines with other data over time. This biographical approach helps organizations understand the full privacy implications of their data use. For example, unremarkable location data, when combined with product sales records over a period of time, can reveal sensitive details that call for enhanced safeguards.
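A data biography of the kind described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the level names, the escalation rule (location plus purchases linked for 30 or more days becomes "restricted"), and all dataset names and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

LEVELS = ["public", "internal", "confidential", "restricted"]

# Assumed policy, not from the article: category combinations that become
# more sensitive than either parent once linked for at least min_days.
ESCALATIONS = [({"location", "purchases"}, 30, "restricted")]


@dataclass
class Dataset:
    name: str
    categories: frozenset
    level: str
    first_day: date
    last_day: date
    biography: list = field(default_factory=list)  # ordered lineage events

    @property
    def span_days(self):
        # Zero when the observation window is empty (no overlap after a join).
        return max(0, (self.last_day - self.first_day).days + 1)


def collect(name, category, level, first_day, last_day, source):
    ds = Dataset(name, frozenset({category}), level, first_day, last_day)
    ds.biography.append(f"{name}: collected from {source} at level {level}")
    return ds


def combine(name, left, right):
    """Join two datasets. The result inherits both biographies and the
    strictest parent level, then escalation rules are evaluated."""
    ds = Dataset(
        name,
        left.categories | right.categories,
        max(left.level, right.level, key=LEVELS.index),
        max(left.first_day, right.first_day),  # overlapping window only
        min(left.last_day, right.last_day),
        left.biography + right.biography,
    )
    ds.biography.append(
        f"{name}: joined {left.name} + {right.name}, {ds.span_days} linked days")
    for combo, min_days, new_level in ESCALATIONS:
        if (combo <= ds.categories and ds.span_days >= min_days
                and LEVELS.index(new_level) > LEVELS.index(ds.level)):
            ds.biography.append(
                f"{name}: escalated {ds.level} -> {new_level} "
                f"({sorted(combo)} linked >= {min_days} days)")
            ds.level = new_level
    return ds


def demo():
    # Constructed sample datasets.
    loc = collect("store_visits", "location", "internal",
                  date(2024, 1, 1), date(2024, 3, 31), "mobile app")
    sales = collect("sales", "purchases", "internal",
                    date(2024, 2, 1), date(2024, 4, 30), "point of sale")
    week = collect("promo_week_sales", "purchases", "internal",
                   date(2024, 2, 1), date(2024, 2, 7), "point of sale")
    return combine("visit_sales_profile", loc, sales), combine("promo_report", loc, week)


if __name__ == "__main__":
    for ds in demo():
        print(ds.name, "->", ds.level)
        for event in ds.biography:
            print("   ", event)
```
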
Build Privacy Into Resilience Plans
Organizations can also integrate privacy fire drills into incident response. These exercises would replicate different types of data breaches. The mock sessions should include situations where the breach is not readily apparent, such as a third-party vendor slowly leaking data. A privacy incident post-mortem is just as essential. This procedure sheds light on the causes of privacy-related close calls or minor events and helps prevent more damaging breaches.
Distribute Privacy Expertise
When implementing such strategies, rather than depending solely on the appointed privacy champions, organizations must endeavor to disseminate privacy expertise throughout their teams. This means creating hands-on opportunities for all employees to work with privacy tools and technologies in safe testing environments. When people discover the capabilities and limitations of privacy measures through direct experience, they develop an intuitive understanding that goes beyond following prescribed rules. A customer service representative who has experimented with data anonymization techniques, for example, will make better decisions about handling sensitive information than someone who is merely abiding by a policy document.
The goal is to develop what one might call privacy muscle memory across the organization—where protecting personal information becomes as natural as locking the door after leaving home. This distributed expertise makes organizations more resilient, as they do not have to depend on a handful of privacy specialists who might leave or be unavailable when needed. It also leads to better privacy solutions, since people who work directly with data and customers can spot potential issues and opportunities that might not be visible from a purely theoretical perspective.
This strategy recognizes a fundamental truth about privacy in contemporary organizations: It is too essential and too fraught with nuance to be left to a group of advocates alone. Every individual engaging with data should become competent in its effective protection.
Augmented training could be achieved via shadowing-style privacy programs where employees from respective departments observe various roles in privacy decision making. A member of the marketing team can, for example, shadow the security team to appreciate the technical aspects of data collection decisions, while the IT team can visit the customer service department to gain a clearer understanding of the effect of privacy controls on operations.
Use Advanced PETs
Beyond these techniques, organizations have an option to embed PETs such as federated learning, where machine learning models are trained on distributed data without centralizing sensitive information. Through data separation, enterprises can still retain insights while personal data remains under the control of individual users. The other alternative is differential privacy budgeting, where organizations explicitly track and limit the cumulative privacy impact of their data analysis over time.
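Differential privacy budgeting, as described above, can be illustrated with a small ledger that charges each query's epsilon against a fixed cap and refuses further releases once the cap is reached. This is an added example, not code from the article; the cap of 1.0, the per-query epsilons, the analyst name, and the sample records are assumptions constructed for illustration, and the accounting uses basic sequential composition.

```python
import math
import random


class BudgetExceeded(Exception):
    """Raised when a query would push cumulative epsilon past the cap."""


class PrivacyBudget:
    """Per-dataset epsilon ledger using basic sequential composition
    (the epsilons of successive releases add up)."""

    def __init__(self, total_epsilon):
        if total_epsilon <= 0:
            raise ValueError("total_epsilon must be positive")
        self.total = total_epsilon
        self.ledger = []  # (analyst, purpose, epsilon), kept for audit

    @property
    def spent(self):
        return math.fsum(eps for _, _, eps in self.ledger)

    @property
    def remaining(self):
        return max(self.total - self.spent, 0.0)

    def charge(self, analyst, purpose, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise BudgetExceeded(
                f"{purpose!r} needs {epsilon}, only {self.remaining:.2f} left")
        self.ledger.append((analyst, purpose, epsilon))


def laplace_noise(scale, rng):
    # The difference of two i.i.d. exponentials is Laplace(0, scale).
    # Illustrative only: production systems should use a vetted DP library,
    # since naive floating-point sampling can leak information.
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def private_count(records, predicate, epsilon, budget, analyst, purpose, rng):
    """Counting query (sensitivity 1), so the Laplace scale is 1/epsilon."""
    budget.charge(analyst, purpose, epsilon)  # refuse before touching the data
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def demo():
    rng = random.Random(7)  # seeded only so the demo is repeatable
    records = [{"age": a} for a in (17, 22, 35, 41, 16, 58, 29, 15)]  # constructed
    budget = PrivacyBudget(total_epsilon=1.0)  # assumed cap
    queries = [("minors", lambda r: r["age"] < 18, 0.5),
               ("over 30", lambda r: r["age"] > 30, 0.3),
               ("minors again", lambda r: r["age"] < 18, 0.5)]
    answers, refused = [], []
    for purpose, pred, eps in queries:
        try:
            answers.append((purpose, private_count(
                records, pred, eps, budget, "analyst-1", purpose, rng)))
        except BudgetExceeded:
            refused.append(purpose)
    return answers, refused, budget


if __name__ == "__main__":
    answers, refused, budget = demo()
    for purpose, value in answers:
        print(f"{purpose}: {value:.1f}")
    print("refused:", refused, "| spent:", budget.spent, "| left:", budget.remaining)
```

The third query is refused because repeating the "minors" count would let an analyst average away the noise; the ledger makes that cumulative cost visible and auditable.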
Aim for Sustainable Privacy Governance
Enterprises can also apply a privacy debt-tracking approach to privacy governance, much as software developers track technical debt. Here, temporary privacy compromises are made in order to complete day-to-day operations, but these exceptions are documented correctly and addressed over time. For instance, an emergency might call for a temporary configuration change in a data access management tool. The incident would be labeled a privacy debt, which would need to be paid by applying the appropriate controls or otherwise improving the process.
The third-party audit process can be improved through constant monitoring as opposed to point-in-time assessment. Automated tools routinely examine privacy-related changes in systems and processes and prioritize them for user review. This way, the whole assurance process is more interactive and lends itself to a quick response.
Last, organizations should consider the establishment of a privacy innovation fund—resources specifically reserved for the exploration of new technologies and processes for privacy preservation. This ensures that privacy protection is dynamic and adjusts to new technology and emerging confidentiality expectations.
The crux of the matter is establishing a privacy framework that behaves like a living thing and is self-learning and self-adapting. Privacy is not merely a compliance issue, but a vital and dynamic aspect of the organization that needs constant rethinking and renewal.
Conclusion
In the digital economy of today, the balancing of data and consumer privacy has emerged as both complicated and vital. Organizations can capitalize on data through ethical means by endorsing privacy-oriented designs, harnessing technology, and creating an enterprise culture where data is managed responsibly. Enterprises that effectively maneuver this by adapting to the rules of regulation and fast-increasing consumer expectations will see the most success in a market where consumers seem to care more about privacy by the day.
However, organizations must be one step ahead of new developments, especially in areas such as AI regulation, vulnerable users’ privacy, and PETs. The first organizations to adopt these modifications while maintaining current privacy practices will be the best at tackling shifting privacy landscapes and assuring their stakeholders.
A data ecosystem profitable for enterprises and society is the endgame. This ecosystem must be driven by the needs of the consumer to build trust, increase innovation, and drive economic growth in the digital age.
Endnotes
1 Federal Trade Commission, “Equifax Data Breach Settlement,” USA, November 2024
2 Finkle, J.; Panchadar, A.; “Marriott's Starwood Database Hacked, 500 Million May Be Affected,” 30 November 2018
3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation [GDPR])
4 Cal. Civ. Code § 1798.100 et seq.
5 Fazlioglu, M.; “Most Consumers Want Data Privacy and Will Act to Defend It,” IAPP, 22 March 2023
6 TrustArc, “Data Privacy: Major Concern for Consumers”
7 Duhigg, C.; “How Companies Learn Your Secrets,” The New York Times, 16 February 2012
8 Progressive, “What Is Usage-Based Insurance?”
9 Spotify, “AI Playlist Is Rolling Out in Beta in the US, Canada, Ireland, and New Zealand—Get Started With These Pro Tips,” 24 September 2024
10 Murphy, S.; “Mayo Clinic’s Data-Driven Quest to Advance Individualized Medicine,” 30 October 2024, Mayo Clinic
11 PYMNTS, “Collaborative Defense: The Role of ‘Intelligent Friction’ and AI in Fraud Prevention,” 13 August 2024
12 Engfeldt, H.; Dehareng, E.; “Data Minimization: An Increasingly Global Concept,” IAPP, 7 May 2024
13 Apple, “Privacy – Labels”
14 Google, “Privacy and Terms”
15 Microsoft, “Azure Confidential Computing”
16 PayPal Developer, “Payflow Gateway Tokenization”
17 Meta, “Messaging Interoperability”
18 Intel, “Intel SGX: Enclave
19 Kammel, F.; Ylinen, M.; et al.; “Confidential Kubernetes: Use Confidential Virtual Machines and Enclaves to Improve Your Cluster Security,” 6 July 2023
20 Mixson, E.; “Tesla: Automaker or Data Company?,” AI Data and Analytics Network, 16 November 2020
21 Ng, D.; Lan, X.; et al.; “Federated Learning: A Collaborative Effort to Achieve Better Medical Imaging Models for Individual Sites That Have Small Labelled Datasets,” Quantitative Imaging in Medicine and Surgery, vol. 11, iss. 2, 2021, p. 852-857
22 Future of Life Institute, “The EU Artificial Intelligence Act: Up-to-Date Developments and Analyses of the EU AI Act”
23 Deniston, K.; “What Is the Impact of the New “AI Opportunities Action Plan” on UK AI Regulation? Our 3 Key Insights,” Bird & Bird, 17 January 2025
24 Legal.io, “California Extends Data Privacy Protections to Brain Waves with SB 1223”
25 Digital Democracy, “AB 1949: California Consumer Privacy Act of 2020: Collection of Personal Information of a Consumer Less than 18 Years of Age”
26 Dumitrascu, M.; “Age Verification and Data Protection: Far More Difficult than it Looks,” International Association of Privacy Professionals, 7 January 2022
27 Massey, A.; Data Clean Rooms: A Taxonomy & Technical Primer, Future of Privacy Forum, USA, 2024
28 RadarFirst, “11 Privacy Regulatory Enforcement Trends
Adam Ennamli, CSP, ITIL
Is the chief risk, compliance, and security officer at the General Bank of Canada, where he leads enterprise-wide risk programs. Drawing on 15 years of leadership experience across global financial and technology institutions including Morgan Stanley, Thomson Reuters, and the National Bank of Canada, he specializes in transforming risk management and compliance frameworks. Ennamli has pioneered innovative approaches to cybersecurity, sustainability, and regulatory compliance that directly impact strategic growth.