Who Should Win the Tug-of-War over User Data?

This phenomenon was of interest to Sarit Markovich, clinical professor of strategy at the Kellogg School. She’s interested in the relationship between consumer data and public benefit. “That traffic apps became less accurate during the pandemic shows that if you don’t have public data, it’s hurting everyone because there is a public-good aspect to data,” she says.

But the relationship between the acquisition of such data and the public good is a complicated one. Companies can benefit from selling data that individual consumers share while using an app, in which case there’s a large potential commercial benefit to the company but at a cost, or discomfort, to consumers. Or an individual user could use an app only for their own benefit, such as opening a navigation app to plot a route to your destination but then closing the app so it can’t follow you as you drive—a practice Markovich says her father follows. And this, of course, provides no public benefit either.

“That means he gets all the private benefit without contributing to any public benefit, but he’s benefiting from the data others have shared,” Markovich says. This type of dynamic, where people could get the benefit of others’ data without sharing their own, would also apply to contact-tracing apps.

Such scenarios led Markovich to consider who should have more control over consumer data—businesses or users—and when.

From the start, she believed that a nuanced approach would be useful—unlike the black-and-white approaches adopted by many governments. For example, Europe’s General Data Protection Regulation (GDPR) dramatically limits businesses’ control over data, while the U.S. gives companies like Google and Facebook relative carte blanche when it comes to collecting and using data.

“But even having more control over our data as consumers has challenges,” Markovich says. “Like when I’m looking at Europe-based websites to find reading material for my classes, I’m constantly asked if I am willing to ‘accept cookies,’ and I’m trying to be responsible with my privacy, but at some point you just get tired of it and say, ‘Okay, accept all cookies!’ So the control is imposing a cost on the user, and that takes away from the benefits of having that control.”

To take a more systematic approach to understanding how and when to grant users or businesses control over data, Markovich and collaborator Yaron Yehezkel of Tel Aviv University launched a study. They created a model that enabled them to manipulate dimensions including the public benefits of sharing your data and how much discomfort different users felt over sharing specific types of data. Out of that framework came a way of thinking about how much control to assign to users or businesses based on potential public benefits and patterns of discomfort among users.

“There will always be trade-offs among business, consumer, and public benefits,” Markovich says. “Our work helps businesses and regulators think through those in assigning control over data to businesses or individuals.”

A Model of Data Control

It can be hard for researchers to get data from apps like Waze or contact-tracing programs to perform an empirical analysis. So instead of relying on consumer data, they built a mathematical model to explore the above trade-offs.

As they developed their model, the researchers recognized that even on a given platform, consumers will make different data-privacy decisions about different types of information. “You may have no problem sharing your photo or posts on a social-media platform,” Markovich says, “but if the app asks you to share your email address or phone number, that’s where you’re going to stop. We feel more comfortable sharing some data items than others.”

And those aren’t the only important differences to consider. “How uncomfortable people feel will vary across users, too” Markovich says, pointing again to her father’s discomfort with sharing his driving data on Waze versus her more accepting stance, from which she derives a benefit: “If I need to change my route mid-ride, it will let me know.”

Discomfort and Public Benefit

The collaborators then set out to determine who should get more control over the data—businesses or users—based on the type of differences, or heterogeneity, that was most relevant.

A navigation app like Waze or Google Maps, for example, has little discomfort-related heterogeneity in the data items it collects, since information like your location, route, and speed are all pretty similar. So the issue with these apps will most likely be associated with different levels of discomfort among users.

But an app like Facebook, in contrast, would tend to involve differences in discomfort related to specific items. “You may care more about Facebook analyzing your photos and knowing who you are interacting with than Facebook following which ads you click on,” Markovich says. “A given platform will involve both kinds of heterogeneities—across users or data items,” she continues. “But one of those heterogeneities is going to be dominant.”

In their model, they also took into account whether the public benefit associated with the app or platform was high or low—a distinction with important regulatory implications, Markovich explains. Navigation apps have high public benefit, for example, as they can let users know about accidents and traffic jams. On the other hand, Markovich believes an app like Twitter has less public benefit when it comes to user data. For example, providing information on what tweets you read is not necessarily very valuable to other users on Twitter.

A Consideration Framework

Out of this understanding of both discomfort and public benefit, the researchers developed a framework to help specify when control over data should belong to users versus businesses.

For example, they argue that if public benefit is high and discomfort about sharing varies more among users than across data items, such as the case for navigation apps, it’s best to give the business or platform control over data for greater collective benefit. “That’s partly because users can decide whether to join the platform or not,” Markovich says—as illustrated by her father’s decision to often turn Waze off. But if discomfort varies more around data items, as with Facebook, she believes users should have more control.

Additionally, she points out, “as platforms bundle more data items that you are required to share if you join the platform, the inconvenience factor for users goes up.”

A case in point is Facebook’s 2021 announcement that users must allow the platform to collect their personal WhatsApp data, including locations and phone numbers, or risk losing their WhatsApp accounts. So you may have used Facebook before and felt comfortable sharing your pictures and friendship interactions with the company, but now the company also collects data on your phone number and WhatApps usage. Your discomfort level from using the app may have gone up, but you need to agree to this new level if you want to keep using it.

“This strengthens our finding that if heterogeneity is mostly across data items—I care more about sharing my phone number than sharing my photos—regulators should let users have more control over their data,” Markovich says.

A Question of Regulation

The findings have implications for how best to regulate the use of consumer data.

These questions are especially relevant when public health is at stake. For example, Israel is considering releasing data on individuals’ vaccination status for the public good. There’s no easy answer about what’s best or right in such a case, but using a framework like the one Markovich and Yehezkel propose could help leaders think through the trade-offs, with a strong focus on what would drive the most collective benefit.

“They have to consider the trade-offs involved,” she says. “Sometimes if you take control over data away from users, the users will feel their privacy is being invaded. But at the same time, it may be creating way more public benefit that outweighs those costs.”