Cybersecurity Series 2019 Cps
CISCO CYBERSECURITY SERIES 2019 Consumer Privacy Survey
NOVEMBER 2019
Consumer Privacy Survey
The growing imperative of getting data privacy right
Contents
Introduction
Results
Conclusion
Introduction
Most people today understand it's beneficial and often necessary to provide certain
personal information to companies and applications they use in order to receive the
benefits of products, services, and business relationships. At the same time, they're
increasingly concerned about protecting their privacy and personal data.
1 Australia, Brazil, China, France, Germany, Italy, India, Japan, Mexico, Spain, UK and US.
Results
Insight 1: People care about privacy, and a surprisingly large number have already taken actions to protect it

Over the past few years, the public has become more vocal in expressing that they care about data privacy. The big question has been whether they are willing to act, for instance, by giving up certain benefits or paying more to have stronger protection and control. On one hand, many experts and the media have expressed the view that there are very few users who take actions to protect their own privacy.2 On the other hand, user awareness has recently increased in the wake of the EU’s GDPR – which requires disclosures to users about their rights – and constant headlines of data breaches affecting billions of records and millions of users.

2 Sample headlines: “You don’t care enough about your data. This is why”, World Economic Forum, June 26, 2018. “Why You Don’t Care About Internet Privacy”, Medium.com, May 24, 2018. “Privacy is Completely and Utterly Dead, and We Killed It”, Forbes, August 19, 2014.

With this Cisco Consumer Privacy Survey of 2019, we sought to better understand user behaviors and how far they are willing to go (and have gone) to protect their data privacy. Based on the survey responses, we have identified a surprisingly large segment of the population that indicates it cares about data privacy, is willing to act, and in fact has already acted. This segment, which we are calling “Privacy Actives”, accounts for nearly one-third of all respondents.

are willing to act to protect it. They are willing to spend time or money to keep their data safe, they see data privacy as an important factor influencing their buying decisions, and they expect to pay more for products and services with better protection. Among these respondents, nearly half (48%) indicated they had already switched companies or providers because of their data policies or data sharing practices. Putting all these attributes together, we have a segment of 32% of all respondents who care about data privacy, are willing to act, and have already taken action to protect their privacy. (See Figure 1.)

Figure 1 The Privacy Actives Segment (N=2601)
84%: I care
• I care about data privacy
• I care about protecting others
• I want more control
80%: and I’m willing to act
• I am willing to spend time and money to protect my data
• This is a buying factor for me
• I expect to pay more
48%: and I’ve acted
• I have switched companies or providers over their data policies or data sharing practices

These Privacy Actives are not only sizable, they also represent an attractive demographic for companies selling to them. Compared to the rest of the survey respondents, the Privacy Actives are younger: 61% of them are under age 45 versus 46% of other respondents. (See Figure 2.) They also do more of their shopping online (32% vs. 23%).

Figure 2 Percentage aged 18-44, Privacy Actives vs. others (N=2601): Privacy Actives 61%, Others 46%.
Source: Cisco Consumer Privacy Study - 2019

Perhaps even more importantly, Privacy Actives see respect for privacy as core to the brand of the companies with which they do business. Ninety percent say they believe how their data is treated is indicative of the way they will be treated as a customer; and 91% won’t buy from a company if they don’t trust how their data will be used. (See Figure 3.)

Figure 3 Attitudes of Privacy Actives versus others (N=2601). Panels: “How they treat data is how they treat me” (Privacy Actives 90%, Others 67%); “Won’t buy if don’t trust how data is used”.

The emergence of the Privacy Actives segment also helps explain some of the more interesting findings from the Cisco 2019 Data Privacy Benchmark Study. That study highlighted that 87% of companies are experiencing sales delays caused by their customers’ privacy concerns. (See Figure 4.) People today are more concerned about privacy; they are asking more questions about what data is collected, how it is used, who has access to it, and how long it is retained. The fact that more consumers are willing to choose (or change) providers shows evidence consistent with this trend.

Figure 4 Organizational respondents experiencing delays in their sales cycles due to customers' data privacy concerns (percent of respondents, N=2064): Yes 87%, No 13%.
In future research, we’ll continue to monitor the Privacy Actives segment, including its size, demographic makeup, and behaviors.

Insight 2: Privacy regulation provides “guardrails” for innovation and helps build trust

A second area of focus in the survey was to understand consumers’ interest and acceptance of emerging business models that might involve using their personal data in new ways that could benefit the individual or society at large. Some users find these models invasive, while others find them acceptable. We wanted to better understand this dynamic, and also wanted to understand whether privacy regulations play a role in user acceptability. While each of the models we tested included using personal data in a potentially unanticipated way, each also included a personal or societal benefit. The models we tested included:
• Sharing personal information from your home or your car in exchange for receiving health or safety warnings that could benefit you and your family.
• Allowing a smart home speaker (e.g., Alexa, Echo) to “listen” for personal information in exchange for receiving health or safety warnings that could benefit you and your family.
• Sharing personal information from your social networks (e.g., Facebook, Twitter) that could be aggregated and anonymized to improve the health of the overall population.
• Sharing personal information about your past purchases combined with relevant health information to enable a retailer to suggest products (e.g., shoe style) that would be best for you.
• Sharing personal information from your workplace (e.g., your location and movements) that could be aggregated to improve the efficiency and safety of the work environment for everyone.
• Sharing personal information about your current geographic location in exchange for promotional offers and pricing advantages from local stores.

“Data privacy and protection differentiates business today. Do it right, you stand out. Do it wrong, and you will be called out.”
John N. Stewart, SVP, Chief Security and Trust Officer, Cisco

Survey respondents were generally not supportive of these new business models. Despite the potential personal or societal health and safety benefits associated with the models, 36% to 47% (depending on the model) indicated they were not comfortable having their data used in this way, while only 26%-31% indicated they were comfortable. (See Figure 5.) As a result, companies seeking to introduce products and services using personal data in new ways should make sure they have considered and addressed customers’ potential data privacy concerns.

Privacy regulations, to the extent people are aware of them, seem to play an important role in making users more comfortable with how their data might be used. Specifically, respondents who were aware of privacy regulations (like GDPR) indicated they were much more comfortable with these potential new business models than those who were not aware. Averaged across all six of these models, 38% of respondents who were aware of GDPR were comfortable with them versus only 24% of respondents who were unaware of GDPR.

Interestingly, this increase in comfort level was consistent across every country in the study. While there are differences as to the absolute comfort level, each geography showed higher comfort levels among the respondents who were aware of GDPR. When privacy controls are clearly identified (e.g., in a specific law or standard), they seem to be beneficial for both consumer and corporate activities. (See Figure 6.)

Figure 6 Average comfort level with six new business models, by country (N=2601). Countries: Australia, Brazil, China, France, Germany, India, Italy, Japan, Mexico, Spain, UK, USA. Series: respondents not aware of GDPR; respondents who are aware of GDPR.
Source: Cisco Consumer Privacy Study - 2019
In the Cisco 2019 Data Privacy Benchmark Study, 42% of companies indicated that their privacy investments enabled agility and innovation at their companies. By knowing what they couldn’t do from a privacy perspective, they were much freer (and in some cases, compelled) to pursue new ideas on what they could do. These results do not imply that every regulation would be beneficial to corporate innovation or to consumers. Too much, too prescriptive, or inconsistent regulation could be costly, burdensome, and confusing for both companies and users. Nonetheless, it appears that at least some regulation provides benefits

industry associations, or individuals – should have primary responsibility for protecting personal data. Governments can provide regulation and oversight, but confusing or overly broad regulation can also become burdensome on companies and individuals. Companies have a responsibility to protect the data of their customers, but sometimes their short-term profit motives interfere. Many consumers might accept they are also partially responsible for their decisions on when and how they share their data, but they might struggle to understand exactly what is being done with their data. While respondents were somewhat split on the question of who is responsible for protecting data privacy, most selected federal government (45%), followed by the individual user (24%) and companies (21%). (See Figure 7.)

Figure 7 Who is primarily responsible for protecting data privacy (N=2601). Categories: National Government, Companies, Associations, Individual User, Local Government.
Source: Cisco Consumer Privacy Study - 2019

Indeed, all three would seem to have an important role to play in protecting personal information. Governments can oversee what companies are doing, companies can set and follow appropriate data policies anchored in the principles of transparency, fairness, and accountability, and individuals can take steps to protect their own privacy and accept responsibility for the choices they make. With more respondents indicating they wanted the government to be responsible, perhaps it's not surprising that those familiar with GDPR felt it had a very positive impact. An overwhelming majority of respondents expressed a positive view of the GDPR, with 55% of respondents in favor and only 5% of respondents expressing a negative view. (See Figure 8.)

Figure 8 Overall sentiment regarding the impact of GDPR (N=941)
Source: Cisco Consumer Privacy Study - 2019
Although there is some variation across countries, there is generally a very positive view of GDPR among consumers worldwide with very little negative sentiment. (See Figure 9.) Respondents were also asked about whether GDPR was effective in meeting various privacy goals for the individual. Fifty-two percent said they felt they had more control of their personal data as a result of GDPR, 59% said they have a greater ability to exercise their rights regarding data, and 47% said they have greater trust in companies that use their data. On the negative side, 47% expressed notification fatigue and said they receive far too many meaningless privacy-related notifications as a result of GDPR. (See Figure 10.)

Note: For Australia, Brazil, and Japan, the number of respondents familiar with GDPR is relatively small, so the margin of error is significant. The results are included because the margin of error is still much smaller than the percentage differences between respondents with positive and negative sentiment.
Figure 12 Ability of users to protect their data and reasons why they think they can’t (Left: N=2601, Right: N=1129). Left panel: No / Yes. Right panel reasons: Too hard to figure out what companies are actually doing with my data; If I want the service, I have to accept how my data is used; Feel my personal data is already available; Don’t trust companies to follow stated policies; Don’t understand what service choices are.
Conclusion
The results of this survey, combined with past Cisco data privacy research, suggest a new framework for measuring the benefits and return on privacy investments. Interviews with privacy decision-makers show that companies and their governance entities (board of directors) have generally focused on legal compliance and avoiding the potential of regulatory fines and penalties. Our recent findings suggest an even broader value model for capturing the business benefits of privacy, including the following areas.

1. Attracting and retaining customers who care about privacy and are willing to act.
This research shows the vast majority of people care about protecting their privacy, and a third are already acting by switching providers when one falls short. This segment represents an attractive portion of the customer base, as they are younger, more affluent, and more online than the rest of the population. Customers are increasingly seeing data privacy as a critical part of the brand of a company, and companies need to invest in privacy to make sure their customers understand and are comfortable with their data practices and policies. If not, customers will migrate to other companies with which they are more comfortable.

new business models. This further validates our previous research showing companies are seeing these benefits from their privacy investments.

3. Reducing sales friction.
Having more customers care about privacy and being willing to act can also create friction in a company’s sales cycle. Potential customers are increasingly asking questions about how their data will be used when choosing a vendor. If companies don’t have transparent and easily understood information, they will see significant delays and lost opportunities in their sales cycles.

4. Enhancing the overall attractiveness of the company.
Shareholders and investors are also beginning to understand the increasing importance of privacy to a company’s brand and value, and they will reward those companies who get it right.

In conclusion, organizations should think of the value of privacy broadly, beyond compliance and risk avoidance. For many organizations, privacy has now become a critical business imperative.
In our new approach to thought leadership, Cisco Security is publishing a series of research-
based, data-driven publications under the banner Cisco Cybersecurity Series. We’ve expanded
the number of titles to include different reports for security professionals with different interests.
Calling on the depth and breadth of expertise of threat researchers and innovators in the
security industry, the reports in the 2019 series include the Data Privacy Benchmark Study, the
Threat Report, and the CISO Benchmark Study, with others published throughout the year.
For more information, and to access all the reports and archived copies, visit
www.cisco.com/go/securityreports.