Personal data, how much is enough?

We have all heard the cliché that "data is the new oil". Why has data become so important? I think it is because we are now at a point where every aspect of a financial transaction is recorded, and this presents a unique opportunity for service providers to milk this data for profit.


Let's put this in context. There are some super apps out there which offer everything possible under the sun, from making a peer-to-peer payment, hiring a nanny, buying a coffee, investing and buying insurance to booking a taxi. These super apps know everything about the person - all their spending habits, savings propensity, expenses for the month, and the list goes on.


There are a bunch of algorithms crunching away in a distant cloud, and this data is being fed through many data models to churn out behaviour predictions, which will eventually lead to some form of cross-selling at some point in the future when the user interacts with the app. A great example of this is the advertising prompts we all see on the social media apps we use daily.


As e-commerce and digital transactions are here to stay, the protection of personal data is pretty much now a consumer right. For years personal data has been the product which has been commercialised without consent. We as consumers are to blame for not paying for various online services. This has encouraged the proliferation of business models which prey on personal data for their growth. We have given up our data to get free services, not realising the long-term impact.


The folks at Cupertino have taken advantage of this gap in the market and have set about protecting the personal data of their customers from third-party applications, taking the stance that the customer has the final right to grant the app provider permission to use their data. This kind of market leadership and protection of consumer data sets the benchmark for everyone else to emulate.


Personally, having seen this implementation taking place through the various prompts which are surfaced to me on my iPhone, I am quite in shock to see what data is actually being asked for. In the past the data was just taken, and if you tried to block any one of the requested data sharing permissions the app itself would not install or work properly. With the latest iOS updates it seems that even if I choose not to grant permission the application still installs and works. This just shows you the power of influence platforms have. Either play by the rules set by the platform provider or get out of the platform.


Okay, so I digressed a bit from the theme of this post. As product managers we set the ground rules for the data which is needed for the underlying service to fully operate. Let's take the example of a simple app for ordering food from a restaurant. The proposition is about allowing a customer to order food through the app, make payment and then choose either to pick up the order or get it delivered. So which data points here are critical for the service, and which would be nice to have?

customer name, address, email, mobile number, payment mode, age, items ordered, time of order, GPS location, gender, date of birth, race, religion, diet restrictions, amount paid, cuisine

Some of you might scoff at the suggested data points. There is no right or wrong answer here so long as the product manager is ethically collecting data for the purpose of providing the full feature set of services for a transaction to be completed. This will also depend on the complexity of the application / service and the roadmap. The guiding principle is that if the data is not being used to deliver a service, the data should not be requested.


Let's visualise how three different apps would pick which data is required.

App A from the Neighbourhood Pizza Place: Allows customers to place an order and pick up the food in 45 mins.


Customer name, address, email / mobile number, payment mode, items ordered, time of order, amount paid

This app asks for the basic information to complete the transaction. It's very clear that they are not concerned about which location the order comes from, so long as the payment is made and the customer comes in to pick up the order.


App B from the Neighbourhood Coffee House: Allows customers to place an order and track the delivery


Customer name, address, email / mobile number, payment mode, items ordered, time of order, GPS location, amount paid

As this restaurant is delivering the order to the customer, they need to make sure that the address is within the delivery zone, and they can then also use the GPS location to display real-time tracking of the order.


App C from an Online Food Delivery platform: Provides delivery for hundreds of restaurants from all across town


Customer name, address, email, mobile number, payment mode, age, items ordered, time of order, GPS location, gender, date of birth, diet restrictions, amount paid, cuisine

The food delivery platform makes money by funnelling orders from its platform to restaurants; it takes a cut from the booking and also charges the person ordering a delivery fee. As such, their business goal is to nudge repeat orders across as many restaurants as possible and as many times as possible. To do this they will take a lot more data to build that customer profile so that the cross-sell can happen. The question is: how much of this kind of activity is ethical?


There are sensitivities around asking for some personal data, e.g. age, gender, race, religion, income, number of people in the household etc. The fact that this data may not be explicitly requested does not mean that such data points are not being inferred through complex algorithms and other third-party data references which are being injected into the data model. It's very possible to figure out if a person is vegetarian by analysing the meals which were ordered, and the same goes for their income bracket by looking at their spending propensity.


A product manager is responsible for recommending the minimum data set and should be protecting this data from abuse. Treat your customers' data as you would treat your own personal data; no one likes to share details about every aspect of their life with a third party. This is why there are now data privacy regulations in place all over the world to ensure that personal data is handled with a duty of care. It's worth the read to get familiar with what the obligations are. Also, if your product does not have a data privacy statement, then that is a great reason to invest some time in going through the process.


As ecosystems prosper and apps begin to connect to other third-party platforms, the definition of who owns the data is getting blurred. The knock-on effects of how the third-party service provider will use your customers' data need to be examined with a microscope. The data privacy rights of individuals require that a data privacy report can be provided to the individual, and there also needs to be a process in place to delete the data if that is requested (laws permitting).


Data is no doubt a lubricant which allows businesses to offer great services and awesome customer experiences. As such, organisations that collect personal data should take responsibility for honouring the privacy rights of the individual and act as responsible corporate citizens. The product manager is the first person in this chain who can evaluate what is critical and what is not important.
