As FCC fines T-Mobile, AT&T and Verizon $196M for selling users’ real-time location data, the natural question arises: if the first failure is selling user data without consent and the second is losing control over who ends up with it, how should companies actually police both ends of the chain?
Vaidotas Šedys, CRO at Oxylabs, shares his insights on the situation.
1. What does this case reveal about how user data is really handled?
The issue is that companies sold user data without consent — users were never informed it was happening. Situations like this break the transparency contract between a service provider and its users.
And yet, even in cases when everyone is on board and disclosures are in place, things can still go wrong. A single bad actor slipping through the vetting process can expose data in ways no privacy policy anticipated — which is why the safeguards around who gets access matter just as much as the consent given upfront.
Among other things, situations like these remind us of the importance of robust KYC (Know-Your-Customer) processes.
2. How can companies prevent these situations from happening in the first place?
Companies that handle sensitive data have an ethical obligation to know their customers and partners. For them it’s crucial to determine who they are dealing with and why those users want access in the first place. Missing just one bad actor can bring significant financial and reputational damage. This is where a strong KYC strategy comes into play.
3. What does a robust KYC strategy look like?
A coherent KYC strategy has 3 parts: identity verification, use-case review and ongoing due diligence.
The first part is about checking legal entities, documentation, public information, and asking follow-up questions. The second part focuses on the use-case. What will the customer do with the product/tool/information? Does the explanation make sense? Last, but not least, comes due diligence: as customers may change direction or expand activities, providers should periodically check if everything is disclosed.
About the expert:
Vaidotas Šedys is the Chief Risk Officer at Oxylabs, a market-leading web intelligence collection platform. With over 10 years of experience in payment and digital risk management, he has established himself as an influential voice in the web data-gathering industry – speaking at SXSW and authoring numerous articles, including four previously published on Security Boulevard, and pioneering methods to ensure ethical and secure SaaS business processes. Before joining Oxylabs, Vaidotas spent seven years at Western Union, where he began as a Risk Analyst and later led both the Digital Risk and Digital Payments teams. Today, at Oxylabs he oversees business areas related to internal and external risk management, vendor risk management, cybersecurity and other areas to proactively counter emerging threats.