Data Privacy Is a Growth Strategy

For years companies have treated customer data privacy as a defensive necessity, something to manage quietly through legal reviews, compliance checklists, and dense privacy notices. The assumptions were simple: Protecting data costs money, slows growth, and limits what firms can do with personalization, targeting, and analytics. New research challenges that thinking. Professors Jordan W. Moffett (University of Kentucky), Natalie Chisam (University of Nebraska–Lincoln), Kelly D. Martin (Colorado State University), and Robert W. Palmatier (University of Washington) conducted three studies to better understand how privacy as a strategy affects brand performance. Examining 280 brands over four years, they linked strong privacy practices (as measured by Osano’s Privacy Monitor, using calculations by lawyers who analyze company policies) to higher customer intent to purchase (as measured by YouGov’s BrandIndex , which draws on surveys of 30 million consumers). Brands with strong privacy practices saw 12.31% higher purchase intent than brands with weak practices. The effect was even greater (255%) for brands that customers already liked. In one experiment 300 U.S. participants read overviews of a fictitious tax services company (Smith Tax Services). Some overviews described weak privacy practices, while others described average or strong ones. The participants then rated their likelihood of using the company, their level of trust in it, and their level of concern about data privacy. When the tax company had weak privacy practices, people’s likelihood to use it was 2.86 on average, on a scale of 1 to 7. With average privacy practices that number jumped to 4.35. With strong ones it rose even higher, to 5.26. That pattern shows that companies that treat customer data responsibly attract more customers and will probably perform better financially. Another study found that the shareholder value of brands that embrace privacy is $869 million higher on average than those that don’t. When those same companies that embrace data security operate in higher-risk situations, such as data breaches, they generate even more shareholder value. The researchers use the term customer data privacy stewardship to describe the approach they advocate. Stewardship involves caring for something on behalf of others over the long term and not exploiting it for short-term gain. The researchers hope this approach allows companies to view data privacy as an opportunity rather than a cost. To become good privacy stewards, organizations should have data privacy practices that (1) are visible to customers, (2) reflect the company’s assumption of responsibility for customer data and legal compliance, and (3) are deliberate and embedded in business operations, not symbolic or one-off actions. This approach moves a company’s privacy practice from the back office to the forefront of its public image. Privacy stewardship creates two psychological effects. The first is what the researchers call perceived privacy benevolence: Customers infer that a firm genuinely cares about their interests and is not exploiting their data for self-serving reasons. The second is reduced privacy concern: Customers feel less anxious about their data being misused or exposed. Together, these forces influence customers’ comfort with engaging with a company, their purchasing behavior, and their loyalty. “Privacy stewardship is not about avoiding mistakes or reacting after breaches. It’s about proactively showing customers that their data is handled with care, restraint, and accountability,” says Chisam. “Brands should think of privacy as a strategic asset that can strengthen trust, deepen relationships, and improve firm performance.” Becoming a privacy steward isn’t about changing a single policy or crafting a clever message—it requires sustained action. The researchers offer the following guidelines for making privacy stewardship real, credible, and commercially meaningful: Don’t expect customers to trust you immediately. Firms cannot simply ask for trust. They must earn it by consistently demonstrating responsible behavior toward data, including collecting only data that’s necessary, using strong security measures, and regularly reviewing and updating privacy policies. Be transparent and communicative. Privacy stewardship is not about publishing longer privacy policies or adding more pop-ups. The goal is to be thorough and clear about your policies. Recognize that customers respond to substance, not noise. Effective stewardship involves providing clear data governance, giving customers some control over data, and aligning actual practices with the company’s stated values. It requires coordination across marketing, product, legal, and technology teams. Companies shouldn’t wait for regulations to be written or problems to emerge. They need to take steps to protect customer data and consistently communicate them to customers. Embed privacy stewardship into everything you do. Show that you care about your customers’ best interests, not just your profits. Make them feel as if privacy is part of the product rather than something layered on top. Tailoring the message is also important. Brands that consumers already like and trust should reinforce the characteristics that make consumers like and trust the brand. Less trusted brands in risky environments should focus on reducing concerns and explaining safeguards. One size doesn’t fit all. A company should match the privacy signals it sends to how customers already see the firm and to the risks they associate with it. “As data plays a bigger role in how companies operate, people will pay closer attention to what firms do to protect their privacy,” Chisam says. “Companies that don’t prove themselves trustworthy run the risk of losing customers and revenue to the competition.” About the research: “Customer Data Privacy Stewardship,” by Jordan W. Moffett et al. (Journal of Marketing, 2025) “Trust Is Built Through Repetition, Not a Single Message” Keith Enright is a partner at Gibson Dunn, a global law firm with offices in 10 countries, and the former chief privacy officer at Google. He spoke with HBR about what privacy stewardship really looks like inside modern companies and how leaders should think about compliance, trust, and innovation. Edited excerpts of the conversation follow. Jori Bolton In your experience, have strong privacy practices resulted in improved business results? Absolutely. When you explain privacy practices clearly and follow them consistently, customers trust you more over time. But there are also practical business implications. Strong privacy practices make it easier to ship new features and introduce new products. You’re less likely to get slowed down by regulators. Compliance becomes expensive when it’s introduced late in product development, because companies are forced to rework features, delay launches, or scrap ideas that violate privacy rules. Many organizations quietly build “compliance debt” by cutting corners to move fast, and that debt eventually hampers future product releases, increases legal exposure, and complicates audits and acquisitions. How do you try to help clients improve privacy stewardship? I guide clients through complex regulatory environments by helping them assess how much legal and strategic risk they can responsibly take while still moving fast. When something goes wrong, I engage directly with regulators, manage investigations, and use the moment to help companies realign their culture and processes around trust and responsible data practices. My work is cross-functional. I work with lawyers, engineers, product leaders, and marketers so that privacy decisions support compliance and other important business considerations. How do you recommend that clients publicly communicate responsible data management? The best way to tell everyone is to make it clear, concrete, and visible in places where customers already make decisions. Start by explaining in simple language what data you collect, why you collect it, and how you keep it safe, without jargon or legalese. Show your work through real actions like publishing easy-to-read privacy summaries, hiring credible experts, offering meaningful user controls, and demonstrating how you fix mistakes. Share stories instead of slogans. For example, tell people how your privacy decision protects users and reduces risk. You should also back your messaging up with consistent behavior over time. Trust is built through repetition, not a single message. What common privacy mistakes do brands make? Companies assume they’re doing a good job simply because nothing bad has happened yet. They get complacent and use phrases like “complete security” or “full privacy” to sound trustworthy. But then they learn that their systems cannot support those guarantees. A lot of breakdowns happen when privacy experts are brought in at the last minute, which forces teams to redo work, delay launches, or publicly change their messaging in ways that hurt trust. Miscommunication also makes things worse. Marketing teams overpromise, and lawyers are seen as roadblocks instead of partners. When that happens for long enough, it leads to data breaches or regulatory investigations. Agencies will question whether the company misled users or failed to take reasonable precautions. Failures are rarely caused by one big mistake; they stem from small ones that pile up until something breaks. What happens when there’s a breach? I have had multiple clients and employers over the course of my career who have had something go wrong—incidents that triggered one or more national investigations and sometimes even hundreds of investigations in parallel. Here’s what I learned: Don’t waste the crisis. Instead use it to fix deeper cultural and structural issues, not just patch the immediate problem. You should bring in people who can diagnose what failed and work constructively with regulators to navigate the investigation. You also need to make sure your promises about privacy match what you can really deliver, because trust drops quickly after a breach and rebuilds slowly. The goal is to come out of the crisis stronger and more aligned, not just less embarrassed.

Data Privacy Is a Growth Strategy

Summary.

Partner Center