Oversharing or over sharing? Millennials and data privacy


  • Millennials have grown up on technology, they readily shop online and share on social media.
  • They require organisations justify asking for their personal information by providing value in return.
  • Knowing that breaches can happen, Millennials expect corporate transparency and strong data-protection policies.

Article content

The security of personal information submitted online is a hot-button issue. We investigate how generation Y approaches privacy.

Millennials are a driving force in today’s digital marketplace. They’re shopping online while scrolling through their emails for deals and discounts. They like and share products across all social media channels. And they’re filling out forms and submitting orders at the tap of a fingertip or click of a mouse, entrusting their contact and payment information to just about any company. 

We know that older generations are typically far more hesitant to part with their personal details online. Are Millennials overconfident or naive about the security of their personal information?

How Millennials are different

In considering Millennials’ expectations, we must first look at what differentiates this generation from those that came before. Millennials are digital natives, born and raised on a stream of information. They’ve grown up with the internet. They’re not afraid of technology and have happily integrated it into every aspect of their lives.  

While digital natives live and breathe technology, only some are aware of how their devices work. “When you’re teaching a large security class – and I have taught them – it goes from complete boredom on one end because they’ve got no interest, and complete boredom on the other end because they already know everything you’re trying to tell them,” says Professor Jill Slay, director of the Australian Centre for Cybersecurity.

Those who are tech-savvy are aware of the risks of data interception and loss, and they’re the ones who take steps to secure their personal information – using virtual private networks (VPNs) when browsing and services that encrypt their data. Those who aren’t savvy often don’t know how to add this layer of personal security.

Digital natives who are unfamiliar with the back-end workings of their electronic world usually follow two trends: they limit what personal information they share over the internet; second, they only entrust their information to service providers they perceive as having a sound security set-up.

Personal data as currency

“When it comes to the security of personal data, everyone is concerned – but younger generations tend to want more details and to be more actively involved in deciding what information they are willing to trade for benefits,” Commonwealth Bank of Australia’s Head of Business Unit Cyber Architecture and Application Assurance, Brendan Hopper, says.

“Younger generations tend to want more details and to be more actively involved in deciding what information they are willing to trade for benefits.” 

Brendan Hopper, Head of Business Unit Cyber Architecture and Application Assurance, Commonwealth Bank of Australia

In Hopper’s experience, younger customers want to know why an organisation needs each item of personal information about them. Asking for details without providing a good reason will alienate these customers. However, when given a strong reason, digital natives may open up to sharing additional information. In this case, says Hopper, “the younger generation sees personal data almost as a form of currency”.

Reputation matters

However, Millennials are only likely to hand over this currency if they think their service provider will store it securely, and this perception can vary from industry to industry. While insurance providers and banks are often seen as safe information keepers, it still comes down to the individual brand’s reputation: past performance shapes customer expectations.

An organisation can enhance its reputation by adopting a transparent data-handling policy. Using a dedicated channel such as a page on its website or app, an organisation can map out what data it collects and why, how it’s stored, and who has access to it. Patrick Kelso, A consulting CTO/CISO for SME and Non-Profit Enterprises with a background in financial institutions, recommends giving customers the power to have their personal data deleted.

“You should be making sure people know what information you have, who else has access to it and in what circumstance they can make you remove that information, even if there’s no law,” Kelso says. “Make it a voluntary thing: ‘if you want that information gone, we’ll delete it’.”

Transparency and reporting

Kelso also says brands can perform audits of their privacy procedures and post the findings to show how these procedures adhere to the Australian Privacy Principles under the Privacy Act (1988).

Hopper notes that younger generations have also grown up with security breaches. While they accept breaches will happen occasionally, digital natives want to know how their service provider will take action to protect their interests.

“One example is mandatory breach reporting,” says Ajoy Ghosh, CISO for icare, the NSW government’s insurance and care services provider. By making reporting mandatory, it orients the organisation’s culture towards protecting the client, and this reinforces trust.”

Of course, every business should have a security framework worthy of the trust it inspires in digital natives. “If you have the data, you need make sure access is restricted, that it’s always encrypted, and if you’re transferring it from one computer to another, the data is encrypted during transfer as well,” Kelso says. “And these are all well-established, proven technologies that are easy to use.”

Between strong digital measures and an open dialogue with clients, service providers maintain the confidence of both tech-savvy and tech-shy Millennials – as well as everyone else.