Privacy will hit tipping point in 2016

Concerns about online privacy will reach a tipping point in 2016, prompting regulators to crack down on companies, and consumers to demand greater protection, a new study by Forrester Research predicts.

Businesses that collect, store and use people's data are most at risk of attracting hackers and regulatory oversight, Forrester said in its report released Monday. They also stand to suffer the most when consumers decide to prioritize privacy over convenience, something that is already beginning to shape behavior.

Some of the key predictions for Forrester's 2016 privacy report include the following trends:

Paying for fewer ads, with more privacy

Internet companies may adopt "freemium" models, offering paid ad-free subscription services and more privacy.

Google is well aware of the changing privacy landscape and it's proactively beta testing alternatives to monetizing user data via targeted ads. Google Contributor lets users pay $2-10 per month to see 5-50 percent fewer ads across the sites they visit on all of their browsers and devices.

A portion of the money Google collects goes to the sites they visit, helping to offset lost Google ad revenue. There is a catch for publishers: They can only set up Contributor if they use Google AdSense or Doubleclick for Publishers.

"If Contributor takes off, it won't change how much user data Google collects; it will, however, change the way that Google monetizes users, and that's significant," said Forrester analyst Fatemeh Khatibloo. "If we are paying Google for a service, it turns us from users into customers and that means we can hold Google more accountable."

Khatibloo points out that Facebook could employ a similar strategy, and significantly boost average revenue per user (ARPU). CEO Mark Zuckerberg has said he will never charge users, but Forrester's research suggests U.S. users would be willing to pay $30-60 per year for an ad-free version of the service. Facebook's ARPU today is less than $3 globally, and around $9 in the U.S.

"Let's say even 10 percent of U.S. users adopt this model and 5 percent of European and Asia-Pacific users. Facebook's revenue per user skyrockets in this scenario — it benefits shareholders and users equally. The downside? It's a capped growth strategy, and that scares Wall Street," said Khatibloo.

Ad blocking, the privacy background

Already, 26 percent of U.S. online adults who use a desktop or laptop use an ad blocker like AdBlock or AdBlock Plus in their browsers. It's no surprise that Apple — whose business model is not tied to collecting data — is taking the lead when it comes to deploying ad-blocking tools to mobile devices.

The tech giant's latest operating system includes a native content-blocking feature, where pages load faster and there are no distracting ads.

Forrester is advising clients to re-examine the trackers and cookies that marketers deploy on their sites to make sure they are comfortable with the amount of data being collected. "Most clients we speak to don't realize that a Facebook 'like' button on their homepage means Facebook sees every user's activity, not just the activity of the ones who click the button," Forrester said.

"The ad-blocking conundrum is interesting," said Khatibloo. "On the one hand, publishers deserve to get paid for their content. On the other hand, ad tech has gotten so frustratingly bloated that it's affecting the quality of the publishers' user experience."

One thing is clear, however. "If advertisers and publishers can't fix the ad ecosystem, ad-blocker adoption will continue to grow and dramatically reduce the effectiveness of the behavioral advertising revenue model," the report said.

Who stands to benefit? "The ad-blocking technologies that charge companies to whitelist their sites, of course. But that's a bit like the fox guarding the hen house, isn't it?" said Khatibloo.

There are also companies, says Khatibloo, like Sourcepoint, developing the technology to let consumers choose how to support the content they consume.

It's not just Internet companies in the line of fire.

Regulatory wrath against privacy violators

In early 2016, the European Union is set to approve the new general data protection regulation, which would make companies in violation of the law liable for up to 5 percent of global revenues. In the U.S., companies can expect severe financial penalties as regulators also flex their muscles, a trend already underway.

Forrester highlights two recent examples: Apple agreed to pay $32.5 million in refunds to customers to settle a Federal Trade Commission complaint that it charged for kids' in-app purchases without parental consent (FTC versus Apple). Additionally, this year AT&T paid $25 million to settle an investigation into three data breaches (FCC versus AT&T).

The message? Expect more.

"Retailers and Internet 'giants' are certainly the ones we hear about most often," said Khatibloo.

Then there are the media and telecommunications companies. "TalkTalk (the mobile carrier) is dealing with a nightmare of a breach right now," she said.

"But the health-care industry, as it becomes increasingly digital, is really struggling to protect user data," said Khatibloo. "'Breaches' are often the result of poor employee habits: leaving a laptop unlocked or taking files home on an unapproved thumb drive, for example."

Smaller companies making devices connecting to the Internet of Things are also treading on shaky ground when it comes to protecting privacy.

"We've already seen how these devices can easily be hacked — their makers just aren't experts at security," said Khatibloo. "I think we'll see a lot of compromised IoT devices over the next few years, largely because there isn't yet a best-practice standard for securing their data."

One company Khatibloo points to as doing privacy right? Disney: "Their policies are clear, the majority of their practices are opt-in, and they're very clear about the value exchange of data collection," she said.

Of course, what may be a painful transition for some businesses represents a giant opportunity for others. The legal industry and the Big Four accounting firms, as well as management consultancies, will reap the benefits of the privacy overhaul Forrester is predicting.

"McKinsey, Accenture, Bain, et cetera will also recognize opportunities as firms make organizational changes to support better privacy throughout their businesses," said Khatibloo.

Another interesting trend Forrester predicts is especially relevant to retailers.

Mobile wallet to change customer data collection

As consumers increasingly adopt mobile payment systems including Apple Pay, Android Pay and PayPal, merchants will receive and store less data than with traditional credit card payment processing. Forrester forecasts that American users will make $83 billion in mobile payments in 2016.

That means merchants will have to manage with relatively anonymous customer transactions and find new ways to collect customer data. Forrester suggests retailers develop loyalty programs, e-receipts and communication preferences to encourage customers to volunteer personal information when they use a digital wallet.

California as incubator of privacy protections

In 2016, two laws signed by California Gov. Jerry Brown will go into effect. They require authorities to obtain a warrant or court order for access to an individual's electronic communications, and will toughen and expand data-breach notification regulations. California is the most populous U.S. state, and residents represent 8 percent of domestic personal consumption spending.

"Some companies will take calculated risks, like assuming that only customers with a California-based IP address actually reside in the state. This approach is wrong, because trying to maintain two different sets of data management rules is hard and expensive, and the likelihood of getting a customer's geography wrong is significant," Forrester said.

Forrester has this advice to businesses: "Don't wait for federal regulation to get your privacy house in order."