The Data Trap: Why Collecting More User Data is Risky and Unnecessary

In an era where digital transformation is accelerating, personal data has become the fuel driving many business models. But as companies increasingly rely on data to power their services, many are making a critical mistake: they’re asking for more data than they need, without a clear plan or purpose for using it. This not only puts users at risk but also puts companies in the crosshairs of regulatory bodies.

Take a look at some of the largest fines imposed for data misuse. British Airways was fined £20 million under the GDPR after a data breach compromised personal details of over 400,000 customers. This wasn’t just a blow to their finances—it was a blow to customer trust. A breach is a high-cost way of learning a valuable lesson: more data means more responsibility.

So why are companies so obsessed with collecting vast amounts of personal data? It comes down to the notion that data, in the abstract, equals potential future profit. Companies hope they might glean insights to improve products, deliver personalized experiences, or generate advertising revenue. In reality, however, holding data you don’t need is not just risky—it’s bad business. The more data you store, the more you have to protect, and the more you increase your liability.

Here’s where the fundamental issue lies: businesses often assume they need data simply because they can collect it. It’s a mindset fueled by the allure of big data, machine learning, and predictive analytics. But as Donna Dubinsky once told me, if you don’t have a specific use case for the data you’re collecting, don’t ask for it. Collecting data "just in case" is no longer a strategy—it’s a risk, both for the company and the users.

The Dangers of Storing Unnecessary Data

When companies hold data without a regulatory or functional need for it, they are essentially building a house of cards. The more cards they stack—personal information, addresses, payment details, behavioral data—the more precarious the structure becomes. At some point, a breach, an oversight, or even just poor handling practices can bring the whole thing crashing down. And when that happens, it’s not just fines and lawsuits that businesses will face. The damage to brand reputation can be irreparable.

A Ponemon Institute study estimated that the average cost of a data breach in 2023 was $4.45 million. That’s not just from direct costs like legal fees and fines, but also from indirect costs like customer churn. Once trust is broken, it’s incredibly difficult to rebuild. After a breach, 65% of customers lose faith in the company, and a significant portion will never return.

The truth is, most users today are well aware of the value and risks associated with their data. They are cautious, even skeptical, about handing over personal information to companies that do not clearly articulate why they need it or how they will protect it. This is where businesses need to rethink their approach to data collection, not just as a regulatory requirement, but as a matter of good customer relations.

The “Less is More” Approach to Data Collection

To build trust in the digital age, businesses should adopt a “less is more” approach when it comes to user data. Minimalism in data collection doesn’t just protect users—it also protects the business.

When you limit the scope of the data you collect, you limit the risk associated with holding and protecting that data. You also avoid the complex, costly infrastructure needed to store and secure it. This isn't about shirking responsibility—it's about being strategic and responsible.

Here's a guiding principle: Every piece of data you collect should serve a purpose, and you should be able to explain that purpose to your users. Transparency is critical. When you’re transparent about why you need certain data and how it will be used, you’re showing respect for your users’ privacy, which builds loyalty over time.

A good example of this is Apple’s approach to user privacy. Apple has built its brand on protecting user data and being transparent about its policies. By minimizing data collection and storing much of it locally on user devices, Apple has earned a reputation as a privacy-first company. The company doesn’t rely on user data to monetize its services, and as a result, it has established a strong foundation of trust with its users.

The Regulatory Landscape: Fines Are Just the Beginning

As governments around the world crack down on data misuse, companies are finding themselves subject to stricter rules and harsher penalties. The EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) are reshaping how businesses can collect and store data. These regulations are only getting tougher, and enforcement is becoming more aggressive.

What many companies don’t realize is that the financial penalties for data violations are only part of the picture. Regulatory bodies are now starting to go after individual executives, holding them personally accountable for breaches and non-compliance. This shift underscores just how serious the issue of data privacy has become. It’s no longer enough to say, "We’ll fix it later" or "It won’t happen to us." The risks are too great.

Moreover, the U.S. Federal Trade Commission (FTC) recently announced plans to crack down even harder on companies that misuse or mishandle user data. This aligns with the global trend of increasing data privacy scrutiny and emphasizes that holding unnecessary data is no longer a benign oversight—it’s a business risk.

The Decentralization Dilemma

In the digital identity space, decentralization is often hailed as the key to solving data privacy, security, and control issues. The promise of decentralized identity is that users maintain full control over their personal information, eliminating the need for a central authority to manage or store that data. However, while the concept is powerful, many companies that started with decentralized principles have gradually moved toward more centralized or hybrid models, largely driven by customer demand, regulatory pressures, and operational challenges.

Take Uport, for example. Uport initially set out to build a decentralized identity solution on the Ethereum blockchain, aiming to give users complete control over their personal information. However, the complexities of managing decentralized identities—combined with the need for a scalable solution that businesses could adopt—led Uport to pivot toward integrating centralized elements. Today, Uport focuses on providing enterprise-ready solutions, often incorporating centralized infrastructure to simplify identity verification processes and meet the regulatory requirements of businesses.

This shift from decentralization to centralization is not unique to Uport. Many other companies, across a variety of industries, have followed a similar trajectory for several key reasons:

  1. Customer Demand for Simplicity: Decentralized systems can be complex, particularly when it comes to managing private keys and ensuring security. Most users—and businesses—prefer simplicity. They want an easy-to-use platform that doesn’t require extensive technical knowledge or additional layers of responsibility. As a result, companies like Sovrin, which began with a focus on self-sovereign identity (SSI), eventually incorporated centralized features to meet the demands of enterprise clients who prioritize ease of use over full decentralization.
  2. Regulatory Pressures: Many industries, particularly those dealing with financial services and identity verification, face stringent regulatory requirements for Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. While decentralized identity systems can offer significant privacy benefits, they often struggle to meet these regulatory standards without incorporating some form of centralized control. Evernym, another early advocate for decentralized identity, faced this challenge and began offering centralized solutions to navigate regulatory requirements while still aiming to promote self-sovereign identity principles.
  3. Scalability: Decentralized infrastructure is often difficult to scale. The verification and authentication processes in decentralized systems can be slow, costly, and complex when attempting to operate at a global level. Blockstack (now Stacks) is a prime example of a company that started with a fully decentralized vision of the internet. However, as it grew, the need for centralized governance and services became apparent, leading to the adoption of a hybrid model that balances decentralization with the scalability needed for widespread adoption.
  4. Governance and Trust: Decentralization removes centralized authorities, but it also introduces challenges around governance. In decentralized systems, decision-making can become fragmented, and resolving disputes can be difficult without clear leadership. Companies like Helium found that while their decentralized wireless network was innovative, they needed some level of centralized control to maintain governance and ensure the network’s smooth operation. This shift allowed Helium to address challenges like hardware procurement and decision-making while still retaining core decentralized elements.

This trend in the identity space mirrors a broader pattern in the blockchain and Web3 industries: decentralization is an enticing concept, but the practicalities of business, customer needs, and regulatory environments often require companies to introduce centralized elements. The result is a hybrid model where companies keep certain aspects decentralized—such as data ownership or authentication—while centralizing others to ensure scalability, compliance, and ease of use.

At Identity.com, we’ve seen firsthand how decentralization can protect user privacy while providing essential services. Our solution verifies users’ ages without ever sharing that personal data with the vendor. It’s an excellent example of how decentralization can deliver privacy and security. However, many companies, especially those in less regulated industries such as vending machine operation, often stray from this path. Once they get a taste of the potential value of personally identifiable information (PII), they become fixated on gathering more of it, hoping to use the data for marketing or even selling it to third parties.

What begins as a simple data collection process—perhaps to verify identity—quickly spirals into an obsession with PII. Companies start mining the data for new ways to profit from it and lose sight of more responsible, privacy-focused approaches like anonymization. They become addicted to the idea of monetizing user data, forgetting the risks associated with holding so much sensitive information.

For businesses in the identity space, this presents a dilemma. Decentralization offers immense potential for user control and privacy, but the temptation to centralize often grows stronger as companies seek to scale and meet market demand. The key is to find the right balance—a way to leverage decentralized technology for privacy and security while ensuring the system is user-friendly, scalable, and compliant with regulations.

A Glaring Example

One glaring example of this overreach can be seen in the identity verification space, where companies often ask for far more information than they need. At Identity.com, we've developed a solution that allows businesses to verify a user’s age without ever sharing that actual age or other personal details with the vendor. This solution uses decentralized identity technology, ensuring that only the verification is shared—not the underlying personal information.

But here’s the catch: once companies, especially those with minimal experience handling personal data, get a taste of the so-called "sweet nectar" of PII, they often lose perspective. This is particularly evident among vending machine operators, where you'd think minimal data is required. Yet once they experience the potential of personal data, once they start collecting even basic details, they become fixated on acquiring more.

Suddenly, it's no longer just about verifying whether someone is over 18 to buy an item. It becomes about mining every possible detail for some future, often ill-defined, purpose: to market, to analyze, to sell. They become so engrossed in what they could do with that data that they forget the ethical and responsible approach—doing it in an anonymized way. This is where the fundamental problem lies. The temptation to gather, store, and eventually monetize user data blinds companies to the fact that less data is often better, both for them and their users.

For companies, data minimalism should be the goal. It’s not about collecting as much information as possible to exploit later. Instead, it's about collecting only what’s necessary and nothing more. Not only does this build trust with customers, but it also reduces risk. Every additional piece of personal information you hold is an additional potential liability. When vending machine companies or app developers get addicted to that "data high," they set themselves up for failure, either through regulatory penalties, security breaches, or simply alienating users who are increasingly aware of how their data is being used.

In the identity space, anonymized solutions are the future. Companies need to shift their mindset from data collection at all costs to responsible, purpose-driven data use. Just because you can collect personal data doesn’t mean you should. It’s a dangerous road once you start, and once you have that scent of personal information in your system, it can be hard to let go. But companies that succeed in today’s privacy-conscious market will be those that can embrace data minimalism and protect their users by design.

Conclusion: Data Responsibility is the New Competitive Advantage

Companies that want to thrive in this new era of digital privacy need to pivot from data hoarding to data stewardship. Responsible data collection isn’t just about avoiding fines or limiting exposure—it’s about building trust, loyalty, and long-term relationships with users. A minimalist approach to data collection—one that respects user privacy and aligns with a company’s real business needs—is the future of ethical business practices.

It’s time for companies to recognize that they don’t need mountains of personal information to be successful. Instead, by collecting only what’s necessary and protecting it vigilantly, they can build stronger, more trustworthy relationships with their users.

Remember, as the great advice goes: only ask for data if you know exactly what you’re going to do with it. Anything more, and you're not just collecting data—you're collecting risk.
