Do you collect user information? Are you revisiting your practices in the wake of the allegations against the National Security Agency (NSA) and the US Government? If not, you should be. You should also be looking at your future data practices.
The problem is not shielding your user data from the government. The problem is what your users think you are doing. Unless you are an essential service that can’t be replaced easily, the perception that you are mishandling user information will destroy your business model faster than the tsunami in the ending scenes of Deep Impact.
What is Personal Information?
This is an interesting foundational question. There are quite a few definitions to work from. The first is regulatory. For instance, if you collect information from users under the age of 13, personal information is defined in the Children’s Online Privacy Protection Act (COPPA). The second is how you define it in your privacy policies and promises. In an interesting twist, this is also regulatory. The Federal Trade Commission will monitor your adherence to your own privacy policies, not to some statutory ideal, but that adherence still has the force of law. There are a few other definitions to look at as well.
At its most expansive, personal information, or more formally personally identifiable information (PII), includes any information that can be used to derive the identity of a person. The National Institute of Standards and Technology (NIST) defines PII as:
any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
This definition, published in April 2010 by the Computer Security Division of NIST, combines many concepts previously discussed in the General Accounting Office’s (GAO) May 2008 Report on privacy.
Now we come to the most important definition of personal information — the user’s definition. This is where it gets the most complicated, and it is usually where brands and companies give the least time and thought. It is also where you will get into trouble the fastest. If your user thinks that the website they were just accessing is personal and you don’t treat that information appropriately, you could lose that user. It’s not fair, and compliance professionals like bright lines. In the arena of user engagement and perception there is no such bright line. Get over it.
Now look at your data collection practices. What information do you need to collect to accomplish your business objectives? You need to disclose to your users where your needs and their perceptions lie.
Third Party Sharing
We have looked previously at the data sharing practices of some social networks and there is instructive language there. My opinion is that unless your monetization strategy includes selling your user data for profit and fame at the outset, don’t leave yourself that wiggle room. Any perception that you are doing something with your user data that doesn’t directly benefit the user will come back to haunt you.
Third party sharing includes sharing information with any outside entity. That includes governmental entities. You will get subpoenas and court orders for user data. This may be as simple as requests for data in divorce proceedings, or may include something as serious as investigations into terrorist activities. We have all seen the ‘pursuant to a lawful order by a court of competent jurisdiction’ language in privacy policies. What I haven’t seen is any language about alerting the user. Your app, your website and your platform all collect a variety of sensitive data, and the vibrancy of that service depends on users sharing with other users. I think you owe it to your users to do the right thing and let them know when their information is ordered to be shared. Consider adding language like ‘as allowed by the court of competent jurisdiction, we will inform you of such data requests.’
Public Relations Crises
I think the situation that is faced by all of the brands that are implicated in the government data sharing allegations is difficult. I do not envy anyone there having to work through this. There are going to be times when data is requested and you cannot tell anyone about it. Document it, and keep good records of those requests and what was shared. What about systemic access to user information? I have a problem with any justification that supports systemic access to user information by the government. That being said, if you have to support such access, again document it.
Google’s recent request to share more information about what goes on with these data requests is interesting. Putting on my tinfoil hat, I think it is also interesting that all the major tech companies have talked about there being no ‘direct access’ to servers. I may have watched too many episodes of Burn Notice, but I wonder whether there is some plausible deniability here. However, all the discussion of governmental practices and the hand-wringing about them distract brands from what is important – your data collection and sharing practices and how you communicate them to your users.
Back to Basics
When it comes to user data collection and use practices, legwork up front will save you in heartache down the road.
- What do you need to collect? I emphasize the word need here. In order to accomplish your business objectives, what do you absolutely need to collect? Do you need to know my favorite color?
- What do you want to collect? This is the future proofing part of the discussion. Look at future needs based on product or business roadmaps. I think it is a better idea to disclose that up front before you really need to collect it so your users aren’t too surprised.
- How do you plan to collect it? This will inform how you will work on the various platforms out there. Depending on what you are doing to get the information, you may need to build in platform-specific functionality to visually disclose such collection to the user. Think of the compass (location services) symbol on iOS.
- Who will you share it with? This is the topic of this blog post. Who are you sharing it with? For what reason are you sharing? If you are monetizing that data, you need to let users know ahead of time. Build in the right outs regarding governmental data requests.
- How will you protect, store and delete that data? Are you holding data after the user de-activates their account? Why would you? If you do, you need to let users know. I would also include a statement as to why.
My apologies for missing my post on Friday of last week. I still have the draft of that post in my work folder and may revisit it at some point, but didn’t think I really had anything new to say. Today’s post is more about how to work with this situation as a brand, though. As always, if there are topics in the SoLoMo space that you want addressed, drop me a comment, or send me an email to firstname.lastname@example.org.