How often do you revisit and audit your privacy practices regarding the collection and use of user information? Earlier this year we had a big kerfuffle over government data-collection practices and the platforms turning user information over to them. While maybe not topical to what you do on a daily basis, if you didn't look internally at your own practices, you should have.
The problem isn't shielding your user data from the government. It's being up front with your users about what you will be doing with the information they give you. Your users' perception will make or break your platform. How you conduct yourself when allegations of breaches or improper use arise will also matter. How many of us stopped using Zappos when they had an alleged breach? If your users feel that you are mishandling their information, that will destroy your business model faster than the tsunami in the ending scenes of Deep Impact.
What is Personal Information?
This is an interesting foundational question. There are quite a few definitions to work from. The first is regulatory. For instance, if you collect information from users under the age of 13, personal information is defined for you by the Children's Online Privacy Protection Act (COPPA). The second is how you define it in your own privacy policies and promises. In an interesting twist, this is also regulatory: the Federal Trade Commission (FTC) will monitor your adherence to your own privacy policies, not to some statutory ideal, and that adherence still has the force of law. But there are a few other definitions to look at.
At its most expansive, personal information, or more formally personally identifiable information (PII), includes any information that can be used to derive the identity of a person. The National Institute of Standards and Technology (NIST) defines PII as
any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
This definition, published in April 2010 by the Computer Security Division of NIST in Special Publication 800-122, combines many concepts previously discussed in the Government Accountability Office's (GAO) May 2008 report on privacy.
Now we come to the most important definition of personal information: the user's definition. This is where it gets the most complicated, and it is usually where brands and companies give the least time and thought. It is also where you will get into trouble the fastest. If your users think that the site they were just using was personal to them and you don't treat that information accordingly, you could lose them. It's not fair, and compliance professionals like bright lines. In the arena of user engagement and perception there is no such bright line. Get over it.
Now look at your data collection practices. What information do you need to collect to accomplish your business objectives? Then disclose to your users where your needs and their perceptions lie, especially where the two diverge.
Third Party Sharing
We have looked previously at the data sharing practices of some social networks, and there is instructive language there. My opinion is that unless your monetization strategy includes selling your user data for profit and fame from the outset, don't leave yourself that wiggle room. Any perception that you are doing something with your user data that doesn't directly benefit the user will come back to haunt you.
Third party sharing includes sharing information with any outside entity, and that includes governmental entities. You will get subpoenas and court orders for user data. These may be as simple as requests for data in divorce proceedings, or as serious as investigations into terrorist activities. We have all seen the 'pursuant to a lawful order by a court of competent jurisdiction' language in privacy policies. What I haven't seen is language about alerting the user. I think you owe it to your users to do the right thing and let them know when their information is ordered to be shared. Consider adding language like 'as allowed, we will inform you of such data requests.'
This comes down to a notice component as well as a control component. While governmental requests are one beast, you should also look at your downstream practices with other commercial entities. This is where the user will feel the use more personally.
Public Relations Crisis
I think the situation faced by all of the brands implicated in the government data sharing allegations is difficult. I do not envy anyone there having to work through it. There are going to be times when data is requested and you cannot tell anyone about it. Document it, and keep good records of those requests and what was shared. What about systemic access to user information? I have a problem with any justification that supports systemic access to user information by the government. That being said, if you have to support such access, again, document it.
Third parties and commercial uses are a bit more present, I would think. As you build information sharing conduits, consider putting kill switches into your processes. Consider giving partners query access to the information rather than copies of it, so you can monitor exactly what is being used. If you take that approach, shutting it off becomes an easy step. If you hand over databases, your control is gone, and so are your users.
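What query access with a kill switch and a disclosure record can look like in code, as an added example that is not from the original post. It serves both the record-keeping point above (every request, including the ones you are ordered to fulfil, lands in one log with its purpose) and the kill-switch design: partners ask for named attributes of one user at a time, each partner is limited to the attributes it was granted, a request for anything more is refused outright rather than trimmed, and revoking a partner fails every later query closed while keeping its history. PartnerGateway, AccessDenied, the partner names and the user records are all hypothetical, and the records are constructed sample data.

```python
"""Query-based partner access with a per-partner kill switch and a disclosure log.

Added example, not code from the original post. PartnerGateway, AccessDenied,
the partner names and the user records are hypothetical; USERS is constructed
sample data standing in for the real user store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

USERS = {
    "u1001": {"email": "alice@example.com", "zip": "02139",
              "favorite_color": "blue", "dob": "1985-04-12"},
    "u1002": {"email": "bob@example.com", "zip": "94110",
              "favorite_color": "green", "dob": "1990-09-30"},
}


class AccessDenied(Exception):
    """Raised when a partner is disabled or asks for more than it was granted."""


@dataclass
class Partner:
    name: str
    allowed_fields: Set[str]  # the only attributes this partner may ever see
    enabled: bool = True      # the kill switch; False fails every query closed


@dataclass
class Attempt:
    when: str
    partner: str
    user_id: str
    fields: List[str]
    purpose: str   # e.g. "delivery", or the reference of a court order
    outcome: str   # "granted" or "denied"


class PartnerGateway:
    """Partners query individual attributes through here; nobody gets a dump."""

    def __init__(self, users: Dict[str, Dict[str, str]]):
        self._users = users
        self._partners: Dict[str, Partner] = {}
        self._log: List[Attempt] = []

    def register(self, name: str, allowed_fields: Iterable[str]) -> None:
        self._partners[name] = Partner(name, set(allowed_fields))

    def revoke(self, name: str) -> None:
        """Flip the kill switch. Past disclosures stay on record."""
        self._partners[name].enabled = False

    def _record(self, partner, user_id, fields, purpose, outcome) -> None:
        self._log.append(Attempt(datetime.now(timezone.utc).isoformat(),
                                 partner, user_id, sorted(fields), purpose, outcome))

    def query(self, partner_name: str, user_id: str,
              fields: Iterable[str], purpose: str) -> Dict[str, str]:
        fields = list(fields)
        partner = self._partners.get(partner_name)
        if partner is None or not partner.enabled:
            self._record(partner_name, user_id, fields, purpose, "denied")
            raise AccessDenied(f"{partner_name}: access disabled")
        excess = set(fields) - partner.allowed_fields
        if excess:
            # Refuse the whole request instead of silently trimming it, so the
            # partner's over-reach shows up in the log as a denied attempt.
            self._record(partner_name, user_id, fields, purpose, "denied")
            raise AccessDenied(f"{partner_name}: not permitted {sorted(excess)}")
        user = self._users[user_id]
        self._record(partner_name, user_id, fields, purpose, "granted")
        return {f: user[f] for f in fields}

    def disclosures(self, partner_name: Optional[str] = None) -> List[Attempt]:
        """What was actually shared, optionally filtered to one partner."""
        return [a for a in self._log if a.outcome == "granted"
                and (partner_name is None or a.partner == partner_name)]

    def attempts(self, partner_name: Optional[str] = None) -> List[Attempt]:
        """Every request, granted or denied."""
        return [a for a in self._log
                if partner_name is None or a.partner == partner_name]


def demo() -> Dict[str, object]:
    """Walk a hypothetical shipping partner through grant, over-reach and revocation."""
    gw = PartnerGateway(USERS)
    gw.register("shipping-co", ["zip"])
    granted = gw.query("shipping-co", "u1001", ["zip"], "delivery")
    try:
        gw.query("shipping-co", "u1001", ["zip", "email"], "marketing")
        over_reach = "allowed"
    except AccessDenied:
        over_reach = "denied"
    gw.revoke("shipping-co")
    try:
        gw.query("shipping-co", "u1002", ["zip"], "delivery")
        after_revoke = "allowed"
    except AccessDenied:
        after_revoke = "denied"
    return {"granted": granted, "over_reach": over_reach, "after_revoke": after_revoke,
            "disclosed": len(gw.disclosures("shipping-co")),
            "attempted": len(gw.attempts("shipping-co"))}
```

The shape matters more than the specifics: because the partner never holds a copy, `revoke` is a real control rather than a contractual hope, and because the log is written on both the granted and the denied path, the record you would need during a breach inquiry, or to answer a user asking what was shared about them, already exists.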
Back to Basics
When it comes to user data collection and use practices, legwork up front will save you in heartache down the road.
- What do you need to collect? I emphasize the word need here. In order to accomplish your business objectives, what do you absolutely need to collect? Do you need to know my favorite color?
- What do you want to collect? This is the future-proofing part of the discussion. Look at future needs based on product or business roadmaps. I think it is a better idea to disclose that up front, before you really need to collect it, so your users aren't too surprised.
- How do you plan to collect it? This will inform how you work on the various platforms out there. Depending on what you are doing to get the information, you may need to build in platform-specific functionality to visually disclose such collection to the user. Think of the compass-like location arrow on iOS.
- Who will you share it with? This is the topic of this blog post. Who are you sharing it with, and for what reason? If you are monetizing that data, you need to let users know ahead of time. Build in the right carve-outs regarding governmental data requests.
- How will you protect, store and delete that data? Are you holding data after the user deactivates their account? Why would you? If you do, you need to let users know, and I would also include a statement as to why.