
A Primer on Privacy

The Public Trial of Samsung’s SmartTV

In early February 2015, Shane Harris at the Daily Beast reported on a provision in Samsung’s Privacy Policy:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

This clause sparked outrage online, along with comparisons to Big Brother in George Orwell’s 1984:

“Samsung’s Smart TV privacy policy sounds like an Orwellian nightmare” – The Verge

“Careful what you say around your TV. It may be listening. And blabbing.” – The Daily Beast

“Left: Samsung SmartTV privacy policy, warning users not to discuss personal info in front of their TV Right: 1984” – Parker Higgins, EFF Activist (as shown in the above image)

Samsung was forced to act quickly. By amending its policy for clarity and revealing more about how the system works in a blog post titled “Samsung Smart TVs Do Not Monitor Living Room Conversations,” the company attempted to stem the tide of complaints from privacy and consumer advocates. The voice recognition system would only be triggered by the user pressing a button on their television remote or the user stating one of the several predetermined commands. In the latter event, voice data is apparently not transmitted. Samsung also identified who the third party would be: Nuance Communications, Inc. Additionally, they guaranteed that it would be possible to opt out of the voice recognition system entirely.

While the system Samsung described isn’t particularly novel, and likely doesn’t reveal anything secret, it did initially provoke some visceral reactions. The internet storm surrounding the policy started conversations, yet again, about the privacy practices of services and companies we engage with every day. For the entrepreneur, it should serve as a reminder and incentive to develop your policies early, review them often, and ensure compliance with your own policies. This post will serve as a primer on the essentials of privacy policies.

Privacy Policy Basics

 What is a privacy policy?

A privacy policy is a document that describes to users of your service, usually a website or mobile app, the data you will be collecting, how it will be collected, and how you will be using it. Depending on the nature of your website, this data could range from usernames, email addresses, and very limited browsing information stored in a cookie to highly sensitive personal information such as credit card numbers, health records, personal names, and addresses. A privacy policy will typically discuss your intentions for the data and how it is stored and transferred securely. If you intend to process some information about your users for directed advertising, or sell user information directly, you should disclose what data is shared, what kinds of third parties (meaning companies whose interactions the user will have no control over, or possibly no knowledge of) will be handling the data, and how the data is secured.

Why do you need one?

In the US, there is no general federal requirement that a service provide a privacy policy. Instead, it is a patchwork of statutes that cover services targeted to children (COPPA), financial services and banks (FCRA), and health-care providers (HIPAA), among others. However, some states have taken it upon themselves to mandate this kind of disclosure. Specifically, California requires “any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site.” This may include posting the policy directly on your web site homepage, or linking to it using the word Privacy. Here is a more in-depth explanation.

Many countries and regions have created their own standards and regulations. The European Union has highly developed privacy law and has a set of principles endorsed through a directive: transparency, legitimate purpose, and proportionality. While the US government has created a program for US companies to comply with these principles, any company specifically planning to do business in Europe or collect data from individuals from the European Union should exercise great care. (For the curious, the summary article on Wikipedia is a quick introduction).

In the US, the Federal Trade Commission is responsible for regulating business practices and has the potential to issue fines for unfair practices. Failure to adhere to your own policies can be such a practice. The company facing liability may have acted deliberately, or may simply have inadvertently given access to an untrustworthy outside party.

Consumers are beginning to pay attention to privacy and security. As demonstrated by the Samsung debacle, a company that is clear, concise, and open with their privacy policies may have a leg up in organically growing goodwill while a company that is deceitful, deliberately confusing, or formalistic in their policies risks at best embarrassment and possibly outrage or loss of customers.

Lastly, if you plan to publish a mobile app, Apple, Google, and Microsoft may require a privacy policy accessible from your app or the respective store.

How do you write one and what should you be thinking about?

It is likely not wise to rely solely on a free privacy policy generator (easily found through an internet search). At the bare minimum, you should be highly critical of anything generated without an in-depth analysis of your business needs and practices. While writing your company’s privacy policy, you will want to consider:

1) What information are you collecting? What do you need?

Are you collecting everything just in case it becomes useful? Are you processing payment information or health information? Is your service covered by COPPA, or another special federal regulation? Are user interactions with the website tracked and logged?

Specifically identify the types of information collected.

2) How are you going to use and protect the data?

Are you recording information to improve usability and meet consumer demand? Do you plan on generating revenue through targeted advertising? Is the information securely stored on servers you maintain or through another provider? Will the data be sent to outside companies and, if so, what do their policies look like?

You don’t need to reveal secrets about your company’s strategy, and obviously you shouldn’t give away anything sensitive about your data security policies, but make sure your customers know their information is safe.

3) Are there chances that your uses will evolve?

This is where knowledge of your business plans becomes important. Are you engaging in a high growth model, with revenue to come later? Is it foreseeable that you may need to open up your data collection to another party for auditing purposes? How much control will you be giving to your users regarding storage of their information? Even if you later revise your policy, you might need users to affirmatively opt in to the revised policy in order for it to cover data collected under the prior policy.

4) How do you plan to notify your users of changes?

By being open (or even collaborative) with your users, you can quickly foster a sense of community and trust. In the alternative, by alerting them to updates to your policy or describing what was changed and why, you can keep control over your terms without being seen as having an ulterior motive. It is important to designate the date your policy becomes effective for the initial version and each update.

5) How advanced will your user base be?

In some cases it may be preferable to provide an additional slimmed down version of your policy that explains your behavior in simpler terms. This could also be accomplished through creative uses of formatting and headings. There are a variety of approaches to this ranging from a basic approach to a sophisticated summary of terms.

 

 
