A Primer on Privacy
— Parker Higgins (@xor) February 8, 2015
The Public Trial of Samsung’s SmartTV
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”
This clause sparked outrage, and comparisons to Big Brother in George Orwell’s 1984, online:
“Careful what you say around your TV. It may be listening. And blabbing.” – The Daily Beast
Samsung was forced to act quickly. By amending its policy for clarity and revealing more about how the system works in a blog post titled “Samsung Smart TVs Do Not Monitor Living Room Conversations,” the company attempted to stem the tide of complaints from privacy and consumer advocates. The voice recognition system would only be triggered by the user pressing a button on their television remote or the user stating one of the several predetermined commands. In the latter event, voice data is apparently not transmitted. Samsung also identified who the third party would be, Nuance Communications, Inc. Additionally, they guaranteed that it would be possible to opt out of the voice recognition system entirely.
While the system Samsung described isn’t particularly novel, and likely doesn’t reveal anything secret, it did initially provoke some visceral reactions. The internet storm surrounding the policy started conversations, yet again, about the privacy practices of services and companies we engage with every day. For the entrepreneur, it should serve as a reminder and incentive to develop your policies early, review them often, and ensure compliance with your own policies. This post will serve as a primer on the essentials of privacy policies.
Why do you need one?
Many countries and regions have created their own standards and regulations. The European Union has highly developed privacy law and has a set of principles endorsed through a directive: transparency, legitimate purpose, and proportionality. While the US government has created a program for US companies to comply with these principles, any company specifically planning to do business in Europe or collect data from individuals from the European Union should exercise great care. (For the curious, the summary article on Wikipedia is a quick introduction).
In the US, the Federal Trade Commission is responsible for regulating business practices and has the potential to issue fines for unfair practices. Failure to adhere to your own policies can be such a practice. The company facing liability may have acted deliberately, or may simply have inadvertently given access to an untrustworthy outside party.
Consumers are beginning to pay attention to privacy and security. As demonstrated by the Samsung debacle, a company that is clear, concise, and open with their privacy policies may have a leg up in organically growing goodwill while a company that is deceitful, deliberately confusing, or formalistic in their policies risks at best embarrassment and possibly outrage or loss of customers.
How do you write one and what should you be thinking about?
1) What information are you collecting? What do you need?
Are you collecting everything just in case it becomes useful? Are you processing payment information or health information? Is your service covered by COPPA, or another special federal regulation? Are user interactions with the website tracked and logged?
Specifically identify the types of information collected.
2) How are you going to use and protect the data?
Are you recording information to improve usability and meet consumer demand? Do you plan on generating revenue through targeted advertising? Is the information securely stored on servers you maintain or through another provider? Will the data be sent to outside companies and if so, what do their policies look like?
You don’t need to reveal secrets about your company’s strategy, and obviously you shouldn’t give away anything sensitive about your data security policies, but make sure your customers know their information is safe.
3) Are there chances that your uses will evolve?
This is where knowledge of your business plans becomes important. Are you engaging in a high growth model, with revenue to come later? Is it foreseeable that you may need to open up your data collection to another party for auditing purposes? How much control will you be giving to your users regarding storage of their information? Even if you later revise your policy, you might need users to affirmatively opt-in to the revised policy in order for it to cover data collected under the prior policy.
4) How do you plan to notify your users of changes?
By being open (or even collaborative) with your users, you can quickly foster a sense of community and trust. In the alternative, by alerting them to updates to your policy or describing what was changed and why, you can keep control over your terms without being seen as having an ulterior motive. It is important to designate the date your policy becomes effective for the initial version and each update.
5) How advanced will your user base be?
In some cases it may be preferable to provide an additional slimmed-down version of your policy that explains your behavior in simpler terms. This could also be accomplished through creative uses of formatting and headings. There are a variety of approaches to this, ranging from a basic approach to a sophisticated summary of terms.