By

A Primer on Privacy

The Public Trial of Samsung’s SmartTV

In early February 2015, Shane Harris at the Daily Beast reported on a provision in the Samsung’s Privacy Policy:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

This clause sparked outrage, and comparisons to Big Brother in George Orwell’s 1984, online:

“Samsung’s Smart TV privacy policy sounds like an Orwellian nightmare” – The Verge

“Careful what you say around your TV. It may be listening. And blabbing.” – The Daily Beast

“Left: Samsung SmartTV privacy policy, warning users not to discuss personal info in front of their TV Right: 1984” – Parker HigginsEFF Activist (as shown in the above image)

Samsung was forced to act quickly. By amending its policy for clarity and revealing more about how the system works in a blog post titled “Samsung Smart TVs Do Not Monitor Living Room Conversations,“ the company attempted to stem the tide of complaints from privacy and consumer advocates. The voice recognition system would only be triggered by the user pressing a button on their television remote or the user stating one of the several predetermined commands. In the latter event, voice data is apparently not transmitted. Samsung also identified who the third party would be, Nuance Communications, Inc. Additionally, they guaranteed that it would be possible opt out of the voice recognition system entirely.

While the system Samsung described isn’t particularly novel, and likely doesn’t reveal anything secret, it did initially provoke some visceral reactions. The internet storm surrounding the policy started conversations, yet again, about the privacy practices of services and companies we engage with every day. For the entrepreneur, it should serve as a reminder and incentive to develop your policies early, review them often, and ensure compliance with your own polices. This post will serve as a primer on the essentials of privacy policies.

Privacy Policy Basics

 What is a privacy policy?

A privacy policy is a document that describes to users of your service, usually a website or mobile app, the data you will be collecting, how it will be collected, and how you will be using it. Depending on the nature of your website this data could range from usernames, email addresses, and very limited browsing information stored in a cookie to highly sensitive personal information such as credit card numbers, health records, personal names, and addresses. A privacy policy will typically discuss your intentions for the data and how it is stored and transferred securely. If you intend to process some information about your users for directed advertising, or sell user information directly, you should disclose information relating to what data is shared, what kinds of third parties (meaning companies the interaction with which the user will have no control over or possibly knowledge of) will be handling the data and how the data is secured.

Why do you need one?

In the US, there is no general federal requirement that a service provides a privacy policy. Instead it is a patchwork of statutes that cover services targeted to children (COPPA), financial services and banks (FCRA), and health-care providers (HIPAA), among others. However, some states have taken it upon themselves to mandate this kind of disclosure. Specifically, California requires “any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site.” This may include posting the policy directly on your web site homepage, or linking to it using the word Privacy. Here is a more in-depth explanation.

Many countries and regions have created their own standards and regulations. The European Union has highly developed privacy law and has a set of principles endorsed through a directive: transparency, legitimate purpose, and proportionality. While the US government has created a program for US companies to comply with these principles, any company specifically planning to do business in Europe or collect data from individuals from the European Union should exercise great care. (For the curious, the summary article on Wikipedia is a quick introduction).

In the US, the Federal Trade Commission is responsible for regulating business practices and has the potential to issue fines for unfair practices. Failure to adhere to your own policies can be such a practice. The company facing liability may have acted deliberately, or may simply have inadvertently given access to an untrustworthy outside party.

Consumers are beginning to pay attention to privacy and security. As demonstrated by the Samsung debacle, a company that is clear, concise, and open with their privacy policies may have a leg up in organically growing goodwill while a company that is deceitful, deliberately confusing, or formalistic in their policies risks at best embarrassment and possibly outrage or loss of customers.

Lastly, if you plan to publish a mobile app, Apple, Google, and Microsoft may require a privacy policy accessible from your app or the respective store.

How do you write one and what should you be thinking about?

It is likely not wise to rely solely on a free privacy policy generator (easily found through an internet search). At the bare minimum, you should be highly critical of anything generated without an in-depth analysis of your business needs and practices. While writing your company’s privacy, you will want to consider:

1) What information are you collecting? What do you need?

Are you collecting everything just in case it becomes useful? Are you processing payment information or health information? Is your service covered by COPPA, or another special federal regulation? Are user interactions with the website tracked and logged?

Specifically identify the types of information collected.

2) How are you going to use and protect the data?

Are you recording information to improve usability and meeting consumer demand? Do you plan on generating revenue through targeted advertising? Is the information securely stored on servers you maintain or through another provider? Will the data be sent to outside companies and if so, what do their policies look like?

You don’t need to reveal secrets about your company’ strategy, and obviously you shouldn’t give away anything sensitive about your data security policies, but make sure your customers know their information is safe.

3) Are there chances that your uses will evolve?

This is where knowledge of your business plans becomes important. Are you engaging in a high growth model, with revenue to come later? Is it foreseeable that you may need to open up your data collection to another party for auditing purposes? How much control will you be giving to your users regarding storage of their information?  Even if you later revise your policy, you might need users to affirmatively opt-in to the revised policy in order for it to cover data collected under the prior policy.

4) How do you plan to notify your users of changes?

By being open (or even collaborative) with your users, you can quickly foster a sense of community and trust. In the alternative, by alerting them to updates to your policy or describing what was changed and why you can keep control over your terms without being seen as having an ulterior motive. It is important to designate the date your policy becomes effective for the initial version and each update.

5) How advanced will your user base be?

In some cases it may be preferable to provide an additional slimmed down version of your policy that explains your behavior in simpler terms. This could also be accomplished through creative uses of formatting and headings. There are a variety of approaches to this ranging from a basic approach to a sophisticated summary of terms.

 

 

By

COPPA: Protecting Children’s Privacy Online

COPPA is designed to protect the privacy of children, but complying with COPPA can be difficult for startups.

COPPA is designed to protect the privacy of children, but complying with COPPA can be difficult for startups.  Attribution: Mike Licht.

Do you operate a website or app that is targeted at children? Even if your website or app is targeted at a general audience, do you know that you collect some personal information from children? If you answered either of those questions with a “yes” or even a “maybe,” there is a good chance you are subject to the Children’s Online Privacy Protection Act of 1998 (COPPA). Under COPPA, operators of a website or online service directed to children under the age of 13, or who knowingly collect personal information from children under the age of 13, are generally prohibited from collecting this information without parental consent. While there are exceptions and safe harbors to this general rule, compliance can be quite burdensome for start-ups with limited resources.

The Trouble with Verifiable Parental Consent

The Federal Trade Commission (FTC), charged with regulating COPPA, proclaims, “the primary goal of COPPA is to place parents in control over what information is collected from their young children online.” Hence, compliance with COPPA requires some method of obtaining verifiable parental consent for the operator to use, collect, or disclose a child’s personal information. This is the hurdle that trips up most startups falling under COPPA. As you can see below, the process of obtaining this consent is burdensome and inconsistent with the startup’s efforts to onboard new users with as little friction as possible. One FTC-recommended approach requires operators covered by the rule to perform all of the following:

  1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  4. Provide parents access to their child’s personal information to review and/or have the information deleted;
  5. Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

As a writer, I will be lucky if you actually read through all seven steps, let alone comprehended what each required for compliance. Now, imagine trying to advise a start-up to implement each of those . . . yeah, right.

Why You Should Comply with COPPA

While there are exceptions to obtaining prior parental consent, they are too narrow for the scope of this post, and unlikely to have much impact on COPPA compliance. So, why should operators care about being subject to COPPA, and how can they reasonably comply? Violators of the rule can be held liable for civil penalties of up to $16,000 per violation, which can add up quickly and debilitate a cash-strapped start-up from moving forward.

Realistic Solutions for Complying with COPPA

1. Don’t Fall Under COPPA by Clearly Avoiding Children User’s – The cheapest and easiest way to comply with COPPA is to simply not fall under the rule in the first place—don’t target children under the age of 13, and ensure that you aren’t collecting personal information from children under the age of 13.

2. “Age-gate” to Avoid Falling Under COPPA – In order to avoid COPPA’s coverage, consider using one of the following free options that utilize an “age gate” function, which requires a user to enter their date of birth in order to certify their age, before entering a website or app:

  1. If the user is under the age of 13, you can just deny their access to the website or app.
  2. If the user is under the age of 13, you can also allow the user to only access the online service through a “safe-mode” that does not collect, use, or disclose a child’s personal information. This means prohibiting a child from setting up any type of account or profile, and requires close monitoring of a child’s activities. For example, any text or input of any kind from a child must be monitored to prevent identification of the anonymous user profile.

3. Use a Safe Harbor Program – One plausible route for obtaining verifiable parental consent is through the FTC-approved COPPA safe harbor programs. Examples of these safe harbor programs include iKeepSafe, KidSAFE, and TRUSTe. While there seems to be some uncertainty surrounding these programs, the prospect of having service providers handle companies’ COPPA compliance is appealing and most likely the direction we are heading. These programs can serve as a portal for parents to read the privacy policies of multiple websites and provide consent, all in one easy-to-use location. Of course, this comes at a cost.

Understandably, some operators will fall under the umbrella of COPPA due to their business model. In this case, it is highly recommended that you consult a COPPA compliance attorney before launching the online service. However, if it is possible to exclude children from your online service, consider the aforementioned approaches for bypassing COPPA.

By

Visiting Your Competitor’s Web Page: Should Entrepreneurs be Concerned?

Competitor Website Pic.v3

Entrepreneurs, you can check out your competitors. But it’s likely they’re watching you watch them.

Data Collection and the State of the Internet

Data collection is an integral and expected practice of the internet. In fact, many companies, both established and new alike, rely on it for their continued existence. Data serves a critical role in either their marketing strategies or monetization strategies. Or in some cases, both. This data provides useful information essential to adjusting and tailoring a company’s business strategy. Both websites and third-party advertisers collect data.  This data includes IP addresses, location, and web history. Since the practice is unlikely to go away, the question becomes “as an entrepreneur, should I be worried about visiting my competitor’s website?” The good news is that there are some things that can be done to minimize the information a competitor learns about you from your visit to their website. This blog post will cover: 1) some of the technology involved, 2) examples from Facebook’s data usage and privacy policies, and 3) some suggestions going forward.

Technology involved

Numerous free or low-cost tools exist for a company (such as one of your competitors) to ascertain the affiliation of visitors to the company’s website.

Cookies

Cookies are small text files created when a user loads a website. Every time the user returns to the site, the browser sends this file to the site’s server. Both websites and ad servers create cookies on a site. Important for our purposes, cookies inform how and when ads are shown.  You can learn more about cookies here.

Pixel tags

Pixel tags are small blocks of codes on a webpages that allow websites to read and place cookies. The resulting connection can include information such as the person’s IP address, the time the person viewed the pixel, and the type of browser used.  You can learn more about pixel tags and how Facebook uses them here.  

Web Analytics

Services such as Quantcast, Google Analytics, KISSmetrics provide extensive data. They include demographic information (age and gender), location information, time on site, and other metrics. IP addresses by themselves will give away a user’s location and network information. For instance, visit IPInfo’s free geolocation databases.  Users are greeted with IP address information on the right-side of the screen (IP address, country, region, city, and time). These services can be free or paid, and therefore, there aren’t significant barrier to entry. A basic (yet still comprehensive) version of Google Analytics is available for free.

Examples from Facebook Data Use Policy and Practices

As it has become a part of many people’s daily habits, Facebook may become a problem for the cautious entrepreneur. First, Facebook may increase your competitors screen time as a user’s information and web traffic affect advertising. Second, it may tip off your competitors as to your presence.

Facebook is rather explicit (but not entirely straightforward) in its online policies. Facebook’s privacy page states that they receive data from and/or about “the computer, mobile phone, or other devices you use to install Facebook apps or to access Facebook.” This information may include your “IP address or mobile phone number, and other information about things like your internet service, operating system, location, the type (including identifiers) of the device or browser you use, or the pages you visit.” Facebook additionally receives data whenever you visit other websites, games, and applications that use the Facebook platform or use a Facebook social plugin.

Certain information on Facebook WILL ALWAYS REMAIN PUBLIC UNLESS DELETED. For our purposes, this includes name, user ID, and networks.

Facebook’s cookie policy

Facebook may read a cookie so they can show you ads that may be interesting to you on Facebook or other websites. They also use a cookie to learn whether someone who saw an ad on Facebook later visited the advertiser’s site. Similarly, Facebook partners may use a cookie or another similar tech to determine whether they’ve shown an ad and how it performed. Information may be shared with partners.  More more information, wee Facebook’s cookie policy here. 

Facebook Page Analytics

For a Facebook page, you can see how many people your post reached, how many people clicked it and how many people clicked it, commented on it, or shared it with their friends. The Facebook Pages feature allows administrators (or rather your competitors) to identify the location of users who have seen “any content associated with [their] page.”  

What does this all mean for the entrepreneur?

The problem for entrepreneurs is two-fold. First, you may be tipping off your competitors about your presence (and your interest in your competitor). Second, you may be increasing your competitor’s web traffic.

In the first instance, as explained above, by merely visiting your competitor’s website, your competitor is likely capable of learning your location, gender, and age (inferred age group. Furthermore, your competitor might be able to identify your network.To combat this, you may consider using the TOR browser.  The TOR software prevents tracking by “bouncing your communications around.” Your internet traffic is carried over a network of different relays, which are hosted by volunteers globally. According to the TOR site, “it prevents somebody watching your Internet connection from learning what sites you visit, [and] it prevents the sites you visit from learning your physical location.”[5]

Private browsing does not anonymize your data. IP addresses and other related information may still be collected. Private browsing only prevents cookies from being stored once the browsing window has been closed. However, a private browsing session will not read cookies from other sessions.

The second situation is not nearly as avoidable. Increased visits to a competitor’s website will increase web traffic. The cookie stored from that site will inform Facebook and other advertisers that you have viewed that site. As a consequence, it will then serve up more ads related to that site/product. Additionally, the more visits a page receives, the more likely it is to show up in search results and other advertisements in general. If you want to research your competitor, this consequence is almost inevitable.

Conclusion

Data collection is here to stay. As privacy policies change, entrepreneurs should be mindful of their internet behaviors, and they should remain up to date on policies. While you can cover some tracks, some things are unavoidable and are the cost of doing business.