I had the privilege of sitting on a panel yesterday called the Apps Privacy Panel, put on by Silicon Flatirons and the App Developers Alliance. When I was first asked to sit on the panel, I wasn’t sure what value I could add. I’m not technical and I don’t follow the field of privacy and data security closely. But Brad Bernthal said he was looking for someone with an entrepreneur’s perspective, so I agreed. We were joined by a couple of attorneys including Bryan Cave’s Jason Haislmaier, and most interestingly by Julie Brill of the Federal Trade Commission. The conversation was more stimulating than I expected. Intriguing, in fact.
Privacy and security are things like – what data are people allowed to collect about us? What can they do with it? Who can they share it with or sell it to? For instance, we’ve all seen the Google ads, when you’re in your Gmail inbox, for products that relate to the topic of an email you’re reading. Google is using data in your email to display relevant ads to you. So maybe if you’re pregnant, and you’re talking about it with your friend in an email, Google might display an ad for a crib. But can Google share info about your pregnancy with others? Can they tie it back to you as an individual? Can they sell that data to potential employers who might not hire you if they knew you were pregnant?
The landscape of privacy and security is not well regulated YET. There are mostly just some common sense guidelines to keep us doing the right thing. But data privacy is a massive concern, so I believe it’s only a matter of time before legislation kicks in to regulate it to death. This is good news/bad news for entrepreneurs. The good news is that it’s not regulated yet, thus expenses dedicated to following the law here are minimal. Regulation = overhead/infrastructure, and when you’re a startup, you really want to be focusing on your product or service, not on overhead and infrastructure. I think (maybe naively) if we, as software engineers and companies, can do the right thing with data and privacy, there will be little reason for the government (like the FTC) to step in and regulate it. So – DO THE RIGHT THING PEOPLE!
The bad news is that b/c it’s not regulated yet, there are a lot of gray areas around what the right thing is – and it only takes one or two bad players to spoil it for everyone.
I won’t rehash the entire panel’s conversation for you, but I thought I’d share a few key takeaways from my perspective. Here’s generally what I learned to help guide you in making sure you do the right thing.
- If you’re developing an app or website that is involved with youth, medical, financial, or employment information, or you’re selling data you collect to a third party, get yourself a good attorney that understands the landscape. Let them be your guide. Don’t try to learn it on your own.
- Better yet, everyone should just talk with an attorney about best practices for data privacy and security. If you build it into your app early on, it’s much less costly than fixing it retroactively.
- Be transparent about what data you’re collecting and what you’re doing with it.
- Use easy-to-understand, clear UI/UX practices to effectively communicate to your users what data you’re collecting and what you’re doing with it. READ – 31-page privacy policies and terms of service agreements don’t count.
- Ask for permission to collect sensitive information, and protect that sensitive information securely.
- Honor your data promises to your customers.
- When in doubt, ask around. If you’re not sure of the ‘creep factor’ of your app or data collection/storage/usage features, ask around. If it creeps people out, figure out how to communicate the WOW of your app and take care not to sell that data or use it in ways that would upset your customers.
Now go code something.