Author: Fatima Khan, Legal Fellow, Privacy and Technology Project 2012
SXSW Interactive, better known as SXSWi, just ended last week. SXSWi is a wonderful event to experience new startups, applications, and innovations. This year, privacy was a powerful theme at SXSWi because of all of the recent controversy involving mobile privacy policies and practices. As a result, I had an opportunity to speak with many startups about privacy as well as attend panels on privacy. In sum, SXSWi highlighted a critical issue: most startups care about privacy but feel that they lack the resources to properly address it.
Conforming without planning
Generally speaking, startups follow industry practices, but they do so without realizing the consequences they face for failing to disclose their practices or make clear their privacy philosophy. In addition to legal ramifications, failing to design properly for privacy can harm a company by decreasing user trust and generating negative PR.
One recent example is the mobile application Path, which copied iPhone users’ address book information without telling them and failed to encrypt the information it uploaded to its servers. Path treated the act as an accepted industry practice and failed to disclose its actions to its users, creating a privacy nightmare.
What can startups do to avoid such a problem?
Design for privacy. Designing for privacy is not the same as “privacy by design.” Privacy by design consists of promoting consumer privacy at every stage of the development of new products and services. This is a best practice that in reality sometimes conflicts with business needs for privacy, but should be followed as much as possible. Privacy by design is particularly important in light of the Google and Facebook enforcement actions, which make it a requirement that the FTC believes all businesses should implement. Failure to adopt privacy by design could amount to a deceptive or unfair act that results in a violation of the FTC Act. Therefore, startups should design for privacy – integrate privacy by design as much as possible while taking into account business needs.
Startups can design for privacy in many different ways. Below are five key takeaways from SXSWi to help companies design for privacy.
1. Help users understand your privacy philosophy.
Every company has a different privacy philosophy because every company has different needs. Take stock of the personal information that you collect and make sure that users understand how and why you use it. Don’t make promises you will not keep and be transparent about your practices.
2. Make things simple.
Avoid generating “privacy anxiety” via legalese. Companies strive for simplicity with their UI, yet many fail to achieve the same simplicity when telling users about data collection, opt-outs, and privacy controls. Simple words can help create or increase trust.
3. Leave room to grow.
Leave room to grow in policies. Your policies should take into account future company plans and not restrict usage only to particular data. If your company needs to collect information to increase usability or user experience, make sure that it is reflected in your policy and your privacy philosophy.
4. Reach out to your lawyer.
Don’t make your lawyer your last stop. Letting a lawyer understand your design process and examine your UI during development could help ensure a smooth launch for your product.
5. Privacy by Design
Privacy by design is a best practice, so it may be difficult to achieve. However, if you empathize with your users, you may have a better likelihood of understanding how to treat privacy as you develop your product.
The above factors are just a few to consider while designing for privacy – every business has different needs. Privacy is a business decision, so startups should integrate privacy but make sure to account for practical business needs.
This post was originally published on the Hastings Science & Technology Blog.