A Primer on Data Privacy

What is data privacy and why does it matter? How did we get here, what does “here” look like, and what’s ahead?

At a recent Switchbit meetup, I presented a primer on data privacy, exploring the past, present, and future of privacy law. Below are my slides, as well as summary takeaways.

Thanks to those of you who attended our virtual event! Join Switchbit’s #PrivacyTech group for updates on our upcoming meetups.

Key Takeaways

  • Data Privacy is here to stay
    • Global regulations are increasing in number and severity.
    • Growing demand for privacy experts in tech.
    • Everybody needs to know the basics, and it’s not rocket science (credible online resources are everywhere).
  • Know the privacy lingo
    • GDPR: personal data, legal basis, controller, processor, sub-processor, data subject, DSR, DPIA.
    • CCPA: personal information, consumer, business, service provider, business purpose, sell.
    • Other: HIPAA, COPPA, PII, PHI.
  • Data isn’t dead
    • Data + Privacy is more than the sum of its parts.
    • The laws still allow enough flexibility to use data. Yes, everything is harder now, but it was too easy before.
  • Practice privacy-by-design and privacy-by-default.
  • Be vigilant: there are lots of bad (or ignorant) actors out there.

Respect data, respect privacy!

Meetup Slides




Could Your Privacy Policy Cope With Explosive Growth?

Zoom’s coronavirus boom-and-bust shows why brands should communicate clearly about privacy

Six months ago, Zoom was a buttoned-down, business-focused video-chat tool with 10 million daily users — but by March, its user-base had surged to over 200 million as the coronavirus pandemic drove countless organizations to move online. Almost overnight, Zoom became not just a household name but a generation-defining cultural touchstone, and its stock price more than tripled.

Great news, right? Well, sure — except that Zoom’s explosive growth also exposed serious weaknesses in its privacy policy. First, it emerged that Zoom’s app was leaking user data to Facebook; later, cybercriminals began trading exploits, meetings were crashed by foul-mouthed “Zoom-bombers,” and it became apparent that Zoom’s vaunted end-to-end encryption didn’t actually exist.

The upshot: serious damage to Zoom’s brand, with corporations banning employees from the service, irate users filing lawsuits, and regulators launching a flurry of investigations. “We have fallen short of the community’s — and our own — privacy and security expectations,” admitted CEO Eric Yuan. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”

Zoom’s growth might have been unanticipated, but its privacy failure was a self-inflicted injury. By following a few simple guidelines, Zoom could have implemented far more effective policies, and spared itself a litany of headaches. So where did Zoom go wrong — and how can you ensure your own company’s privacy policy is ready for whatever the future brings?

1. Compliance is just the beginning

Many companies see the privacy policy primarily as a necessary but annoying document required by law — begrudgingly admitting that such policies are increasingly important given the rise of complex new frameworks such as the GDPR and the CCPA. But don’t take a bare-minimum approach and assume your privacy policy is ready for primetime just because you’ve ticked a few regulatory boxes. Your policy should aim higher, and be transparent, truthful, and forthcoming. Don’t just promise to play by the rules. Go further, and explain in positive terms exactly how you’ll collect, use, and protect your customers’ data.

2. Keep it simple

Your privacy policy doesn’t have to be a fusty legal document: turn it into a living, breathing opportunity to build and strengthen relationships with visitors who have shown an interest in what you do. The key is to thread the needle between using legally precise language, and expressing your company’s approach to privacy in terms that are simple enough for users to understand. It’s a fine line to walk: ambiguities could leave you legally liable, while dense legalese will make customers’ eyes glaze over. Imagine your grandma is reading your privacy policy — if she gets confused, or can’t make it through without taking a nap, then it needs more work. And remember it’s not illegal for the policy to have a little personality.

3. Make your policy a no-spin zone

Treating your privacy policy as a communication tool doesn’t mean putting your PR team in charge and calling it a day. As Zoom learned when it claimed to have E2E encryption, buzzwords and impressive-sounding jargon can come back to haunt you if they don’t reflect how your product actually works. You can’t spin your way to a successful privacy policy, so don’t tell people what you think they want to hear. Just tell them in plain English what you’re actually doing. And if you include specific technical claims, make sure they’re true.

4. Sweat the small stuff

When it comes to your privacy policy, the devil is in the details. The snippet of Zoom’s code that leaked data to Facebook probably seemed inconsequential when it was first written, but when the world started paying attention, Zoom wound up with egg on its face. When thinking about privacy, don’t focus solely on the processes that are central to your business. Ultimately, trivial-sounding cut corners, workarounds, and hand-waved details can harm your brand.

5. Think of the children

Part of the reason Zoom slipped up was that its product, designed for enterprise users, was suddenly adopted by 90,000 schools for online teaching. Zoom got an unscheduled stress-test as children began mucking about with features and settings, and its privacy policies were swiftly put under the microscope by worried parents. The key lesson? Make your privacy policy robust enough to cater to sensitive or specially regulated users — and if kids might use your product, consider having a separate privacy policy to explain how you’ll handle their data.

6. Put your money where your mouth is

Whenever a product gets popular, hackers start sniffing around. Zoom tripped up by failing to anticipate that, and leaving it to its own business partners to root out vulnerabilities in its platform. A better approach: spend some money early on, and pay “white hat” hackers to dig up problems that need patching. There’s little point crafting a transparent, effective privacy policy if you don’t also do your utmost to keep your users’ data safe from cyberattacks and other predictable threats.

Make privacy a priority

It’s easy to sympathize with Zoom. After all, how many startup CEOs can say, hand on heart, that they could handle a twentyfold growth surge without a few growing pains? Ultimately, though, Zoom’s privacy problems were an unforced error. Digital startups are built for rapid growth, so there’s no excuse for having privacy policies that aren’t future-proofed.

The real takeaway is that whatever business you’re in, the days of neglecting privacy are long gone. You never know when your user numbers will skyrocket, and you’ll never get a second chance to make a first impression, so you can’t afford to treat your privacy policy as an afterthought.

Fortunately, the solution is simple: instead of viewing privacy as merely another box to check, bring your whole team into the process, from top-level leaders to legal, technical, and communication experts. Establish privacy as a genuine priority, then use your privacy policy to communicate that commitment and make it a key differentiator for your brand.

Despite Zoom’s missteps, implementing an effective and resilient privacy policy isn’t rocket science. If you take your customers’ privacy seriously, and craft a policy that clearly and honestly explains your values, you’ll be well-placed to succeed — no matter what the future holds.