My work in privacy focuses on helping developers balance privacy with innovation. Recently, I moderated a panel at the Personal Identity Innovation Conference (PII): Baking Privacy into Your App: What Every Developer Needs to Know. This is a critical issue because developers are the first line of defense for consumers, but face huge challenges given the lack of clear regulations, different industry standards, and device-specific variations (mobile vs. browser vs. hardware). And while the focus of this panel was on developers -not many attorneys in the audience! - a few “rules of thumb” emerged from the panel that are useful for developers and the attorneys that work with them.
1. Understand 3rd Party Terms of Service.
Developers use Software Developers Kits (SDKs) built by third parties to add functionality to their software applications. For example, Yelp uses a map to show restaurants provided by Google or Apple (depending on the device). SDK’s are also used to provide analytics on software usage and advertising.
Accepting the Terms of Service (ToS) of these SDKs, however, can put consumer data at risk. These agreements often hide what data is being collected, how the data will be used, and shift the burden of notice to the unknowing developer. Putting the developer, potentially, on the hook for liability as well. Developers, and their attorneys, must read and understand the ToS of any SDK used.
2. Provide Notice to Consumers.
It is increasingly difficult to communicate the nature, type, and amount of information gathered about individuals because of the sheer amount of personal data collected, and the ways data is generated, transmitted, and analyzed. Nonetheless, consumers are increasingly demanding clarity and disclosure about what information is being gathered in a way that is understandable by a non-attorney. Companies must communicate with consumers in a clear way that makes information digestible. It can be difficult to manage this process in a way that lends to a smooth user experience, but companies should err on the side of disclosure and ask for permission.
3. Reputation is an Asset.
Building on the aforementioned concept of Consumer Notice, companies should focus on building a good reputation with users. More specifically, companies should think about ways to incorporate reputation building into the design of software and product development. Reputation requires ensuring communication, i.e., being transparent in how information is collected (consumer notice), disclosing how information will be used, and, in a worst-case scenario, should personal information be exposed, informing users immediately.
4. One Regulation To Rule them All.
If companies only take away one piece of advice, it should be to understand and comply with the Children’s Online Privacy Protection Act (COPPA). COPPA is the one clear regulation that applies to absolutely everything and any violation will be fully enforced, making a company an industry pariah. Also, companies cannot assume children will not have access to their product. Companies should assume children might gain access and should develop their tools accordingly to be 100% certain they are on the right side of the law.
Before we let fear govern all, there was a sense of optimism on the panel. The lack of legal clarity may cause uncertainty, but where clear privacy regulations exist, opportunities abound. Health care and the financial industries are the best examples: both have clear sets of privacy regulations in the United States. The clarity these regulations provide, however, enables companies to develop products with certainty. These regulations also create barriers of entry. Finally, the costs of adhering to the regulations mean consumers are more likely to pay money for applications, mobile or otherwise, in these spaces.
Bonus Point Takeaway: Don’t be Creepy.
It sounds glib, undefined, and abstract, but the panel returned to this takeaway time and time again. Don’t. Be. Creepy. Many of the challenges that have arisen are because a critical mass of users felt the product was too creepy. Before releasing a software application, companies should always ask: does this creep me out? Although creepiness is subjective, it’s a good rule of thumb: if it creeps you (developer or attorney) out, that’s bad.
Charles Belle is the Executive Director of the Institute for Innovation Law and the Research Director of the Privacy Project, at UC Hastings College of the Law. A research program at the Institute for Innovation Law, the Privacy Project engages in applied research and community outreach. In addition to his research, Charles focuses on developing implementable tools to ensure privacy and innovation.