Last week, Facebook held Privacy@Scale, a privacy conference with a unique focus – the end user.
These days, the agenda at most privacy events is almost always focused on legal or regulatory uncertainty – will we get a privacy law in the United States? Is the proposed EU regulation ever going to get passed?
To Facebook’s credit, Privacy@Scale focused on what companies can or should be doing right now about end user privacy, irrespective of all this regulatory uncertainty. And during the conference, we got glimpses of how companies continue to innovate around the fair information practices or “FIPs” – notice, consent, access, security, and enforcement.
For instance, companies making connected cars aren’t debating whether or not to have a privacy policy; rather that discussion has moved onto what the privacy notices should look like, whether sounds or icons can play a role in enlivening text-based policies, and what happens if the device screen is either very small or non-existent.
What are the FIPs?
The FIPs are the basic building blocks of any privacy program. They were first articulated in a 1973 report from the US Department of Health, Education, and Welfare entitled “Records, Computers and the Rights of Citizens.” It was the first time a government report had focused on the effects of “automated data processing” on US citizens. Now, in the post-Snowden era, the introduction by Caspar Weinberger (then Secretary of the department) reads as remarkably prescient, and even a bit sinister:
“Computers linked together through high-speed telecommunications networks are destined to become the principal medium for making, storing, and using records about people…”
The FIPs never became the basis of a general commercial data collection law in the US (the US still lacks such a law today), but they did form the foundation of the requirements in several narrower US laws, including the 1974 Privacy Act, which obligates the federal government to safeguard the personal information it collects about US citizens. Interestingly, most of today’s global data protection frameworks incorporate and expand on the FIPs; for example, the European Union’s data protection law expands “notice” into two additional requirements, purpose specification and use limitation.
Step up your FIPs!
With this background in mind, should you “step up your FIPs?” Absolutely. The FTC formally adopted the FIPs in a 2000 report, and the agency continues to refine how it applies them when evaluating end user privacy harm. App advertisers and marketers should therefore know each FIP and how it is implemented both in the product or app’s user experience and in backend processes.
Notice – Be transparent, and make sure privacy policies provide “meaningful” notice about data collection and use. Don’t make promises you aren’t keeping. The FTC brought an action against Snapchat on the basis of the company’s privacy notices and other statements claiming that user messages would “disappear” after a set period of time. In reality, recipients could retain messages, including by using third party apps.
Consent – Also known as choice and control. Getting end user consent for data collection and use is a must – including getting express consent for collection of “sensitive” data categories like the precise location of the end user’s device.
Access – Provide a way for end users to review, correct, and where possible delete the data you hold about them. This includes honoring the opt-out mechanisms you promise, as the FTC showed in its recent action against Nomi Technologies, a retail tracking firm whose privacy policy promised an in-store opt-out that was never actually made available.
Security – Secure all personal data with appropriate organizational and technical measures to prevent unauthorized access or disclosure. The FTC has brought actions against Credit Karma and Fandango for misrepresenting their security practices and failing to secure consumers’ sensitive personal information; in both cases the companies’ mobile apps had disabled SSL certificate validation, exposing user data in transit to interception.
Enforcement – This includes government regulation as well as self- and co-regulatory frameworks such as the Digital Advertising Alliance (DAA) mobile guidelines or the Network Advertising Initiative (NAI) code. It is also important not to misrepresent or misstate your membership in a regulatory framework or safe harbor. The FTC made this point most recently when it finalized two actions against companies for misstating their EU-US Safe Harbor participation status.
Pay attention to DAA, NAI and other self-regulatory requirements
This last point is especially worth thinking about. In the last two months, we’ve seen two significant self-regulatory announcements:
- The DAA will start enforcing its mobile guidelines in September 2015 for all entities engaged in interest based advertising and cross-app data collection. These guidelines build on the DAA’s Self-Regulatory Principles for online behavioral advertising, or “OBA.” The DAA Principles are an important self-regulatory program and are based in part on the FTC staff’s 2009 OBA principles.
- The NAI has released guidelines for the use of non-cookie-based technologies (e.g. digital fingerprinting), building on the NAI code. The NAI categorizes companies as either first parties (which collect and use data on their own behalf) or third parties (companies engaged in either “cross data advertising” or “ad delivery and reporting” on behalf of other companies).
It’s important to determine whether you fall within the scope of one of these self-regulatory programs. For instance, the DAA has stated that its principles cover “all companies engaged in [interest based advertising] and multi-site, multi-app data collection activity for permissible use,” regardless of whether you are a DAA member.
In closing…
It’s a good time to revisit how you are incorporating the FIPs into your privacy program and your app’s experience. As numerous FTC actions have shown, incorporating these requirements is an important step toward meeting your compliance and legal obligations. But the FIPs are also a critical piece of earning trust, because doing so shows end users that you respect their privacy rights and are a trustworthy steward of their personal data.
And as more companies adopt practices based on a common framework, self-regulation becomes a more viable alternative to legislation. Unlike a law, self-regulation can keep pace with evolving technology. Innovative companies should therefore be looking at this approach as a way to stay compliant while continuing to innovate.
Want to learn more about stepping up your FIPs? Then don’t forget to attend TUNE’s “FIPs for Apps” Workshop at Postback this year.
Author
Becky is the Senior Content Marketing Manager at TUNE. Before TUNE, she handled content strategy and marketing communications at several tech startups in the Bay Area. Becky received her bachelor's degree in English from Wake Forest University. After a decade in San Francisco and Seattle, she has returned home to Charleston, SC, where you can find her strolling through Hampton Park with her pup and enjoying the simple things between adventures with friends and family.