A call to arms for compliance competency
Paul H. Müller
Co-Founder & CTO
Sep 15, 2014
When the Safe Harbor agreement was put in place in 2000, its intention was to align US companies with EU personal data protection principles, but a new reform is now necessary to truly protect the rights of EU citizens. User data tracking and capturing has come a long way since 2000. US and other international intelligence agencies are capturing far more private user data than anyone could have initially anticipated. A recent Center for Digital Democracy (CDD) submission to the Federal Trade Commission (FTC) revealed that 30 major US software companies have been violating the Safe Harbor framework by compiling, using and sharing EU consumers’ personal information without their awareness and meaningful consent. Data brokers, data management platforms and marketing partners are being called out for probably violating the safeguards on personal data transfer. Since the news broke a few weeks ago, many of the named companies have updated their privacy policies, yet the broader questions, not only of an investigation of the accused companies by the FTC, which enforces the agreement, but also of an update to the Safe Harbor agreement, have not yet been publicly addressed.
It was only a matter of time until violators would be called out (with potentially serious penalties) for breaking data privacy laws. For many app developers and analytics providers, privacy protection is a heavy claim, but their follow-through proves otherwise. Businesses need to live up to the regulations, which are in place for good reason - including to keep a company from being bankrupted by liabilities that could have been prevented. Developers should first and foremost ask themselves: ‘Do I know where my data is stored at all times and who can access it? Can I guarantee end-to-end encryption and the ability to manage data in the way it is intended?’ If you can confidently answer ‘yes’ to these questions, then you are doing your due diligence, but if the issue makes you a bit uneasy, there are some areas to consider.
Key information such as location, unique device identifiers and even personally identifiable data like the IMEI is almost never encrypted over mobile networks. Why? Because it costs money and takes time. Complying with the highest privacy standards requires end-to-end encryption of user data, and therefore a more complex and expensive infrastructure. Many developers are understandably nervous about flagging this as an issue with their customers, and would prefer to gloss over it. Others may have prioritized usability, design or monetization and come to tracking as an afterthought – something they have to look at after the important boxes are ticked. In such a highly competitive market, the temptation to cut corners is high, but the rewards are not worth the risks.
Where exactly is your user data located and who has access to it? If you’re scratching your head to find the answer to these questions, you are not alone. The problem is not just data distribution to different analytics partners or networks. The simple problem is that mobile attribution tracking can’t tell you where the data is since it’s ‘somewhere in the cloud.’ Many providers relying on cloud-based infrastructure will have a hard time answering this question. The other concern is the amount of data shared from your tracking provider to marketers. Are you in control of what gets shared: which events, your revenue data, private user information and users’ geolocations?
Many tracking providers don’t want to shine a spotlight on this area, as they are aware that their practices breach applicable privacy laws. For others, it is simply a lack of awareness. Developers must trust all the companies that have an SDK in their app and be certain whether or not they are privacy compliant. If you can’t protect the personal data of your users, you may want to reevaluate your business practices - it’s that simple.
The big players, Apple, Facebook and Google, are clearly moving in this direction, with Facebook recently terminating an agreement with two of its biggest Mobile Measurement Partners for failing to adequately safeguard user data. Apple also sent a clear message with its recent crackdown on IDFA usage by analytics providers, effectively preventing illegal user profiling. Google has also signaled its intention to ensure that data is protected, with its new Advertiser ID system coming into play from August 2014.
So, don’t be the one who says, ‘Actually, I have no idea where your personal information is stored, how it got there and who has access to it. And because I don’t know these things, I can’t promise your data is being controlled accordingly.’ Know and act on the laws that are in place, both local and international, and invest time and money to actively consider privacy issues in the earliest stages of product development. Companies that follow privacy and data management standards will continue to be trusted by partners and consumers, and will be able to survive sustainably in this fast-growing market.
This article was originally published on VentureBeat