Posts which are about the intersection of law and technology.
Privacy Policies Are Good For Customer Relations
That’s why I advocate for companies to take pride in their privacy policies.
Privacy policies are more than just a legal hoop to jump through. With the fallout from privacy breaches at Facebook, Quora, and Newegg, privacy is moving to the front of customers’ minds. Privacy-forward companies are seeing surges in use (DuckDuckGo searches nearly doubled from 2017 to 2018), and, according to the Pew Research Center, 93% of Americans care who has their personal information, and 90% of Americans care what kind of information is held.
Privacy is now a feature of trusted consumer brands. That’s why it’s important to have thought through your privacy values. You need to understand your business model thoroughly to decide whether the collection, sale, sharing, or storage of user data is necessary to your business, because if not, you may be leaving some goodwill on the table with an overly broad privacy policy.
A broad privacy policy will help protect you during litigation, but it won’t let people know where you actually stand when consumers are deciding which brands to trust.
A good rule of thumb for a solid privacy policy is to follow the rule of the 5Ws – use your privacy policy to tell people:
- Who is collecting their data
- What data is being collected
- When the data will be collected
- Where the data goes
- Why the data is needed; and
- How the data is being collected
The above list is a bit of a simplification, but it gets across the general idea of what goes into a good privacy policy. As you sift through the lives of the people represented in your data, remember that transparency on your end can go a long way toward building trust and lifelong customer relationships.
Five Things Your Startup Can Do to Improve GDPR Compliance Right Now
1. Update Your Privacy Policy
The GDPR is all about transparency and consumer choice. When was the last time you read your privacy policy? When was the last time you read any privacy policy? If you collect data from users of your app or visitors to your website, then there’s a good chance that you need to have a privacy policy. What’s more, you actually need to do the things that are stated in your privacy policy. Being out of compliance with your own privacy policy can open you up to administrative action and lawsuits from more than just the EU. Make sure your privacy policy is up to date with the latest requirements of the GDPR, California, and other jurisdictions – if you collect data on residents of those jurisdictions, you need to follow their laws.
2. Implement or Update Internal Privacy Policies
The GDPR isn’t just about providing user choices; you also need to be able to demonstrate compliance when a regulator requests a demonstration. The logic of this makes sense when you think about what will happen when the EU moves to enforce – they’ll ask you to prove you’re complying, and they don’t have time to comb through your systems to find proof. Having internal policies that are protective of user information will provide a data point that the regulators can rely on to see that you’ve made an effort to comply – there’s failure to comply, and then there’s failure to comply for lack of effort. There’s a chance the regulators would be willing to work with you if they see the failure as innocent and accompanied by a good-faith effort.
3. Provide Users with Choices About How Their Data is Used
As mentioned above, one of the goals of the GDPR is to provide consumer choice when interacting with companies. Being able to offer consumers options with regard to data collection, use, distribution, decommissioning, and review will be necessary for GDPR compliance, so the more privacy is baked into the development process, the better.
4. Update Your Vendor Contracts to Be Privacy Conscious
Under the GDPR, you’re not just responsible for how you use and treat consumer data; you’re also responsible for how consumer data is treated by those you give the data to. If you, as a steward of consumer data, give that data to a payment processor, and that payment processor then uses the data in a way that’s out of compliance with your privacy policy or the GDPR, you can be held responsible for that. One defensive measure you can take is to include privacy and security provisions in each contract you enter into with vendors.
5. Build Your Systems to Demonstrate How You Protect Consumer Data
Gone are the days of simply seeking to protect your data; now you need to be able to prove that you’ve done it. If a European regulator comes knocking on your door asking whether you’re protecting consumer data, telling them you’ve done so is not enough. Instead, you’ll need to show them how the processes work. When a user opts out of marketing materials, can you show that the choice has been memorialized somewhere? Can you show that you work to ensure that those choices are honored? Those are the types of things you should orient yourself toward.
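One concrete way to be able to show both that a choice was memorialized and that it is honored is a tamper-evident consent ledger. The following is an added example, not code from the original post: a hypothetical, constructed Python module in which every consent decision is appended to a hash-chained log, the latest decision for a user and purpose is what downstream systems consult, and the chain can be verified before it is shown to a regulator. The user ids, purposes, timestamps and sources are all constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical, constructed module (not the post's own code): an append-only,
# hash-chained ledger of consent decisions. Each record carries the hash of the
# previous record, so editing or deleting a record in the middle of the
# history breaks verification.

GENESIS_HASH = "0" * 64


class ConsentLedger:
    def __init__(self):
        self._records = []

    @staticmethod
    def _chain_hash(body, prev_hash):
        # Canonical JSON of the record body plus the previous hash.
        payload = json.dumps(body, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def record(self, user_id, purpose, granted, source, when=None):
        """Memorialize one decision (opt-in or opt-out) with its provenance."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev_hash = self._records[-1]["hash"] if self._records else GENESIS_HASH
        body = {
            "user_id": user_id,
            "purpose": purpose,
            "granted": bool(granted),
            "source": source,        # where the choice came from (form, link, support ticket)
            "timestamp": when,
            "prev_hash": prev_hash,
        }
        entry = dict(body, hash=self._chain_hash(body, prev_hash))
        self._records.append(entry)
        return entry

    def current_choice(self, user_id, purpose):
        """The latest recorded decision wins; no record at all means no consent."""
        choice = False
        for r in self._records:
            if r["user_id"] == user_id and r["purpose"] == purpose:
                choice = r["granted"]
        return choice

    def history(self, user_id):
        """Everything recorded for one user, e.g. for an access request."""
        return [r for r in self._records if r["user_id"] == user_id]

    def verify(self):
        """Recompute the chain; False if any record was altered or removed."""
        prev_hash = GENESIS_HASH
        for r in self._records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if body["prev_hash"] != prev_hash:
                return False
            if self._chain_hash(body, prev_hash) != r["hash"]:
                return False
            prev_hash = r["hash"]
        return True


def marketing_recipients(ledger, candidate_user_ids, purpose="marketing_email"):
    """Honor the choices: only users whose latest decision is opt-in get mail."""
    return [u for u in candidate_user_ids if ledger.current_choice(u, purpose)]


def demo():
    ledger = ConsentLedger()
    # Constructed sample history: u1 opts in, then opts out; u2 opts in; u3 never decided.
    ledger.record("u1", "marketing_email", True, "signup-form", "2024-01-10T09:00:00+00:00")
    ledger.record("u2", "marketing_email", True, "signup-form", "2024-01-11T09:00:00+00:00")
    ledger.record("u1", "marketing_email", False, "unsubscribe-link", "2024-02-01T12:00:00+00:00")
    intact = ledger.verify()
    recipients = marketing_recipients(ledger, ["u1", "u2", "u3"])
    # Simulate someone quietly flipping u1's opt-out back to opt-in in storage.
    ledger._records[2]["granted"] = True
    still_intact = ledger.verify()
    return intact, recipients, still_intact


if __name__ == "__main__":
    print(demo())
```

The hash chain only makes in-place edits detectable; to prove that the tail of the log was not silently truncated, the latest hash also needs to be anchored somewhere the application cannot rewrite (a periodically exported digest, a signature, or a write-once log store). The useful property for an enforcement conversation is that the same `current_choice` lookup drives the mailing list, so the record you can show and the behaviour you actually exhibit cannot drift apart.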
As you might have gathered, the GDPR (and other privacy laws) is no joke. When the GDPR was first announced, the EU provided companies with three years of runway to get their systems compliant before enforcing the law. At this point in time, the EU expects compliance. You really should talk to an attorney to make sure you’re in compliance, but hopefully taking these steps will get you part of the way there!
How Common are CyberAttacks?
A recent study conducted by Sophos and Vanson Bourne of 3,100 IT managers globally had some surprising results.
68% of organizations surveyed fell victim to a cyberattack in the last year. That means that these organizations were unable to prevent attackers from entering their network and/or endpoints. Additionally, those organizations that were victim of at least one cyberattack suffered an average of two attacks within the one-year period.
The organizations reported that threats were in their systems for an average of 13 hours before being detected. The report is quick to point out that the 13 hour number represents the minimum amount of time a threat was within the organizations’ systems.
Additionally, the 2018 Verizon Data Breach Investigations Report states that (coincidentally) 68% of cyberattacks take “months or longer” to discover. The disparity between the two statistics is probably accounted for by the difference in capabilities: companies that are breached are not in the business of cybersecurity. Their teams do the best they can with the tools they have, but they are underequipped and unable to analyze and respond to threat horizons with the precision of cybersecurity providers.
These reports highlight the need to have a strong cybersecurity plan in place, not only technical measures but operational ones too.
Over a quarter of attacks come from insider threats, with about 17% of all breaches resulting from employee error and 4% coming from clicks on phishing campaigns.
Insider threats can be partly addressed through technical measures, but they also call for clear policies regarding data operations, regular auditing of compliance measures, and consistent employee training.
A well-equipped, well-prepared team can mean the difference between prevention, neutralization, and recovery on the one hand, and a staggering blow to productivity and consumer trust on the other.
Do You Care About Your Customers’ Rights Enough to Pay Them to Read a Contract?
$10,000 is a cheap price for all of the benefits the company will receive from this move:
- Great publicity. Who doesn’t want to get insurance from a company like that? And now their name is plastered across the internet.
- Great for court. Can you imagine going to court against this company about the language of their policies? “Your honor, I would like to point out that my client incentivized people to thoroughly read their contracts – always.”
- Goodwill from current customers. Even the customers who didn’t capitalize on the offer will have to feel good about their current insurance company. The company feels more honest, and people will be less inclined to shop around for options.
- Encourages transparency. Moves like this, and the benefits that flow from them, contribute to the honest practice of law and to the trust relationship between companies and their customers.
Given the costs of marketing, customer retention, and litigation, $10,000 seems a small price to pay for all that Tin Leg was able to accomplish.
If you’re looking to run your own contest or sweepstakes, make sure to follow good practices! See: Social Media Contests and Sweepstakes.
A Google Cybersecurity Solution for Everyone
The small Google affiliate promises affordable pricing based on the number of employees that a company has rather than the amount of data used. Depending on what those figures end up being – it could have a big impact on the state of cybersecurity regulation.
The FTC is the de facto enforcer of cybersecurity standards among businesses, and they have moving goalposts regarding the adequacy of a company’s cybersecurity practices:
“From the outset, the FTC has recognized that there is no such thing as perfect security, and that security is a continuing process of detecting risks and adjusting one’s security program and defenses. For that reason, the touchstone of the FTC’s approach to data security has been reasonableness—that is, a company’s data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company’s operations, the cost of the tools that are available to address vulnerabilities, and other factors. Moreover, the FTC’s cases focus on whether the company has undertaken a reasonable process to secure data.”
Taken with the possibility of affordable cybersecurity solutions based on company size, smaller ventures no longer have the reasonableness standard to hide behind when they engage in poor cybersecurity hygiene. Even though the standard remains the same, this means “more” regulation.
Even if the potentially lower costs mean adding an extra expense, it’s really a big win for consumers and businesses alike. Consumers can feel more confident in sharing their data with businesses (which is often part of a company’s business model), and companies can rest easier knowing that they no longer have to be the ones who let customer data leak for lack of trying.
The Problem of Algorithmic Bias
Bias is overlaying one’s assumptions and simplifications on top of a complex and nuanced person, idea, system, or thing (1). Bias is part of the human condition; it’s how we function (2). Imagine trying to grasp every subtlety of any given situation at all times: it’s inefficient, impractical, and socially awkward. As functioning adults, and sometimes professionals, we are expected to just know things. Asking questions can feel imposing and embarrassing. That’s just how it is. We as humans are simply uncomfortable with acknowledging uncertainty. Bias is inherent and unending, and its minimization should always be pursued.
Bias is already a problem. There was already so much inherent bias in the way that individuals were living their lives that the law had to be changed (several times) in order to try to mitigate the effects of biases (3). However, as bad as it is, what’s the worst thing that can happen when an individual factors an implicit or even explicit bias into their decision? You think, “Wow, what an asshole.” What if that person is representative of, say, a particular restaurant in a community? You avoid that restaurant, and maybe you have a bad time the first and only visit you make to the restaurant. What if the person is representative of an entire town, state, or country? Suddenly the problem is no longer a negligible and easily avoided nuisance.
The problem with algorithmic bias is the difficulty in detecting it and its cold scalability (4). Even those who actively challenge their own biases can accidentally implement their own biases, and when you’re dealing with products that can be downloaded at the touch of a button and delivered to millions of people instantly, suddenly the scale of that minor problem becomes immeasurable. The problematic program scoops up data and spits it out like pulp from a mill. But despite all best intentions, we’re all subject to the law.
There are two main problems of law with bias. One problem is a priori and one is a posteriori. The experience of believing that the basic essence of a thing is universal to the plurality of instances of that sort of thing requires no applicable experience for the negative implications to be apparent — if one is operating on biases when approaching a person or situation, one is missing the richness of the entirety of the situation or the person’s character. If one is experiencing a bias, one has already diminished the fullness of an experience. The a posteriori problem follows from the search for the a priori problem. The a posteriori problem is one of direct impact on the subject of the bias, as well as the indirect effects, which are far more difficult to define. The indirect effect is the ripple effect, the thumb on the scale. The direct impact of bias is the imbalance created by the effect on the subject; the indirect impact is the affirmation of the initial bias.
- http://www.dictionary.com/browse/bias
- https://www.boston.com/news/science/2013/02/05/everyone-is-biased-harvard-professors-work-reveals-we-barely-know-our-own-minds
- https://www.psychologytoday.com/blog/the-media-psychology-effect/201604/mris-reveal-unconscious-bias-in-the-brain
- http://neuroscience.uth.tmc.edu/s4/chapter06.html
- https://www.law.cornell.edu/constitution/amendmentxiv
- https://www.law.cornell.edu/constitution/amendmentxix
- https://www.theatlantic.com/technology/archive/2016/04/the-underlying-bias-of-facial-recognition-systems/476991/
Blockchain Basics: Legal Implications and Business Viability
Fake News and Social Media
Social Media Contests and Sweepstakes
Contests and sweepstakes on social media can feel like a goldmine: free or low-cost exposure to people through their friends and family? What better way to reach new customers is there?
Social media contests are so ubiquitous that it seems like there must be nothing to them: you have a contest, pick a prize, pick a winner, and you’re done! But they’re not really as simple as they seem.
The UK’s Natural Environment Research Council launched an online poll to name a research vessel, and the public popularly voted for the name Boaty McBoatface. Funny, but not helpful to the NERC.
Taylor Swift set up a contest to perform at the U.S. school that earned the most votes, and the internet took over. If Taylor Swift had followed through on the results of the contest she would have been performing at a school for the deaf.
A small regional paper company with a whimsical manager ended up paying out five winning tickets to a single client and took a hosing after failing to limit each contestant to one winning outcome.
Failing to take into account the mechanics of running a contest, the details of who the winner will be, how they will receive their winnings, and what the legal implications are can lead to embarrassment at best, and lawsuits at worst. These notes should help get you thinking about how to run your upcoming contest or sweepstakes.
Big Picture Questions
Before getting into the nuts and bolts of how you should run a contest, you should ask yourself why:
- Will this bring new customers?
- Will this educate consumers about how to use your product?
- Will a new product be developed from this contest?
- Will this contest fit into our mission and values?
- Do we have a brand media strategy that is prepared for a contest?
If you’ve thought long and hard about whether this is a must for your company, then you’re probably ready to hear about what running a contest will entail.
Hiring Experts
You might be considering hiring an outside company to help you with your contest, or maybe you’re hiring new team members. Here are some points to suss out with the potential hire.
- Do they know what they’re doing?
- Have they done it before?
- What info are they collecting and how are they using it?
- Are the right agreements in place, NDA, security?
- Are they big enough to indemnify you?
Perhaps the most important question when shopping for consultants is, “Are they big enough to indemnify you?” If they fail to perform on their contract; if they can’t provide adequate security against attempts to manipulate the contest; if a consumer sues; if the FTC sues – your indemnity contract means nothing when they are unable to actually financially support the indemnification.
Contest Formats
How should your contest look? Is it a “share for an entry” post? A luck of the draw game? Customers will be quick to point out flaws in your contest if you fail to run a fair contest. Here are some considerations for various forms of contests and sweepstakes.
- Avoid voting
  - Voting fraud at worst, customer complaints at best
- Contests of skill that require specific criteria are good options to limit your liability
  - Ex. Highest score in a game
  - Ex. First to get all questions correct
- Vague criteria can be good to create wiggle room for the outcome, such as artistic contests where a panel of employees judges entries based on:
  - Visual appeal
  - Innovation
  - Feasibility
- Don’t accidentally encourage fake accounts – you could end up violating a platform’s terms
You want to make sure that your customers and the participants in the contest believe that you’re trying to hold a fair contest that engages them in the game.
Dealing with Winnings
You’ve determined who’s going to run the contest. You’ve determined how the contest will be run. Now, you need to make sure your contest doesn’t run afoul of the law.
- If the winner gets over $600, you should issue a 1099
- If the prizes are valued at over $5,000 in the aggregate, then you will have to register in several states for the contest to be legal in those states
  - Registration requires paperwork and bonds for the protection of consumers
  - Failure to register can result in penalties or bans
- Prizes must be described accurately
  - Approximate Retail Value must be accurate
  - Don’t be “cute” about it
    - A radio contest for “100 Grand” gave the winner a “100 Grand” candy bar
    - A “Toyota” prize for the waitress with the most up-sells turned out to be a Toy Yoda
Winners
How you pick the winner is just as important as determining the rules for the contest. Make sure you put some forethought into how the winner selection will play out.
- When determining the winner, make sure to stick to the rules and process you set out at the beginning of the competition
- When notifying the winner, give yourself time – let them know they won, but don’t say what level
- Clear the winner
  - Ensure they meet the qualifications
    - To that end, have entrants accept an affidavit of eligibility (usually very general)
  - Be wary of publicly seen winners; always investigate before publicly announcing a winner
    - Ex. A person with multiple warrants; a person with a swastika tattooed on their face
- What is your plan for the winning entry?
  - Did you give yourself the rights to a commercial?
  - Can you use the winner’s entry in future marketing materials? How about the losing entries?
Some Final Notes and Best Practices
- Have a contingency plan
  - What will you do if a piece of the contest fails?
- Formal rules are the terms of a contest
  - They can’t stop a lawsuit, but solid rules can be a strong defense
  - You must include the rules at all relevant points
    - Ex. No purchase necessary. Legal residents of the 50 states and DC, 18 or older. Ends on xx/xx/xxxx. To enter, and for official rules including odds and prize description, visit URL. Void where prohibited.
- Check platform rules
  - Twitter, Google+, Facebook, etc. (email is also a platform)
- Be clear in your rules
- Never change the rules once the contest begins
  - If someone gets upset over the change, you could face a lawsuit
  - You could no longer have a contract, because you would have an entrant who is in the contest without having agreed to the new terms
- Be prepared to send takedown notices for creative entries that infringe on others’ intellectual property
- If you design a contest to be ugly, it will get ugly
- Be prepared to address the concerns of winners
  - Ex. If there’s supposed to be one winner, but somehow multiple winners occur, you’re still responsible