Posts which are about the intersection of law and technology.
That’s why I advocate for companies to take pride in their privacy policies.
Privacy Policies are more than just a legal hoop to jump through. With fallout from privacy breaches like with Facebook, Quora, and Newegg, privacy is moving to the front of customers’ minds. Privacy-forward companies are seeing surges in use (DuckDuckGo searches nearly doubled from 2017 to 2018), and, according to the Pew Research Center, 93% of Americans care who has their personal information, and 90% of Americans care what kind of information is held.
Privacy is now a feature of trusted consumer brands. That’s why it’s important to have thought through your privacy values. You need to understand your business model thoroughly to decide whether the collection, sale, sharing, or storage of user data is necessary to your business, because if not, you may be leaving some goodwill on the table with an overly broad privacy policy.
A broad privacy policy will help protect you during litigation, but it won’t let people know where you actually stand when consumers are deciding which brands to trust.
A good rule of thumb for a solid privacy policy is to follow the rule of the 5Ws – use your privacy policy to tell people:
The above list is a bit of a simplification, but it gets the general idea across of what goes into a good privacy policy. As you’re sifting through the lives of various people with your data, remember that transparency on your end can go a long way towards building trust and lifelong customer relationships.
1. Update Your Privacy Policy
The GDPR is all about transparency and consumer choice. When was the last time you read your privacy policy? When was the last time you read any privacy policy? If you collect data from users of your app or visitors to your website, then there’s a good chance that you need to have a privacy policy. What’s more, you actually need to do the things that are stated in your privacy policy. Being out of compliance with your privacy policy can open you up to administrative action and lawsuits from more than just the EU. Make sure your privacy policy is up to date with the latest requirements of the GDPR, California, and other jurisdictions – if you collect data on residents from those jurisdictions, you need to follow their laws.
2. Implement or Update Internal Privacy Policies
The GDPR isn’t just about providing user choices, you need to also be able to demonstrate compliance when a regulator requests a demonstration. The logic of this makes sense when you think about what will happen when the EU moves to enforce – they’ll ask you to prove you’re complying, and they don’t have time to comb through your systems to find proof. Having internal policies that are protective of user information will provide a data point that the regulators can rely on to see that you’ve made an effort to comply – there’s failure to comply and then there’s failure to comply for lack of effort. There’s a chance the regulators would be willing to work with you if they see the failure as innocent and with a good faith effort.
3. Provide Users with Choices About How Their Data is Used
As mentioned above, one of the goals of the GDPR is to provide consumer choice when interacting with companies. Being able to offer consumers options with regard to data collection, use, distribution, decommissioning, and review will be necessary for GDPR compliance, so the more privacy is baked into the development process, the better.
4. Update Your Vendor Contracts to Be Privacy Conscious
Under the GDPR, you’re not just responsible for how you use and treat consumer data, but you’re also responsible for how consumer data is treated by those who you give the data to. If you, as a steward of consumer data, give that data to a payment processor, and that payment processor then uses that data in a way that’s out of compliance with your privacy policy or the GDPR, you can be held responsible for that. One defensive measure you can take is by including privacy and security provisions in each contract you enter with vendors.
5. Build Your Systems to Demonstrate How You Protect Consumer Data
Gone are the days of simply seeking to protect your data, you need to be able to prove that you’ve done it. If a European regulator comes knocking on your door asking whether you’re protecting consumer data, telling them you’ve done so is not enough. Instead, you’ll need to show them how the processes work. When a user opts out of marketing materials, can you show that choice has been memorialized somewhere? Can you show that you work to ensure that those choices are honored? Those are the types of things you should orient yourself towards.
As you might have gathered, the GDPR (and other privacy laws) is no joke. When the GDPR was first announced, they provided companies with three years of runway to get their systems compliant before enforcing the laws. At this point in time, the EU expects compliance. You really should talk to an attorney to make sure you’re in compliance, but hopefully taking these steps will get you part of the way there!
A recent study conducted by Sophos and Vanson Bourne of 3,100 IT managers globally had some surprising results.
68% of organizations surveyed fell victim to a cyberattack in the last year. That means that these organizations were unable to prevent attackers from entering their network and/or endpoints. Additionally, those organizations that were victim of at least one cyberattack suffered an average of two attacks within the one-year period.
The organizations reported that threats were in their systems for an average of 13 hours before being detected. The report is quick to point out that the 13 hour number represents the minimum amount of time a threat was within the organizations’ systems.
Additionally, the 2018 Verizon Data Breach Investigations Report states that (coincidentally) 68% of cyberattacks take “months or longer” to discover. The disparity between the two statistics is probably accounted for by the difference in capabilities – companies who are breached are not in the business of cybersecurity, their teams do the best they can with the tools they have, but they are underequipped and unable to analyze and respond to threat horizons with the precision of cybersecurity providers.
These reports highlight the need to have a strong cybersecurity plan in place, not only technical measures but operational ones too.
Over a quarter of attacks come from inside threats, with about 17% of all breaches resulting from employee error and 4% coming from clicks on phishing campaigns.
Insider threats can be somewhat addressed through technical measures, but having clear policies in place regarding data operations, regular auditing of compliance measures, and consistent employee training.
A well equipped, well prepared team can mean the difference between prevention, neutralization, and recovery, and a staggering blow to productivity and consumer trust.
$10,000 is a cheap price for all of the benefits the company will receive from this move:
Given the costs of marketing, customer retention, and litigation, $10,000 seems a small price to pay for all that Tin Leg was able to accomplish.
If you’re looking to run your own contest or sweepstakes, make sure to follow good practices! Social Media Contests and Sweepstakes.
The small Google affiliate promises affordable pricing based on the number of employees that a company has rather than the amount of data used. Depending on what those figures end up being – it could have a big impact on the state of cybersecurity regulation.
The FTC is the de facto enforcer of cybersecurity standards among businesses, and they have moving goalposts regarding the adequacy of a company’s cybersecurity practices:
“From the outset, the FTC has recognized that there is no such thing as perfect security, and that security is a continuing process of detecting risks and adjusting one’s security program and defenses. For that reason, the touchstone of the FTC’s approach to data security has been reasonableness—that is, a company’s data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company’s operations, the cost of the tools that are available to address vulnerabilities, and other factors. Moreover, the FTC’s cases focus on whether the company has undertaken a reasonable process to secure data.”
Taken with the possibility of affordable cybersecurity solutions based on company size, smaller ventures no longer have the reasonableness standard to hide behind when they engage in poor cybersecurity hygiene. Even though the standard remains the same, this means “more” regulation.
Even if the potential lower costs means adding an extra expense, it’s really a big win for consumers and businesses alike. Consumers can feel more confident in sharing their data with businesses (which is often part of a company’s business model), and companies can rest easier knowing that they no longer have to be the ones who let customer data leak for lack of trying.
Bias is overlaying one’s assumptions and simplifications on top of a complex and nuanced person, idea, system, or thing (1). Bias is part of the human condition, it’s how we function (2). Imagine trying to grasp every subtlety of any given situation at all times: it’s inefficient, impractical, and socially awkward. As functioning adults, and sometimes professionals, we are expected to just know things. Asking questions can feel imposing and embarrassing. That’s just how it is. We as humans are simply uncomfortable with acknowledging uncertainty. Bias is inherent and unending, and its minimization should always be pursued.
Bias is already a problem. There was already so much inherent bias in the way that individuals were living their lives that the law had to be changed (several times) in order to try to mitigate the effects of biases (3). However, as bad as it is, what’s the worst thing that can happen when an individual factors an implicit or even explicit bias into their decision? You think, “Wow, what an asshole.” What if that person is representative of, say, a particular restaurant in a community? You avoid that restaurant, and maybe you have a bad time the first and only visit you make to the restaurant. What if the person is representative of an entire town, state, or country? Suddenly the problem is no longer a negligible and easily avoided nuisance.
The problem with algorithmic bias is the difficulty in detecting it and its cold scalability (4). Even those who actively challenge their own biases can accidentally implement their own biases, and when you’re dealing with products that can be downloaded at the touch of a button and delivered to millions of people instantly, suddenly the scale of that minor problem becomes immeasurable. The problematic program scoops up data and spits it out like pulp from a mill. But despite all best intentions, we’re all subject to the law.
There are two main problems of law with bias. One problem is a priori and one is a posteriori. The experience of believing in the basic essence of a thing being universal to the plurality of instances of that sort of thing requires no applicable experience for the negative implications to be apparent — if one is operating on biases when approaching a person or situation, one is missing the richness of the entirety of the situation or person’s character. If one is experiencing a bias, one has already diminished the fullness of an experience. The a posteriori problem follows from the search for the a priori problem. The a posteriori problem is one of direct impact on the subject of the bias, as well as the indirect effects which are far more difficult to define. The indirect effect is the ripple effect, the thumb on the scale. The direct impact of bias is the imbalance created by the effect on the subject, the indirect impact is the affirmation of the initial bias.
Contests and sweepstakes on social media can feel like a goldmine- free or low cost exposure to people through their friends and family? What better way to reach new customers is there?
Social media contests are so ubiquitous that it seems like there must be nothing to them: you have a contest, pick a prize, pick a winner, and you’re done! But they’re not really as simple as they seem.
The UK’s Natural Environment Research Council launched an online poll to name a research vessel, and the public popularly voted for the name Boaty McBoatface. Funny, but not helpful to the NERC.
Taylor Swift set up a contest to perform at the U.S. school that earned the most votes, and the internet took over. If Taylor Swift had followed through on the results of the contest she would have been performing at a school for the deaf.
A small regional paper company with a whimsical manager ended up paying out five winning tickets to a single client and took a hosing after failing to limit each contestant to one winning outcome.
Failing to take into account the mechanics of running a contest, the details of who the winner will be, how they will receive their winnings, and what the legal implications are can lead to embarrassment at worst, and lawsuits at best. These notes should help get you thinking about how to run your upcoming contest or sweepstakes.
Big Picture Questions
Before getting into the nuts and bolts of how you should run a contest you should ask yourself why. Will this bring new customers? Will this educate consumers about how to use your product? Will a new product be developed from this contest?
If you’ve thought long and hard whether this is a must for your company, then you’re probably ready to hear about what running a contest will entail.
Hiring Experts
You might be considering hiring an outside company to help you with your contest, or maybe you’re hiring new team members. Here are some points to suss out with the potential hire.
Perhaps most important question for shopping out consultants is, “Are they big enough to indemnify you?” If they fail to perform on their contract; if they can’t provide adequate security for attempts to manipulate the contest; if a consumer sues; if the FTC sues – your indemnity contract means nothing when they are unable to actually financially support the indemnification.
Contest Formats
How should your contest look? Is it a “share for an entry” post? A luck of the draw game? Customers will be quick to point out flaws in your contest if you fail to run a fair contest. Here are some considerations for various forms of contests and sweepstakes.
You want to make sure that your customers and participants in the survey believe that you’re trying to hold a fair contest that engages them in the game.
Dealing with Winnings
You’ve determined who’s going to run the contest. You’ve determined how the contest will be run. Now, you need to make sure your contest doesn’t run afoul of the law.
Winners
How you pick the winner is just as important as determining the rules for the contest. Make sure you put some forethought into how the winner selection will play out.
Some Final Notes and Best Practices
