Data Policy 101: What Businesses and Consumers Need to Know About Privacy

With all the critical tasks entrepreneurs face when launching a startup — from how to close the first round of financing, to where to find top talent — writing a data policy may not be at the top of the list. But if your company collects data about customers, you absolutely should have a policy in place for what you do with that data: how you use it in your business, who you share it with (or don’t share it with), how you keep it safe and private and, especially since Edward Snowden’s NSA revelations, what you plan to do if the government comes asking for it.

A clear data policy lets customers know that you care about the privacy and security of their data, that you’re aware of consumer concerns about how data is collected, used and shared, and that you want to be up-front about how those activities work in your business.

So how do you create such a policy? You can find the nitty-gritty of what to cover by looking at what prominent companies’ policies include — Facebook, for example, or Google. But exactly what data your company collects, and what you do with it, is going to depend on what kind of business you’re in and what role customer data plays in how you operate it. Having said that, I’d like to share a few general rules of thumb I think are worth keeping in mind as you think through what your policy will be.

Understand local, national and international law
Customers have every right to know what’s happening to the data they share; in some cases, they have a legal right to the privacy of their data. If your company violates that right, how to hire great talent is going to be the least of your worries. How to hire a great lawyer might be a more pressing concern at that point.

Be sure you understand what the law requires of you. Consult with a lawyer if you need to. You don’t want to run afoul of one of the dozens of local and federal laws relating to data privacy in the US, even unintentionally. The Federal Trade Commission is a good source of information about current laws in this area as well as legislation under consideration.

If you’re doing business in other countries, be aware that laws governing what companies do with data can differ from country to country. For example, they tend to be stricter in European countries than in the US. One company has even posted a guide on how to create a data policy that specifically addresses Germany’s requirements for data protection when embedding Google Analytics in a website – because the requirements are different there.

Even if it’s legal, determine if it’s right
Following the law is important, but it’s also important to remember that just because something’s not illegal doesn’t mean it’s right. Earlier this month, Apple CEO Tim Cook gave a speech questioning whether it’s really all right to expect people to hand over their data to companies in exchange for a better deal on a product or some other similar consideration.

And you know what? He has a point. Sometimes, the way companies go about collecting data from customers may not be right, even if it’s within the law. There’s been a good deal of controversy recently about Uber’s new data policy that will allow expanded access to customers’ location information, and whether the policy gives the customer too little control. On the other hand, the Uber story came just a day after a report that Google would be increasing the amount of control Android users have over how they share mobile data with apps.

You can decide for yourself what you think about the degree of control companies take or give when it comes to customer data. More important, though, is what you decide about how you’re going to create your own policy around data – based not only on what’s legal, but also on what’s the right thing to do.

Stay informed on policy changes
There seems to be a new story about data policies, privacy and related information in the press just about every day. In the last couple of weeks alone, I’ve run across reports about everything from European regulators investigating Facebook to Google removing “revenge porn” from its search results.

Among these recent stories is one on the Electronic Frontier Foundation (EFF) and its annual “Who Has Your Back” report on technology companies’ disclosure policies. It specifically evaluates policies for responding to data requests from governments. Since the EFF first issued this report in 2011, most of the companies it surveys have evolved their policies around this issue, especially with regard to informing customers about requests for their data.

The EFF story is another reminder that customer data is a hot topic these days, and the laws and practices surrounding how it’s used — and sometimes misused — are in constant flux. Be sure you’re aware of what’s happening, or that someone in your organization is charged with keeping a close watch on this extremely important, but sometimes neglected, area of concern for anyone who runs a customer-focused business.