Companies today collect a lot of data about their users. People often divulge highly private information, and companies reassure them that what’s done with the data is limited by strict privacy policies that customers agree to when they sign up.
However, these privacy policies offer no real protection to users. Companies can and do change their policies on a whim, without user consent.
What’s the solution? Legislators need to step up to ensure that personal data is protected.
We need to shift from an opt-out approach, which puts the burden on users to protect their private information, to a more orderly opt-in approach that puts user privacy first.
The (lack of) privacy laws today
Facebook’s recent plan to acquire the messaging service WhatsApp is the latest in a string of examples of this attitude.
Furthermore, Facebook could start collecting other information about WhatsApp users and selling it to advertisers or other interested companies.
For people who signed up for WhatsApp under the promise that their data would be closely guarded, there’s nothing they can do to regain control of their information. They can stop using the service, but even then they can’t take back the data they’ve already shared.
The Facebook/WhatsApp deal isn’t the first time these concerns have cropped up. Google’s recent acquisition of the home automation company Nest Labs allowed the Internet giant to gain immediate access to millions of Nest users’ personal information.
A simple solution
Because many companies have shown their reluctance to stick with their own privacy policies, it’s time for legislators to get involved.
Congress should craft a law that requires companies to get users’ permission every time they want to change the way they use customer data. Instead of just requiring companies to post privacy policies, as California now does, the law should require companies to abide by those policies until they get consent from the customer to make a change.
Many companies will immediately protest that such a law would make their operations too complex and difficult to manage. Companies that want to keep old users but institute new privacy policies would have to keep track of which customers fall under which guidelines.
It would indeed be difficult for organizations to manage such a process, especially if they’re changing their privacy policies on a monthly basis, but this is precisely the point of such a law. New rules would encourage companies to think more seriously about how they use customer data from the outset. Instead of changing the policy every time the company has a new idea about how to use customer data, the company would have to think in advance about how it plans to monetize sensitive information and stand by that promise.
Companies would also have to consider whether their plans for the customer data are something users will accept. In the long run, this should lead to more stable privacy policies, and customers could put real faith in the promises that companies make about using their personal information.
Ethan Oberman is CEO of SpiderOak.