Sunday, November 23, 2014

THE PRIVACY POLICY. WHAT'S THAT FOR?

On November 20th, 2014, we held another thought-provoking NetForum event.  This time we bravely tackled the subject of Privacy on the Web.  I wanted to approach the subject from an unusual angle: examining the Privacy Policy.  We see those words on pretty much all web sites and religiously ignore them.  Yet, someone bothers to write these policies.  What is this all about?

Before I share with you some of the learnings of our discussion, I wanted to mention that this morning one of our members sent me an email saying "I did not know that discussing a Privacy Policy could be so interesting."  Indeed, I did not either, but that's the magic of the NetForum events: getting the smartest people around to have an open conversation always takes you to unexpected places.  Speaking of smart people, we were lucky to have guest experts: David Greenberg, a partner at GreenbergTraurig (no relation), who with his partner Margaret Isa Butler was our host, and Professor Joel Reidenberg, Founding Academic Director of Fordham's Center for Law and Information Policy and Microsoft Visiting Professor of Information Technology Policy at Princeton.

Privacy on the Web has been a hot topic for a long time.  As happens every time we pick a topic for the NetForum, it becomes hot (or hotter) news.  Right after we sent the initial NetForum invite for the Privacy Policy event, Facebook announced a change to its Privacy Policy to make it more intelligible (http://www.washingtonpost.com/blogs/the-switch/wp/2014/11/13/facebook-rewrites-its-privacy-policy-so-that-humans-can-understand-it/) -- funny that a change in the Privacy Policy of a web site would make the news.  The Chair of the FTC griped about the lack of transparency in data collection (http://www.cio.com/article/2847414/ftc-chair-wants-clearer-disclosures-to-protect-privacy.html), and PEW researchers discovered that people don't really trust what web sites do with their data (http://www.nbcnews.com/tech/security/pew-privacy-survey-weve-lost-control-over-our-personal-data-n247346).  But the prize goes to Uber, which revealed uber-monopolistic tendencies by having one of its senior executives suggest that it should spy on a journalist critic by looking at the logs of her travels with Uber in order to embarrass her (http://www.telegraph.co.uk/technology/11237836/Uber-scandal-Worried-about-NSA-spying-Its-Silicon-Valley-billionaires-you-need-to-watch.html).  Or does it go to TRUSTe, which gave its seal of approval to over 1000 businesses without conducting an audit (and failed to disclose that it had become a for-profit business years ago) and had to pay a fine to the FTC (without admitting wrongdoing) (http://www.nytimes.com/2014/11/18/technology/ftc-penalizes-truste-a-web-privacy-certification-company.html)?

While the Privacy Policy is that document that no one ever reads, it is the expression of what a web site or app says it can do, and promises not to do, with its users' data.  It is the fundamental deal between a company and the people who use its products.  The web economy runs on an implicit trust that has emerged between the user on his/her device and some pretty pictures floating on a screen saying "trust me."  So, without reading the Privacy Policy, we believe it does not say anything egregious.  We have an expectation that web companies adhere to some elemental standard of decency.  Or perhaps, as PEW's research clearly indicates, we don't trust but click "accept" anyway...

We launched the discussion with the seemingly innocuous question "Why have a Privacy Policy?"  What emerged is that some regulated industries (banking, health care, credit) are subject to Federal and State regulations that clearly delineate what they can and cannot do with user data.  But for everyone else there are no legal requirements to have a Privacy Policy.  California and New Jersey are leaders in data protection and are developing rules but, generally, it's a free-for-all.  One of our members, a former State regulator, opined that the patchwork of rules and non-rules would evolve into a national policy.  One of our members from London observed, upon hearing multiple references to the European model of Privacy regulation, that in the UK you have to register your Privacy Policy and Terms of Use with a governmental body, but that after doing so he checked whether his competitors were doing the same, and they were not, in clear violation of the rules.  One of our members, who runs a VC fund after having run investment activities in a large multinational, attested that the Privacy Policy was never part of the investment due diligence checklist, but that today it really ought to be.

This led one of our members to ask "where do I start in figuring out what my Privacy Policy should be?"  It really is a business decision, not a legal decision.  Having a Privacy Policy is expected by consumers as a good business practice.  One of our members shared that his company ran A/B testing on subscription pages with and without logos of certification bodies (TRUSTe perhaps?) and references to the company's Privacy Policy, and the testing clearly showed that the references to the Policy increased subscription rates on the pages.  But another of our members stated that the Privacy Policy can get you in trouble too, because you might be committing to do vague things that have no clear objective definition and that you do not have the systems in place to monitor and enforce.  (Many thought that there was a business opportunity here...)  Another member stated it does not matter anyway: put a Policy in place, don't do something stupid that clearly violates it, and then pay a fine when slapped -- witness Google's and Facebook's margins, which have never been hurt by all their Privacy violations.  Another member, who was subject to an enforcement action while at a large multinational entertainment company, recounted how that company had to audit thousands of artist web sites and ensure compliance with what the regulator determined the policy should be.  The costs can add up.

One of our members has an app that shares data with Apple's Health App (which is really a new consolidator of health data fed from an ecosystem of apps that communicate with it).  That new App, which I saw appear once I upgraded my iPhone to iOS 8, seems to be a potentially huge business for Apple, and a privacy threat too, and it caused some of our members who had been unaware of it to get quite exercised.  Our member's app's Privacy Policy seemed pre-emptive.  It reserved the right to do a bunch of things, like display ads, including geo-targeted ads, despite the fact that it has no present plans to ever do so.  Our experts agreed that many Privacy Policies are pre-emptive in that way, and that it is the right thing to do.

Web advertising and third-party data brokers obviously seeped into the conversation, it being NYC, the capital of AdTech.  Our AdTech experts were unequivocal: most publishers only sell a fraction of their inventory, and they dispatch user data to third-party data brokers who create aggregated profiles and feed them into exchanges.  Once the publisher pushes the data out to the brokers, it loses control over the data and what happens to it, and the user has no idea where that data went and who is doing what to it.  AdTech experts tell us that the data is anonymized and therefore poses no Privacy risk.  Perhaps.  However, when Target targeted a teenage girl that it had correctly guessed was pregnant with discount coupons for diapers sent to her (and her parents') home, it created a big Privacy issue... (http://lightyears.blogs.cnn.com/2012/04/20/data-its-how-stores-know-youre-pregnant/)  A very intriguing concept was mentioned by a member from the financial services industry.  His company is a large repository of data, among other things, and when it sends data out it gets contractual commitments -- downstream commitments -- with very strict usage restrictions.  No one was aware whether such strict requirements exist in the world of advertising data exchanges.  Probably not, again because the data is anonymized.  But there is a good thought here...

In closing, I must say there were lots of interesting ideas that came up from the intersection of practitioners from various business sectors all looking at one issue that crosses over all their businesses.  Since all our discussions are off-the-record, I merely summarized things as I understood them.  NetForum members can continue the discussion on this blog or join the LinkedIn Group, and since each event's attendees get each other's email addresses, the conversation can continue off-line as well.

Thank you all for attending.

Laurent
laurent@parkviewventures.com
Connect with me on LinkedIn
Follow me on Twitter
Request Access to the NetForum LinkedIn Group


REMEMBER TO SAVE THE DATE OF DECEMBER 18TH FOR THE NEXT NYC NETFORUM ON THE SUBJECT OF VALUATION: "HOW MUCH IS THIS STARTUP WORTH ANYWAY?"

ALSO, THE INAUGURAL NETFORUM LONDON AT BLOOMBERG ON DECEMBER 8TH ON THE SUBJECT OF STRATEGIC VENTURE CAPITAL:  "YOU JUST CLOSED A STRATEGIC VENTURE INVESTMENT, NOW WHAT?"   PLEASE CONTACT ME IF YOU WOULD LIKE TO ATTEND OR HAVE SOMEONE YOU KNOW ATTEND.