Privacy Today: The More Things Change, the More they Stay the Same

I recently had the privilege of moderating a privacy panel discussion at an unmanned aerial systems (“UAS”) conference.  UAS’s have been in the news lately, so you can imagine the interest and concern for privacy and this rapidly-evolving technology; concerns from both those working in the sector and those outside expressing concerns for their own privacy and security.  UAS’s are indeed a “hot topic” and the technology, in many ways, is “bleeding edge.”  Even so, the way to manage privacy concerns with unmanned aerial vehicle systems is hardly novel, as our panel reiterated throughout our discussion.  In short, addressing privacy in developing, implementing and managing this technology, to include oversight and compliance, begins with a time-tested, universal principled approach to privacy.

Whether your product offering is a newsletter, online retail business, smart phone or yes, even a UAS, properly accounting for the privacy choices of your customer or industry is just plain good business.  Furthermore, managing privacy does not need to be an onerous, overly burdensome process either.  You simply have to frame privacy in the fair information practice principles.  In various forms, these principles are not only the foundation for information management best practices, but they are often included in state, federal and even international regulations.  Even easier, you probably have already encountered them in your day-to-day activities as a consumer, whether going to the doctor or buying something online.

At a minimum, if your product or service collects personally identifiable information (“PII”), it should do so with the following principles clearly addressed in writing and in practice.

A.  Notice. Individuals are told at the time of PII collection what PII is collected, why it is needed and for what business purposes it will be stored, used, shared or destroyed.  Such notice should be clear, conspicuous and written in plain language.

B.  Choice/Consent. Individual PII should only be gathered with the individual’s verifiable consent. An individual must agree to the use of their PII prior to such use commencing.

C.  Access. To the extent possible, individuals should have the right to review the PII in your company’s possession to ensure such information is accurate.

D.  Security.  Commercially-reasonable means should always be used (and updated) to protect PII against unauthorized use.  This is a minimum standard.  You cannot have privacy without security.

E.  Limited Use.  PII should only be collected, stored, used and shared for a specific, authorized purpose.  The individual should have already authorized such use at the Notice/Choice/Consent phase.

F.  Minimal Use. Only the minimum amount of PII required to complete the authorized purpose should be used for the authorized purpose.

G.  Enforcement and Redress.  A privacy policy should be enforced, to include responding to customer complaints and investigating issues arising under the policy. One of the best things you can do to head off bigger headaches is promptly respond to customer complaints.  Again, this is just good business.

H. Onward transfer.  The onward transfer of PII to third parties should result in no less privacy and security.

Addressing these basic principles in any privacy compliance program puts your business on good footing to deal with not only the state and federal regulatory requirements, but just as importantly with the “law of perception.” Indeed, misperception sometimes can harm a business more than any legal or regulatory action.  Building these principles into your products and business practices from the beginning will naturally do several things in preparing to manage public perception, including:

1. Lowering or reducing the chance of confusion as to what personally identifiably information is even at issue with your product.  You cannot have a privacy matter or issue unless you have personally identifiable information in play. A principled policy helps you define the discussion;
2. Enabling you to proactively cut off misconceptions about your business or product, and drive a better developed public relations plan and a mechanism to handle inquiries from the press and customers, alike;
3. When you do have an issue (and you will), you will already have a solid policy and plan in place to enable you to quickly and effectively respond to the issue resulting in successful mitigation of any harms, better compliance, lower opportunity costs and a greater likelihood of retaining customers and the good will established with them.

Privacy does not need to be a compliance burden or cost avoidance measure. It can even be a market differentiator for your business.  You need only have a principled plan in place.