Privacy Outrage: How to Avoid it When You Can and Mitigate it When You Can’t

One of the things our clients routinely ask for is help preparing for privacy incidents that don’t involve security breaches–things that are likely to cause outrage among customers, journalists, activists, or regulators, such as:

• Yes Facebook is using your 2FA phone number to target you with ads

• The Los Angeles Department of Transportation’s Ride Tracking Pilot is Out of Control

• Apple’s privacy reputation is at risk with the changes it announced

• Broken promises: How Singapore lost trust on contact tracing privacy

Truth is, the best way to prepare for these scenarios is to understand how to prevent them by considering public perception throughout the design process. Below, I’m sharing a sample of questions I commonly ask when reviewing a product or feature proposal.

When I led privacy, security, and engineering communications at Uber, my cross-functional partners probably got sick of hearing these questions from me, but over time they learned what I was looking for and often came to the table prepared for a more thoughtful discussion.

Obviously, privacy communications professionals can’t single-handedly control everything in an organization, but I’ve seen this kind of proactive and self-reflective approach prevent embarrassing and costly privacy outrage more times than I can count.

———

Internal Privacy Comms FAQ

What is the purpose of this feature/product? Be as specific as possible.

Does it require collecting new types of data about people that we weren’t collecting before? Doesn’t matter if it legally falls under the category of PII or not, people will still care.

Does it use data we already have in a new way than we’ve used it before e.g. phone numbers collected for 2FA now being used for ad targeting or shifting from aggregated to non-aggregated?

What is the customer benefit? If there’s no meaningful customer benefit, the risk of outrage increases proportionally with the degree of potential harm to the customer, e.g. collecting personal data only for the benefit of your business without providing meaningful value from the customer’s perspective.

Are any third parties involved and why did we choose them? If yes, check out the security and privacy reputation of each third party and prepare to explain why you believe they’re trustworthy. If you run into red flags, share your concerns with internal teams and consider alternative partners. You will be judged by who you choose to do business with.

Has our information security team reviewed this feature/product for potential risks and vulnerabilities? If yes, find out if and where the security team expects potential issues to occur as well as any mitigation measures taken to reduce the risk to customers, e.g. adding 2FA by default on a new digital wallet product. 

What industry standards, research, or best practices justify our security assessment e.g. tokenizing payment information instead of storing in plain text? 

Have we done a data privacy impact assessment (DPIA) on this feature/product? If yes, ask for a copy to determine potential risk factors identified by legal, e.g. use of PII, as well as potential justifications/trade offs, e.g. encrypting data to reduce potential risk for customers.   

• Boss Mode: Work with your legal colleagues during the DPIA process to ensure the language in those documents is clear and precise for a non-legal audience. You may want/need to make a DPIA public someday, so it should be understandable to non-legal stakeholders. If you’re ever nervous about a DPIA becoming public, that’s a reputation liability and you need to make the business aware of that risk.

What are the default security/privacy settings for this feature/product? Why did we choose them, i.e. what threat models are we considering?

Are there relevant settings/controls that users can choose to exercise different privacy preferences than our defaults? 

Have we explored other design/business alternatives? If yes, why weren’t they chosen? If not, how will you justify not considering other options? 

What privacy commitments have we made publicly in our policies, media interviews, presentations, or contracts? How does this product/feature honor those promises?