In a local news interview, I was recently asked to comment on the Facebook-Cambridge Analytica story involving the unauthorized use of Facebook user profile information by Cambridge Analytica for profiling and targeting purposes. The focus of the interview was what consumers can do to better protect themselves. However, there are learning opportunities for businesses too. Here are some quick points to consider for both parties.


  1. Your choices matter most. I beat this drum pretty heavily, but it is true. While technology, the marketplace and even the law will serve to provide you some protections and redress when it comes to privacy and security matters, the biggest impact on protecting your personal information comes from the choices you make with respect to that information. What information you share, with whom (which companies) and under what conditions are all things you can control.
  2. Read the privacy policy. I joke in the interview that no one really reads my work in the privacy policies I write for my business clients. Well, there is a little truth in all jokes. Studies show the numbers on how many people read posted policies before providing their personal data, or even know what a privacy policy is, range from 10% to as many as 50%. Taking five minutes to review how a company collects, uses and shares your information can be enlightening and may make you question your patronage of that company. The terms of the privacy policy wouldn’t have stopped Cambridge from doing what it did with the Facebook data, but you would at least know how Facebook claims to share your information.
  3. Read the terms and conditions. Probably less appetizing than reading a privacy policy is reading the terms and conditions for any online transaction in which you engage. These are important too, but not just for privacy. These terms govern ownership of data, intellectual property rights and authorized and unauthorized uses—by the company and by you. It is all about risk. If you value the data involved in any transaction, or the opportunities it provides, take the time to read the agreement.


  1. It’s a matter of trust. Have a privacy policy. And honor it. Privacy is all about trust. To be sure, Facebook is facing legal and regulatory fallout over this recent issue. However, the biggest impact might come in losing customers and reputational harm. Indeed, many are swearing off Facebook, especially considering this is the latest in a long line of privacy- and security-related issues for the company. Companies that want to earn customer loyalty, and indeed loyalty that might get them through a privacy or security crisis WHEN not IF it happens, will get a grip on their data and back up their privacy promises in their privacy policies and terms of use. Better yet, ask yourself: Can we survive such a breakdown in our customers’ trust?
  2. Audit. Get up in your third parties’ business. Facebook could have verified that Cambridge actually deleted the Facebook profiles. Instead, it took a contractual attestation to the fact and allegedly did nothing more. Relying on an attestation is not always a bad idea, but if you are entrusting third parties to handle your customers’ sensitive data or data in large amounts, use your agreements as an opportunity to ensure that the third party uses the same safeguards as you do (or better ones) and reserve the right to verify. Not only does this prevent bad things from happening, it shows your customers, regulators, and opposing counsel that you take privacy seriously.
  3. Data is your business. I do not care what industry you operate in—you are a data business. Get smart about the data you collect, store, share and destroy. Take the time to classify your data and map your data throughout your organization and with third parties. Write policies and procedures for how your data will be used properly and what is prohibited. Write agreements with your third parties and with your customers that are easy to understand and place a priority on data protection. And get insurance. Even with all the best practices, you WILL have a data incident. It is not IF but WHEN. Plan and invest in protection for not only your customer data, but the survival of your business and its reputation.