Last month I wrote on the relationship of privacy and trust in building and keeping customer relationships. Inherent in both trust and privacy is a level of transparency. At a minimum, a lack of transparency can give us a “bad feeling” about things, but does not necessarily change our behavior. At its worst, a lack of transparency promotes secrecy and efforts to cover up actions that, while not necessarily illegal, may definitely undermine customer trust and threaten your business.
To see both extremes demonstrated, we need look no further than the recent dustup over the smart phone application developed by Carrier IQ, which allegedly secretly collects and transfers your private information by logging your key strokes on your smart phone. Within hours of a technical blog being posted disclosing the application’s existence, newscasters touted this as yet another conspiracy of tech companies to erode consumer privacy. According to Carrier IQ, the application does collect key stroke information on the phone, such as the phone numbers you dial and letters in text messages you type. However, the company states the background application does so solely for the purpose of improving the devices’ performance and does not store or transmit personally identifiable information to any third party, most specifically the cell phone service carriers. By most accounts to date, this appears to be true.
However, this has not stopped an avalanche of reaction by consumers, lawmakers, software companies and cell phone carriers, alike. These reactions range from disgust and cynicism to potentially significant legal and financial threats to the company and its business partners. In a matter of weeks since the original report, we have a sensational news story with legs, class action law suits threatened, software companies denying any involvement with the company (or ceasing such involvement) and legislators moving the Federal Trade Commission to investigate. This borderline hysteria is rooted in a lack of transparency about what a product does and does not do with personally identifiable information.
Personally, I believe this application more or less does what the company says it does. This would not be the first application that compiles metrics without our knowledge, or at least not our informed consent. Others have similarly described this dust up as misinformation. To be clear, I am not claiming to know if any of the accusations are true or not. However, I am saying this could have transpired so differently with a little planning and commitment to sound data privacy practices.
From a product perspective, the application could have been implemented with a more privacy-centric focus. It probably could just as easily collect performance data without having to use personally identifiable information. The companies could also audit the application to ensure no such information, or the minimum necessary, was being used to facilitate the service needed. It is quite possible all this happened in the Carrier IQ matter. Doing so balances a respect for privacy with the valid business purpose of improving product performance—something all consumers want. From a policy perspective, the companies involved could ensure their business agreements clearly stipulate protections against collecting and transferring personally identifiable information. They could also have fully disclosed the practice from the beginning and easily cited to that disclosure whenever potential misinformation or allegations about their product began to arise; doing so can effectively make the event a “non-story.” The ability to cite existing policy provides not only transparency, but also promotes consistency in company messaging—both of which go to credibility and maintaining or re-establishing trust in your brand.
So what does this mean for your business? Well, I think it proves to be yet another cautionary tale, one that is hardly original and is only the latest. As in most things involving privacy, if the basic principles of consumer notice, choice and consent are followed, potentially devastating public relations and compliance nightmares can be avoided. If not avoided all together, at least the resulting harm can be mitigated. Sure, you may still have to endure the media circus; this is more likely than not in the age of 24 hour news outlets. However, if you have an information privacy program and policy, which include building privacy protections into your product during research and development (“Privacy by Design”), you will be better prepared to weather the storm. You will have a solid answer to the pressing questions and put the fires out long before they engulf not only your business, but possibly those businesses with which you partner. Privacy, trust and transparency go hand in hand with good business. Are you prepared?