
    GDPR and CCPA: A Tale of Compatibility

    The Evolving Usage of Personal Data: A Comparison to Wardrobe Choices

    The relationship between companies and the personal data they collect can be likened to the way individuals curate their wardrobes over time. Initially, you may gravitate towards specific styles or brands based on preferences or trends. However, as your taste evolves, you find yourself purchasing clothing that reflects your changing needs and desires. Similarly, companies start by collecting personal data for a particular purpose but often repurpose that information as their objectives shift. This dynamic raises important questions about the justification of such changes, especially regarding the handling of personal data.

    Navigating Change in Data Usage

    John Williams, Senior Agency Official for Privacy at the U.S. Federal Communications Commission, highlighted the complex terrain faced by privacy professionals within organizations as new product concepts evolve. While innovative ideas can unlock myriad opportunities, they also necessitate a reevaluation of data management practices. At a recent IAPP Privacy. Security. Risk. conference, Williams emphasized the critical need for companies to align their data usage with compliance frameworks like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

    The Importance of Compatibility

    A cornerstone issue in repurposing data lies in compatibility. Williams underscored that any new use of previously collected data must resonate with the original purpose for which it was gathered. If an organization chooses to pivot its data usage, it bears the responsibility of updating its definitions and securing consent from data subjects when required. This brings us to the long-standing purpose limitation principle, which, despite some degree of flexibility, is essential for maintaining ethical data practices.

    Flexibility and Compatibility Clauses

    The good news is that organizations can find some leeway within the limitations set forth. This flexibility is often manifested in compatibility clauses, which can permit data repurposing without requiring consent if the new purpose remains reasonably aligned with the original intention. The conference panel reviewed real-world examples, including enforcement actions from the Federal Trade Commission, GDPR guidelines, and relevant court cases, to shed light on both successful and unsuccessful compatibility efforts.

    Transparency as a Key Component

    Troy Sauro, Senior Privacy Counsel at Google, emphasized the pivotal role of transparency in ensuring compatibility. People are more likely to understand and accept data collection practices when they see a clear connection between their data and the services being offered. For instance, collecting geolocation data through a flashlight app might confuse users if the rationale behind it isn’t apparent or necessary.

    Active Involvement of Privacy Professionals

    To navigate the complexities of data repurposing, privacy professionals must be actively involved in various stages of product development. By participating in the design phase, they can communicate effectively about data uses and devise strategies that future-proof privacy programs. Documentation becomes a powerful tool here, not only reflecting what data is collected but also explaining any proposed changes in its usage.

    The Role of Documentation

    Sauro pointed out that many organizations are aware of the documentation pressures imposed by regulations like the GDPR. However, having organized records allows teams to refer back to their initial data usage claims and evaluate proposed changes critically. This practice aids in maintaining alignment with the established purposes and builds a framework for accountability.

    Cross-Team Monitoring

    Effective documentation requires collaboration across different teams within an organization. Keeping tabs on where representations have been made—whether in privacy policies, marketing materials, or customer service dialogues—ensures that any changes in processes are communicated back to the data privacy team. Sauro advised that a good starting point is the privacy policy itself, but it’s also vital to monitor other channels where user-facing information is presented.

    The Challenge of Monitoring

    Among the three pillars discussed—product involvement, documentation, and monitoring—Sauro deemed monitoring the most challenging. This process can vary significantly from one company to another. Regular check-ins and meetings with the team responsible for purpose representations can pave the way for better management of data practices. Additionally, organizations might benefit from engineered solutions that provide alerts when changes are made or when data usage strays from its original context.

    Communicating Material Changes

    Brett Cohen, a partner in Hogan Lovells’ privacy and cybersecurity group, took the conversation further by addressing the need for clear communication in the face of material changes to data policies. He suggested that organizations should approach such changes with caution, avoiding vague terms like “ensure” in their documentation. Active communication becomes crucial, especially when informing users about shifts in how their information will be used. This transparent dialogue not only aids in maintaining consumer trust but also helps organizations sidestep potential compliance issues with regulatory bodies.

    Engaging Users in the Process

    When material changes occur, informing users upfront is not just a best practice; it’s a necessity. Companies should offer options for users to opt out or cancel their services if they disagree with new data usages. Although these discussions can be uncomfortable, they are essential for cultivating a respectful and transparent relationship with users.

    By examining the parallels between evolving fashion choices and the repurposing of personal data, it becomes clear that companies must navigate this landscape thoughtfully, ensuring compliance and building trust with their users every step of the way.
