The lack of comprehensive federal privacy legislation leaves not only consumers vulnerable, but also companies frustrated. Many consumers lack information about the many ways their personal data is used, what parties use it, and the ways it could be potentially misused; meanwhile, companies seeking guidance to protect this data and be adequately transparent with their customers are left navigating a patchwork of privacy rules without a clear direction.
At present, companies must rely on various privacy regulations that target only specific industries and types of data (e.g., HIPAA, FERPA), and many must wade through a number of constantly evolving state laws. Moreover, global companies must keep international privacy regulations in mind.
This patchwork of rules and lack of broad legislation such as a federal data breach protection law are a problem, said Sarah Holland, senior analyst of public policy and government relations at Google. And she is not just talking about companies like Google, a global company that has to navigate local, state, federal and global privacy laws as it builds products and services. Rather, she is referring to the risks facing the technology industry as a whole, and to the startup economy in particular.
“If you were only three people, and you were trying to get your company off the ground, how do you deal with that patchwork? How do you understand that and how are you incentivized to comply?” Holland said at a recent privacy forum hosted by the Massachusetts Attorney General’s Office at MIT.
Holland believes that Google is able to manage and keep up with constantly changing privacy regulations because it has created a strong culture of privacy and security across the company. This culture extends to the relationship Google has with its partners and encompasses the entire lifecycle of its products.
“You can have that [culture] before a product has been launched, and then [something like] the right to be forgotten comes down after a product has been launched, and you have to deal with that. We have colleagues around the world that help us deal with that,” she said.
That culture of privacy, Holland added, does not just incentivize compliance, but also earns their users’ trust by putting them in control of their data. She advised following Google’s four-pronged approach to building this type of culture:
– Bake security in from the beginning of a product’s development, and also throughout its lifecycle.
– Strive to be upfront and fair about how the company uses customers’ data, and use clear language when informing customers of the ways their data could be used.
– Give users control of their data. Google’s users can manage their data on myaccount.google.com, which functions as a one-stop-shop for them to control and secure their data. “It helps you do everything from managing your advertising settings to opting out of interspace marketing. You can also control your watch history and your location data,” Holland said.
– Demonstrate to users why it’s valuable for them to allow you to use their data. At Google, Holland believes that “our users trust us with their data … and in turn, we use that to power products and services that benefit them.” These services include ones that will likely sound familiar, such as turn-by-turn directions, instant translation applications, and the ability to find flight information on Google Now. But they also include other initiatives that are more under-the-radar, such as Project Sunroof, which analyzes satellite data to encourage solar-powered energy use.