I recently had the privilege of moderating a privacy panel discussion at an unmanned aerial systems (“UAS”) conference. UAS’s have been in the news lately, so you can imagine the interest and concern for privacy and this rapidly-evolving technology; concerns from both those working in the sector and those outside expressing concerns for their own privacy and security. UAS’s are indeed a “hot topic” and the technology, in many ways, is “bleeding edge.” Even so, the way to manage privacy concerns with unmanned aerial vehicle systems is hardly novel, as our panel reiterated throughout our discussion. In short, addressing privacy in developing, implementing and managing this technology, to include oversight and compliance, begins with a time-tested, universal principled approach to privacy.
Whether your product offering is a newsletter, online retail business, smart phone or yes, even a UAS, properly accounting for the privacy choices of your customer or industry is just plain good business. Furthermore, managing privacy does not need to be an onerous, overly burdensome process either. You simply have to frame privacy in the fair information practice principles. In various forms, these principles are not only the foundation for information management best practices, but they are often included in state, federal and even international regulations. Even easier, you probably have already encountered them in your day-to-day activities as a consumer, whether going to the doctor or buying something online.
At a minimum, if your product or service collects personally identifiable information (“PII”), it should do so with the following principles clearly addressed in writing and in practice.
A. Notice. Individuals are told at the time of PII collection what PII is collected, why it is needed and for what business purposes it will be stored, used, shared or destroyed. Such notice should be clear, conspicuous and written in plain language.
B. Choice/Consent. Individual PII should only be gathered with the individual’s verifiable consent. An individual must agree to the use of their PII prior to such use commencing.
C. Access. To the extent possible, individuals should have the right to review the PII in your company’s possession to ensure such information is accurate.
D. Security. Commercially-reasonable means should always be used (and updated) to protect PII against unauthorized use. This is a minimum standard. You cannot have privacy without security.
E. Limited Use. PII should only be collected, stored, used and shared for a specific, authorized purpose. The individual should have already authorized such use at the Notice/Choice/Consent phase.
F. Minimal Use. Only the minimum amount of PII required to complete the authorized purpose should be used for the authorized purpose.
H. Onward transfer. The onward transfer of PII to third parties should result in no less privacy and security.
Addressing these basic principles in any privacy compliance program puts your business on good footing to deal with not only the state and federal regulatory requirements, but just as importantly with the “law of perception.” Indeed, misperception sometimes can harm a business more than any legal or regulatory action. Building these principles into your products and business practices from the beginning will naturally do several things in preparing to manage public perception, including:
Privacy does not need to be a compliance burden or cost avoidance measure. It can even be a market differentiator for your business. You need only have a principled plan in place.