RESPECT YOUR DATA

Limit and protect the data you collect and retain.
Protecting your users’ privacy requires you to be thoughtful about the data you collect and hold. By carefully considering the costs and benefits of collecting data and by properly safeguarding the information that you do collect, you may prevent privacy harms and increase consumer trust in your product. 
CAREFULLY HANDLE ANY DATA THAT YOUR USERS MIGHT CONSIDER SENSITIVE.
Mishaps with information like credit card or financial records, passwords, physical or mental health records, and many other types of sensitive data can have major consequences both for users and your company. Taking special steps to protect this information can protect you and your users from harm.
Case Study

Fitbit Deals with Fireworks after Exposing "Sex Stats"

Fitbit, an online service that allows users to track their exercise habits, found itself faced with a different set of fireworks during the 2011 Fourth of July weekend when some users discovered that their sexual activity was being broadcast to the public.

Fitbit, an online service that allows users to track their exercise habits, found itself faced with a different set of fireworks during the 2011 Fourth of July weekend when some users discovered that their sexual activity was being broadcast to the public. The company had made all reported data visible to everyone by default without considering the full scope of “exercise data” that it allowed users to include. Although FitBit “pulled a quickie” by making activity reports private for all new and existing users and even contacting search engines to try to remove results, the damage was already done.

Case Study

Blippy Triggers “Nightmare Scenario” by Accidentally Publishing Credit Card Numbers

In April 2010, Blippy users shared more than they bargained for when a Blippy security flaw turned into a “nightmare scenario” by revealing some users’ credit card numbers in search engine results.

In April 2010, Blippy users shared more than they bargained for when a Blippy security flaw turned into a “nightmare scenario” by revealing some users’ credit card numbers in search engine results. News of the breach traveled like wildfire and the mood at the startup “quickly went from elation to disbelief to disappointment.” Although the company apologized for its mistakes, fixed the problem, hired a Chief Security Officer, and began conducting security audits to prevent future incidents, for many users it was too late. The incident “tainted the service with an aura of mistrust” leading many users to “rush to delete their accounts.”

Case Study

MeetMe Pays Up for Hiding That It’s Collecting Location Info

MeetMe was met with a barrage of bad press and sued by the City of San Francisco over its collection of location information from teenaged users. The City alleged that MeetMe used a “tangled web of ambiguous and misleading statements” to hide that it was keeping and broadcasting location information on its users.

MeetMe was met with a barrage of bad press and sued by the City of San Francisco over its collection of location information from teenaged users. The City alleged that MeetMe used a “tangled web of ambiguous and misleading statements” to hide that it was keeping and broadcasting location information on its users. MeetMe was forced to settle the case, pay hundreds of thousands of dollars to the City, and promise to limit the data it revealed about its users.

IDENTIFY AND COMPLY WITH SPECIFIC LEGAL REQUIREMENTS FOR THE DATA YOU COLLECT.

If your product handles certain types of information, you may be subject to specific federal and state legal requirements. For example:

  • Any service that deals with electronic communications may be subject to the Electronic Communications Privacy Act.
  • Services that are designed for health care providers and related entities may be subject to the Health Insurance Portability and Accountability Act.
  • Video content services may be subject to the Video Privacy Protection Act.
  • Websites and services that knowingly collect personal information from or that are “directed to children” under 13 may be subject to the Children’s Online Privacy Protection Act.
  • Other laws may apply if your service handles financial records, consumer credit information, government records, motor vehicle records, or student education records.
Case Study

Yelp’s Collection of Children’s Info Gets One-Star Review from the FTC

Yelp was investigated by the FTC, fined, and ordered to destroy its records after improperly collecting information from young users.

Yelp was investigated by the FTC, fined, and ordered to destroy its records after improperly collecting information from young users. The company had collected information without parental consent, including name, email, and location, from young users of its mobile app even after those users provided a birthday that showed they were under 13. Along with the fine, the FTC also required Yelp to destroy the information it had collected from those users and to submit a report showing how the company would comply with the law.

“The law is clear: the personal information of children is off limits, and the FTC will continue to investigate companies like Recolor that break or bend the law,” said Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection, 2021.

Share This: