Ensuring data privacy compliance in the age of “accepting all terms”

Written by Matt Davis, CIPM (IAPP) | April 19, 2022
In downloading apps and signing up for websites, the onslaught of privacy policies, terms of service (TOS), cookie consent, and legalese can be... a little much. And as we become less fazed (and more complacent), it raises the question: How many of us actually stop to read the fine print?
 
Apparently, not many.
 
In a 2019 survey, a third of respondents readily admitted to never reading terms of service. An older study from 2017 had more staggering results: Deloitte found that 91% of people agree to terms of service without a glance.
 
Those insights — coupled with the fact that most of us have upward of 80 apps on our phones — shed light on how great a task it is to keep up with new or updated policies.
 
Which means companies, apps, e-commerce sites, or any other entity can change their TOS on a dime, and most of us are none the wiser — because we choose not to be.
 
What implications does this have, specifically, on the private information we give up?
 
In 2021, the social audio app Clubhouse came under scrutiny by the Stanford Internet Observatory (SIO) because of how careless the platform was with private data. SIO worried the company’s negligence posed “immediate security risks to Clubhouse’s millions of users.”
 
And in 2019, “The Wall Street Journal” reported that at least 11 popular apps, totaling tens of millions of downloads, were sharing users' sensitive data. That same year, “The L.A. Times” made headlines for suing IBM for illegally and deceptively mining users’ private data via its Weather Channel app. The app combed users’ personal geolocation data for advertising and other commercial purposes.
 
Digital interactions are a given, but we don’t have to accept data privacy infractions at face value. Until transparency and protocols around user data evolve, companies need a solution that allows insight into the use (and health) of data.

The case for continuous monitoring

 
A 2021 poll by Ipsos found that 70% of Americans feel it’s become harder to control who has access to their personal information. It doesn’t help that data privacy and compliance regulations have changed rapidly over the last few years.
 
Since 2018, organizations have worked hard to navigate the EU’s General Data Protection Regulation (GDPR), as well as the California Consumer Privacy Act (CCPA), which went into effect two years later. China, India, and Canada have also adopted their own data privacy policies.
 
On a global scale, this means digital interactions are becoming increasingly complex. As of 2022, Gartner suggests that the software-as-a-service (SaaS) market, backed by the public cloud, is worth roughly $172 billion. As more companies run on SaaS offerings, a growing need exists to regularly monitor vendor health. This includes TOS policy updates, compliance adherence, litigation cases, and data privacy initiatives.

Below the radar (but not for long)

 
Currently, many data dependencies (including third-party data sharing) fly below the radar. That is, at any given point, information about who your vendors work with isn't necessarily disclosed to you.
 
In other words? Who you share your customer data with — and who those vendors share their data with across apps and integrations — can have significant repercussions.
 
Case in point: In early 2022, the U.S. Department of Justice filed a complaint against WW International (formerly known as “Weight Watchers”) over claims the company marketed its weight-loss app to young children and, in turn, collected their personal information without parental consent.
 
According to the Federal Trade Commission, WW was in violation of the Children's Online Privacy Protection Act. Following the DOJ complaint, WW reached a settlement: The company owed a $1.5 million penalty and had to delete any private information obtained from children, plus remove any algorithms created by using that data.
 
Thankfully, technology exists to empower people to keep tabs on who they’re giving information to.

Transparency for the greater good

 
Until data privacy transparency is a mandate, your organization must have a plan in place to understand how applications and websites gather, use, and share data. As the digital landscape becomes more crowded, understanding regulatory changes helps your company stay proactive.
 
Vendor exploration, policy, and litigation monitoring are not just responsible business practices. They also safeguard your bottom line.
 
The takeaway? We know you don’t read the fine print, so we’re here to do it for you.