Privacy is a multi-faceted concept. It’s not one size fits all and is approached differently by governments, businesses, and consumers. However, there are practical privacy standards that can and should be used as a foundation upon which we build our digital world.

Privacy by Design

Privacy by Design is a guiding set of principles developed by Dr. Ann Cavoukian, former Information & Privacy Commissioner of Ontario, Canada, in 1995. This framework later became internationally recognized as the standard for privacy and fair information practices. Cavoukian outlines 7 foundational principles that make up the Privacy by Design concept:

  1. Proactive not Reactive; Preventative not Remedial – Anticipates and prevents privacy-invasive events before they happen
  2. Privacy as the Default – Seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice
  3. Privacy Embedded into Design – Privacy becomes an essential component of the core functionality being delivered
  4. Full Functionality – Positive-Sum, not Zero-Sum – Seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made
  5. End-to-End Security – Lifecycle Protection – Ensures cradle to grave, secure lifecycle management of information, end-to-end
  6. Visibility and Transparency – Assures all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, and subject to independent verification
  7. Respect for User Privacy – Requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options

Today we see many governments and privacy activists refocusing on this framework and attempting to implement its principles into laws and business practices. Perhaps the most popular examples would be Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Opt-In or Opt-Out

Opt-in and opt-out practices are an important part of online privacy and data collection, with the main difference boiling down to consent. Governments typically determine which approach will be used and define any accompanying details. Like most things, there are pros and cons to each approach and regulators often have a difficult time determining the best solution.

Opt-In

In opt-in cases, consumers must be notified of potential data collection and give consent, prior to any collection actual happening. Sounds good, right? Consumers have a right to know when their data is being collected and used and should have the option to say no. However, it’s easier said than done to implement this in an effective way. The most common way we’ve seen this in action is through cookie banners, which have become increasingly present since GDPR. Despite good intentions, many people find these notifications to be annoying and often click through them without fully reading the notice or making any changes to the presented selections. Additionally, giving consent to one site can unknowingly branch into your data being shared with multiple other companies behind the scenes.

Opt-Out

In opt-out cases, consumer data is collected by default and isn’t always clearly communicated. Consumers must actively opt-out if they decide they do not want their data collected. Although, the ability to opt-out isn’t always guaranteed, and when it is, can be buried deep within privacy settings, making it difficult to find. The United States currently functions on an opt-out basis due to the lack of federal legislation. Individual states have begun to implement their own privacy regulations, which incorporate Privacy by Design principles, but still fall short on protecting consumers. For example, the California Consumer Privacy Act (CCPA) requires businesses to notify consumers of data collection, but it is still collected by default. Consent is assumed.

Default Settings

Unfortunately, the default settings many companies assume are not the most privacy-conscious. If higher levels of privacy come at the cost of revenue and goals, many companies choose to prioritize the latter. Particularly egregious businesses take it a step further by making privacy settings difficult for users to find and change. But frankly, most people are unlikely to change their default settings anyway. Studies have proven over and over again that the effort required to change these settings, no matter how minimal, keeps people from doing it. This is why default settings actually play a pivotal role in determining levels of privacy. It’s always a good idea to take a look at the privacy settings of the things you use – from devices to online products and services. Some will offer more customization than others, but it’s better to work with what you have than do nothing at all. We did a series of posts covering how to adjust the privacy settings of popular social media platforms. You’ll find links to those posts below. How to Change Your Privacy Settings on Facebook and InstagramHow to Change Your Privacy Settings on Twitter and YouTube