search cancel

The Five Practices Of The Privacy-Sensitive

The Tor Project, Ghostery, BugMeNot and a thousand other tools and techniques that help users remain anonymous online are spreading like wildfire. These were once the bastion of the hacker elite but now are being adopted by the middle-aged business man, the stay at home parent and everyone in between. This expansion is fueled by growing concerns over a loss of privacy.





People are concerned about losing control over their personal data, and in some cases with good reason. Whether you agree with that statement or not, the one indisputable fact is that it’s the small startups that will suffer the greatest pain from the cultural shift. Humans are instinctual herders so we don’t have a problem handing over personal information to Facebook (everyone’s doing it) but doesn’t enjoy that same benefit.



As a result, startups, especially early-stage startups, need to be privacy-sensitive. The need to not only recognize the apprehension new user’s have to sharing their personal information, but to address it in a way that removes that apprehension. Having a privacy policy is a good start, but most won’t bother to read it. It is important to take it beyond just a written policy.


To follow are five things you should do, and as a bonus, if you do them you will comply with most privacy laws and regulations around the world.


Tell users what you’re doing with their data

This is often referred to as “being transparent.” Tell your users what personal information you are collecting, why you are collecting it, what kind of controls (e.g. edit /delete) they have and how you will protect it. This is the type of information that is usually covered in a privacy policy, but you should strive to make this information more accessible to the user.



Always get users’ permission

This pairs up nicely with the goal to be transparent. Once you’ve told the users what you’re doing with their personal information, then you need to ask their permission to do it. Or in legal terms this would be getting their explicit consent. This could be a simple checkbox or button asking them if they agree to your site’s terms but remember this is only really effective if you execute transparency well.


Give users control of their data

One great way to alleviate user’s fears is to give them as much control over their own data as possible. At the very least you should allow them to edit and update any personal data you have collected from users, but you can take it a step farther and allow them to delete it altogether. This is often referred to as the “right to be forgotten.”



Protect users’ personal data

There are many reasons to protect your data stores properly and privacy concerns are among them. There are too many examples to cite where a data breach has sent the company straight to ruin. Follow information security best practices and minimize your risk of a data breach.

Do as your policies say

This is a lesson you learned in kindergarten: Do as you say. If you have a privacy policy or internal policy you must do as it says. Nothing will make a regulator who is out for blood happier then if they find out you promised something in your policies that you didn’t deliver on.


That’s it. Do these five things and not only will you earn the trust of your users but you will be compliant with privacy laws and regulations worldwide. Of course the devil is in the details and some of these items are difficult to execute properly, but the sooner you start trying the better off you will be in the long run. If you want more information on tackling privacy issues, you will find more detailed guidance in my book Startup Privacy: The Entrepreneur’s Guide to Privacy.


Photo Credits / / /


Author : Jeff Northrop

Jeff Northrop, CISSP, CIPP/US, CIPP/IT is a software developer and IT veteran of over 20 years. He is currently a director at the International Association of Privacy Professionals and author of Startup Privacy: The Entrepreneur's Guide to Privacy.

Share This Post On