Data Brokers and Privacy of User Data

If you have a business that collects data and plans to sell it to third-parties and data brokers, what do you need to do in order to do this legally?

A Privacy Policy is an important and fundamental component of any app or website. In most cases, this is simply a document that discloses if personal information is collected, what information is collected, and how that information is used.

If you collect information with the intent to sell it, you must disclose this in your Privacy Policy.

Here's an example of this type of disclosure from Unroll.me:

Depending on the laws that apply to you and your users, there are other guidelines that must be followed in order to share or sell the personal data you have collected safely and legally.

This article will discuss best practices for data brokers and the selling of personal data to third-parties, as well as highlight what not to do.

Why a Privacy Policy is Important

In 2017, Trusted Media Brands, Inc. (the publisher of popular magazines such as Reader's Digest) settled a federal class action lawsuit for $8,225,000 after allegedly collecting personal information including magazine preferences and selling it to third-parties in a manner that did not comply with Michigan law.

This is a good example of why a having and adequate and proper Privacy Policy in place is important. Otherwise you can face potential fines and penalties.

As a class action lawsuit, this also shows that people really do care about their privacy and personal information. Many people don't like the idea of their personal information being sold, so this can be a particularly tricky situation that should be approached honestly and professionally.

Email services are a popular example of a type of company that collects and sells data to third-parties. Oftentimes, free services collect and sell data in order to create a revenue stream in exchange for what they offer.

By making this arrangement clear within your Privacy Policy, many users will accept and understand it as an alternative to a service charge. However, you will need to do this properly to be compliant with the law and appeal to your users.

If you learn one thing from this article, it should be that inadequate Privacy Policies can be a very expensive mistake.

Your Privacy Policy

The first and perhaps most important aspect when trading in personal data is an easy to read and legally compliant Privacy Policy.

A Privacy Policy should do these main things:

1. Inform your users that you are collecting their personal data
2. Disclose what personal data you are collecting
3. Explain what you do with the data you have collected
4. Disclose if you share or sell that data, and to whom
5. Describe the measures you take to secure the data you have collected

Step 4 is an important section in any Privacy Policy, as people are often concerned about how their data is shared and spread. You should clearly state in your Privacy Policy if you sell or share data, what data you sell or share, and who that data is sold to or shared with.

This gives your users a complete understanding of what happens to the data you collect from them, and gives them the power to decide not to participate.

Consent

While asking users for consent is always a good idea when processing personal data (and often a legal requirement), it is especially vital when sharing or selling personal information from your users.

If approached correctly, gaining consent should be pain-free. Simply explain to your users that you plan to sell data you gather from them while simultaneously quelling any concerns they may have by explaining what data you are selling it, how and to whom, and why you are selling it.

Here's an example of a clause in Slice's Privacy Policy that discloses all of this:

If your methods of sharing user data are reasonable and well explained, most users will have no issue agreeing to them. Also, the easier you make the process of giving consent, the more users will agree and continue on with your services.

Clickwrap

Clickwrap is the common best practice for most websites today, where a pop-up prompts users to read and agree to your Privacy Policy and Terms & Conditions before continuing on to your website.

Here's an example from Whatsapp that requires users to type "Agree and continue" as well as click an "Agree and continue" button before continuing to use the service:

The majority of your users are likely to simply agree and proceed, assuming that your policies are fair and reasonable. But for those who may have concerns about the data you collect and process, a prompt such as this is a quick and convenient way for them to investigate your Privacy Policy and make sure they agree with it before proceeding.

Opt-out

Making it easy for your users to opt-out of data selling practices is a great way to build trust and retain users without causing them any concern.

Most privacy laws require some form of opt-out option in relation to data processing, so be sure you are complying with any regulations regarding the rights of users to opt-out of your data processing or data sharing services.

You may also wish to go above and beyond the legally required opt-out procedures in order to better serve your users.

Depending on the service you provide, selling user data may or may not be a crucial component to your business.

For example, if you own a social media website that primarily profits off of ads, selling user data is probably not a huge concern.

If, however, you offer a free app that profits primarily off of selling user data to a third party, allowing users to opt-out may have an impact on your earnings if too many users opt out.

In either case, you must comply with the applicable laws that may or may not require you to provide an opt-out option in a certain manner. Aside from that, you must decide on the proper balance of customer service and convenience versus your revenue.

If you give all of your users a simple yes or no option for allowing you to share their data when they use your website, most will probably select no unless you have a good reason to convince them otherwise. This could be detrimental to your business.

However, burying the opt-out process somewhere hard to find or requiring a phone call to opt-out of having one's data sold is likely to upset your users and may encourage them to no longer use your services. It also may be in violation of privacy laws.

Finding the proper balance is important, but first and foremost, make sure you are compliant with the laws regarding opt-out procedures for data processing and the selling of personal data.

Best practices

Regardless of the law, let's discuss some best practices for systems that sell user data to a third-party.

While becoming minimally compliant with the laws protecting your user base is important, these best practices will improve the overall quality of your app or website and futureproof you in the event of changing laws or expansion into a new jurisdiction.

Have a thorough Privacy Policy that discloses third-party/data broker selling

Not only is a Privacy Policy required by the privacy laws in almost every country, but it is a foolproof way to be upfront with your users who may be concerned about data collected from them being sold. While many of your users may not bother to read your Privacy Policy, having this information clearly stated there puts the responsibility on them to read your policies if they have any concerns.

Your Privacy Policy should, of course, also comply with any other legal guidelines, such as gaining consent or making your users agree that they have read your policies before using your services.

Use clickwrap to gain consent from your users regarding your Privacy Policies

Even if you are not legally required to obtain consent or agreement from your users, most countries' privacy laws are moving in that direction. It may be a good idea to follow the stricter rules of the leading privacy laws such as the GDPR of the EU in order to futureproof your company when laws change or to be compliant with the laws of the EU should you expand to serve that market.

A clickwrap agreement does not require your users to seek out your Privacy Policy or Terms & Conditions on their own, requiring them to decide to accept or reject your policies before using your services. It presents the agreements at the time when consent is sought.

Here's an example of how Slice gets consent using clickwrap:

This is the best and safest way to ensure your users are giving their consent for their personal data to be collected and sold. Browsewrap methods that require users to find your Terms & Conditions or Privacy Policy page on their own have not held up in court as a sufficient means of gaining consent, as users often do not search out the agreements without being prompted.

Use clickwrap to offer opt-out options of data collection or sale

Best practices for opt-out options are to have a checkbox located in areas where you collect personal data from your users so that they may decide not to share that data or decide not to give you consent to sell it.

An example of this is a registration form where users enter their email addresses. By providing a checkbox that they can use to opt-out of having their email address sold to a third-party or data broker, your users can easily make this decision. You'll also earn their trust by providing such a convenient method of opting-out.

Here's how GameStop lets users opt-in and opt-out in one convenient clickwrap form during account registration:

At a minimum, you should require users to check a box or click an agreement button that states they have read and understand your Privacy Policy, which should fully disclose what information you collect and how you use it (including selling it to third-parties).

The major privacy laws of many countries are cementing guidelines such as these for gaining consent before collecting or processing the personal data of users within their jurisdiction.

Allow your users to opt-out of other processes such as remarketing

While this is not always required by law, it can drastically improve user-experience by giving them more control over what is done with their personal data and who has access to it.

Remarketing is a common use of user data where ads for websites previously visited are shown to users elsewhere on the internet.

For example, if you browse the selection of products at a shoe website, you will then see ads pop-up on other websites for that shoe website.

For some, this phenomenon can be disconcerting as they may be uncomfortable with their habits being monitored or data about them being shared to the third-parties who handle the remarketing. Some users also feel hounded by such ads and dislike the aggressive nature of seeing more ads pop-up for something they may not have actually been interested in purchasing.

By giving your users an easy way to opt-out of processes such as these, you give them more control over their personal data which can earn you trust and make them more comfortable using your app or website.

Here's how Square Enix provides this information and options in its Privacy Policy:

Conclusion

Collecting and using user data requires a developed system that is compliant with laws and mutually beneficial to both you and your users. Selling personal data to third-parties and data brokers can be a sensitive subject that requires extra care to ensure not only compliance with the laws that oversee data selling and sharing, but also to gain the consent and trust of your users

You should be familiar with all of the relevant laws pertaining to these issues as they affect your company and its customers or clients and ensure your Privacy Policy and opt-in/opt-out processes are adequate.

Beyond that, by following the best practices above you can set yourself apart as a trustworthy company that cares about the rights and privacy of its users by making everything easy to understand and convenient opt-into or opt-out of. Following these best practices will also help futureproof you from changes in the law or expansions into territories with different laws.