Contributed by Reuel Baptista

27 November, 2017

Playing by others’ rules – compulsory data collection and consumer privacy

Data is essential for any company that wants to thrive in the digital economy. Data about customers is particularly valuable because it enables companies to tailor products and services to their customers. Ideally, a consumer should be able to opt out of data collection when using a product or service, thereby protecting their privacy by exercising their autonomy and choosing how they share their personal information. Additionally, the consumer’s ability to use a product or service should not be affected by their decision to opt in or out of data collection. However, the thirst for data, particularly in the technology sector, has seen more companies require their customers to acquiesce to data collection when using their products or services.

A good example of this trend is seen in the mandatory collection of telemetry data by Windows 10. Initially, the operating system required the user to choose between the ‘basic’, ‘express’ or ‘full’ level of telemetry data collection. Critics noted that users could not opt out of telemetry collection and were not clearly told what data was being collected and how it was being used by Microsoft [1]. After the Windows 10 Creators’ Update was released in April 2017, users can now choose between ‘basic’ or ‘full’ telemetry data collection. Microsoft also released information about the data that is collected under the ‘basic’ and ‘full’ setting and how it is used [2]. These changes allow users to make a more informed decision around the level of telemetry data collection they are willing to accept. However, users still cannot opt out of data collection, which continues to concern industry commentators and privacy organisations [3].

The Sonos privacy policy update in August 2017 is another example of the expansion of mandatory data collection. Sonos required new and existing customers to accept the updated privacy policy, which allowed Sonos to collect and use a wider range of data about customers and their devices. If an existing customer did not accept the updated privacy policy, their device would not be able to download software updates and may eventually ‘cease to function’ [4].

Consumers are presented with a stark choice – they must play by the company’s rules and sacrifice some of their privacy or avoid using the product or service. By not giving consumers the ability to opt out of all data collection, Microsoft, Sonos and other companies that use similar practices are hampering consumers’ privacy by limiting their ability to manage the collection and use of their personal information. This choice is further eroded when a company corners the market for a certain product or service, such as Windows’ dominance in the personal computing market.

The rapid adoption of Internet of Things (IoT) devices by consumers will amplify these privacy concerns. IoT devices rely on constant data collection and transmission in order to function properly. One IoT device manufacturer estimated that the 10,000 households with its home automation system collectively generate 150 million data points every day [5]. These massive datasets enable companies to gain unique insights and make accurate predictions about their customers’ behaviour. Developments such as IoT make the protection of consumer privacy even more essential.

Sometimes, collecting data about consumers can be necessary. For example, in their privacy policies, Microsoft and Sonos state that they use data collected from consumers to improve their products and services. At the same time, the sheer amount and range of data that can be collected and processed about an individual means there needs to be a balance between respecting consumer privacy and providing companies with the data they need to innovate and understand consumer demand.

A good starting point is privacy policies, which generally set out the types of data collected, measures taken to anonymise collected data and how collected data is used to target advertising. However, this information is usually buried in dense text that consumers tend to accept with little consideration. Summarising these details at the beginning of a privacy policy will help consumers to quickly understand what data is being collected and enable them to make informed decisions about the level of data collection that they are willing to accept.

Another approach involves requiring companies to allow consumers to opt in or out of data collection without limiting their use of a product or service. This may be contentious because it prioritises the protection of consumer privacy over a company’s licence to determine the terms of use for its products and services. Furthermore, some devices (e.g. fitness trackers) need to gather data from the user in order to operate properly. However, the spread of IoT devices and companies’ demand for data indicates that an expanding array of technology will continue to gather more data from consumers. When combined with greater centralisation in the technology sector this measure, perhaps in a more nuanced form, may be an important step in protecting consumers’ right to privacy.

The rapidly evolving nature of technology means that the balance between privacy and innovation will need to be adjusted regularly. It is up to consumers and regulators to ensure that companies in the technology sector continue to prioritise consumers’ right to privacy over the commercial value of turning people’s lives into countless data points.

References:

[1] Fahmida Rashid “How Windows 10 data collection trades privacy for security”, 2 December 2016, www.infoworld.com.

[2] Microsoft “Windows 10 diagnostic data for the Full telemetry level”, 17 October 2017, docs.microsoft.com. See also, Microsoft “Windows 10, version 1709 basic level Windows diagnostic events and fields”, 17 October 2017, docs.microsoft.com.

[3] See for example the Dutch Data Protection Agency’s comments (https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/public_version_dutch_dpa_informal_translation_summary_of_investigation_report.pdf) on telemetry data collection in the Windows 10 Creators’ Update and Microsoft’s response (https://ncmedia.azureedge.net/ncmedia/2017/10/Dutch-DPA-Windows-10-Home_Pro_Investigation_Mi.pdf).

[4] Zack Whittaker ‘Sonos says users must accept new privacy policy or devices may “cease to function”’, 21 August 2017, www.zdnet.com.

[5] Federal Trade Commission “Internet of Things: Privacy and Security in a Connected World”, January 2015, www.ftc.gov at p. 14.