When circumstances change, update your advice (location-based data edition)
tl;dr Part of your job as product counsel is to monitor changing perceptions of privacy practices. When those perceptions have changed, you should re-do your legal analysis to ensure it’s still valid.
Up until December 10, 2018, people weren’t particularly concerned about smartphone apps tracking their location. Then that all changed. The New York Times published a fantastic and chilling story about location tracking:
[T]hose with access to the raw data — including employees or clients — could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.
This story turned out to just be the beginning. Last week, The Los Angeles city attorney sued IBM over its Weather Channel App. Another blockbuster story came out about mobile carriers selling location data. The mobile carriers announced they would stop selling the data. The world, and the attendant legal risks, have changed.
When this happens, we lawyers don’t always update our advice accordingly. Sometimes we’re lazy (or, to say it in fancy terms, it’s the result of the asymmetric allocation of cognitive resources). And sometimes we don’t think the legal risks have really changed. To take just one example, the Wall Street Journal reported on Gmail extensions scanning users’ inboxes . . . and nothing happened. Well, that’s not exactly correct. A few of the companies mentioned in the article changed their practices, but no lawsuits were filed and, as far as we know, the FTC didn’t open an investigation.
Fair enough. But what should a product counsel do?
Here’s one rule: If your name shows up in a Times article about a questionable privacy practice, then change it. Change . . . it. Or, if you can’t change it immediately, tell people you’re going to change it. (But first, remind everyone that “protecting our customers’ privacy and security is a top priority”—when did that become mandatory comms language?).
Here’s another, more useful rule: If you’re lucky enough to not be named in a Times article about a questionable privacy practice, but you’re doing the same thing, then redo your legal analysis. It might turn out that you decide not to change anything. That’s fine. But, at the very least, you’ll probably develop a game plan if it looks like the article is going to change the way people view the practice. As far as location data is concerned, that is certainly true now.