
The Difference Between Privacy Talkers and Privacy Doers

by Lior Barak, November 18th, 2020

Too Long; Didn't Read

Lior Barak: Apple's privacy settings will block attribution of users without consent. He says companies need to start playing the privacy game and processing user data in-house. Building a first-party tracker for your product can help you track users without paying a third party to store and process user data for you. He suggests you create three data layers: raw data layer, data lake, S3 bucket... call it whatever you want, but only data engineers and specific individuals will have access to it.


I introduce the concept of storing and processing data focussing primarily on user privacy in my book, “Data is Like a Plate of Hummus”. I know many of you have read it – perhaps you're even thinking about it now ahead of the upcoming changes to Apple’s privacy settings which will block the attribution of users without consent.

The reality – unfortunately – is that most of us are still in the discussion phase, rapidly losing valuable time. In fact, I don't think many of us really understand enough about user privacy, instead hoping that a third party will solve the problem for us. There, I said it.

Sigh. Why oh why did Apple make this change to begin with? Whose interest do they have in mind? The user? You, the client? Or themselves and their profits?

Companies need to start playing the privacy game. I'm not just talking about saying “we're GDPR/CCPA/LGPD compliant” – no, I mean processing user data in-house, sending only what you MUST share to third parties and keeping as much user data to yourself as you possibly can. It doesn’t matter if you're an e-commerce company, a dating app or even a health app: if you haven't developed a first-party tracking tool by now, in the long run you'll find yourself without data, without users and without a functioning business.

How many of you are scratching your heads right now saying "but we have lawyers and DPOs that said we were doing fine!"? How many of you didn’t even think to consult someone (even though your competition has made all the right inquiries)? How many of you had a vendor tell you "this is industry-wide practice!"?

I hope you've heard about the “privacy by design” methodology at least. You can read its seven key principles here. Let's focus on the seventh point (the one I believe is the most important): “respect for user privacy”. This is where you treat user privacy as the most important part of the product design process. I completely agree with this principle, even though I know many have criticized it for being too strict.

Let me give you my three tips for how you can safeguard your users' privacy and still enjoy a great flow of data – practices that I apply in each company I work with!

Build a first-party tracker for your product (App/Web…)

There are a variety of tools out there that help you track users without paying a third party to store and process user data for you. Instead, you actually own the tracker and store data on your own server. Snowplow is such a tool, but there are others on the market that can also enable your business to advance and allow you to take back control over user data without sacrificing your tracking abilities. Another advantage to this solution is that you will only need the user's consent for the data that you forward, so there will be less need for onboarding screens.

Create three data layers

Collect it, store it and allow access only to the teams or individuals that need access. Yikes! We're all aware of this best practice, so why are we still not abiding by it? Sometimes it's down to a lack of engineers and other times it's the result of a lack of knowledge. It’s super important to have as much data on your server as possible so you can analyze the user and better understand them. In that respect, I suggest you create the following three data layers:

The first layer is the raw data layer (data lake, S3 bucket... call it whatever you want), and only data engineers and specific individuals will have access to it. You will need to write everything from your APIs, tracking information and basically any user information you collect into this layer.

Create the second layer using an automatic ETL process that takes only the data you really need. You should ensure that any personal data is hashed: country, city, user ID and any other types of identifiable data. In this way, the data on the second layer is for analysis purposes only and contains just pseudonymized data. This assures the user that nobody can access their private data.

Now for the third layer. This is where you keep the sharable dashboards and reports that are already accessible throughout the company. But remember, this is precisely why you need to ensure that the data is anonymized and aggregated!
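The three layers above as a small worked pipeline. This is an added example and not code from the article or from any product it mentions: the sample records, field names and pepper are constructed. One choice goes beyond the text: the identifiers are hashed with a keyed HMAC rather than a plain hash, because a plain SHA-256 of a low-entropy value such as a city name or a short user ID can be reversed with a dictionary; only the ETL job holds the pepper. The third layer also suppresses any aggregate built from fewer than a minimum number of distinct users, which is what makes "aggregated" actually anonymous on a company-wide dashboard.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample of layer 1 (raw): everything the tracker and APIs collect,
# direct identifiers included. Only data engineers and named individuals see it.
RAW_EVENTS = [
    {"user_id": "u-1001", "email": "ann@example.com", "ip": "203.0.113.7",
     "country": "DE", "city": "Berlin", "event": "purchase", "amount": 19.90},
    {"user_id": "u-1002", "email": "bob@example.com", "ip": "203.0.113.8",
     "country": "DE", "city": "Berlin", "event": "purchase", "amount": 5.00},
    {"user_id": "u-1003", "email": "cat@example.com", "ip": "203.0.113.9",
     "country": "DE", "city": "Munich", "event": "view", "amount": 0.0},
    {"user_id": "u-1001", "email": "ann@example.com", "ip": "203.0.113.7",
     "country": "DE", "city": "Berlin", "event": "view", "amount": 0.0},
    {"user_id": "u-2001", "email": "dan@example.com", "ip": "198.51.100.2",
     "country": "FR", "city": "Paris", "event": "purchase", "amount": 42.00},
]

# Fields analysts actually need. Email and IP are absent, so the ETL never
# copies them out of the raw layer at all.
ANALYSIS_FIELDS = ("user_id", "country", "city", "event", "amount")
PSEUDONYMIZED_FIELDS = ("user_id", "country", "city")


def pseudonymize(value: str, pepper: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.

    Same input + same pepper -> same token, so analysts can still count
    distinct users and join on them, but without the pepper the token cannot
    be brute-forced back to a city name or user ID.
    """
    return hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()


def build_pseudonymized_layer(raw_events, pepper: bytes):
    """Layer 2: automatic ETL keeping only needed fields, identifiers hashed."""
    out = []
    for rec in raw_events:
        row = {k: rec[k] for k in ANALYSIS_FIELDS}
        for k in PSEUDONYMIZED_FIELDS:
            row[k] = pseudonymize(row[k], pepper)
        out.append(row)
    return out


def build_report_layer(layer2, min_group: int = 3):
    """Layer 3: aggregated figures that are safe to share company-wide.

    Rows are grouped by the (hashed) country; any group with fewer than
    min_group distinct users is suppressed so that no report line can be
    traced back to a single person.
    """
    groups = defaultdict(lambda: {"users": set(), "purchases": 0, "revenue": 0.0})
    for row in layer2:
        g = groups[row["country"]]
        g["users"].add(row["user_id"])
        if row["event"] == "purchase":
            g["purchases"] += 1
            g["revenue"] += row["amount"]
    report = []
    for country, g in groups.items():
        if len(g["users"]) < min_group:
            continue  # too small to be anonymous: leave it out of the dashboard
        report.append({"country": country,
                       "distinct_users": len(g["users"]),
                       "purchases": g["purchases"],
                       "revenue": round(g["revenue"], 2)})
    return report


if __name__ == "__main__":
    pepper = b"constructed-secret-pepper-held-only-by-the-etl-job"
    layer2 = build_pseudonymized_layer(RAW_EVENTS, pepper)
    for line in build_report_layer(layer2, min_group=3):
        print(line)
```

Because the article hashes country as well, the report key is the country's token; the team that owns the pepper can map tokens back to labels for the dashboard, or you can decide that country stays in the clear at layer 2 while user ID and city are hashed. Either way the group-size threshold is what stops a one-person "country" from appearing as a line on a shared report.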

It's not that complicated when you think about it, but truthfully, how many of you do it?

Share only what you need

How many of you have more than one SDK in your apps or more than one tracking tool on your site? How many services do you share your user information with? Not only is allowing third parties to collect your user data foolish – a mistake that can be used against you at a later stage – but it’s also completely mindless to slow your site down each time a user performs an action.

So what should you do? Well, the best solution is to fire as many events as possible from your server to the third party's server, but you need to make sure the identifiers in those events are hashed so that a breach on their side cannot expose your users. In other words, you should only fire a user's events with the right consent, and this is how you do it:

Firstly, you need to explain to your user how you process their data. You should tell them what information you share with third parties and you have to be crystal clear about it – no legal games that leave your user asking “Huh?!”. You need to come clean about what you send and how – in fact, the more you tell your user, the better. If they don't opt in, maybe there's a reason for it. It might even encourage you to rethink the way you approach the whole concept of privacy.
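Server-side forwarding gated on consent, as an added example that is not code from the article or from any vendor it names. The vendor table, consent records, events and pepper are all constructed. The design point it shows is that one configuration table drives both the plain-language disclosure shown to the user and the actual forwarding logic, so what you tell the user and what you send cannot drift apart; absence of a consent record is treated as "no" (opt-in, never opt-out), each vendor receives only the fields listed for it, and the user is identified to the vendor by a keyed-hash token rather than the real account ID.

```python
import hmac
import hashlib

# Constructed vendor configuration: which fields each third party receives and
# under which consent purpose. This single table drives both the user-facing
# disclosure and the server-side forwarding.
VENDORS = {
    "analytics-vendor": {"purpose": "analytics", "fields": ("event", "ts")},
    "ads-vendor": {"purpose": "marketing", "fields": ("event", "ts", "amount")},
}

# Constructed consent records, as stored by the app when the user answered
# the consent screen. u-1003 never answered, so there is no record at all.
CONSENTS = {
    "u-1001": {"analytics": True, "marketing": False},
    "u-1002": {"analytics": True, "marketing": True},
}

# Constructed events as they sit on your own server (first-party tracker).
EVENTS = [
    {"user_id": "u-1001", "email": "ann@example.com", "event": "purchase",
     "ts": 1605700000, "amount": 19.9},
    {"user_id": "u-1002", "email": "bob@example.com", "event": "purchase",
     "ts": 1605700100, "amount": 5.0},
    {"user_id": "u-1003", "email": "cat@example.com", "event": "view",
     "ts": 1605700200, "amount": 0.0},
]


def pseudonymous_id(user_id: str, pepper: bytes) -> str:
    """Keyed hash so the vendor gets a stable token, never the real account ID."""
    return hmac.new(pepper, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def disclosure_text(vendors=VENDORS):
    """Plain-language list of what goes where, generated from the same table
    the forwarding code uses, so the disclosure is always accurate."""
    lines = []
    for name, cfg in vendors.items():
        lines.append(
            f"If you allow '{cfg['purpose']}', we send {', '.join(cfg['fields'])} "
            f"and a pseudonymous ID to {name}. Nothing else is sent."
        )
    return lines


def has_consent(consents, user_id: str, purpose: str) -> bool:
    """Missing record or missing purpose means no consent (opt-in model)."""
    return consents.get(user_id, {}).get(purpose, False) is True


def plan_forwarding(events, consents, pepper: bytes, vendors=VENDORS):
    """Decide server-side which minimal payloads go to which vendor.

    Returns (outbound, dropped): outbound is a list of (vendor, payload)
    ready to be sent; dropped records why an event was withheld, which is
    the audit trail you want when someone asks what was shared and why.
    """
    outbound, dropped = [], []
    for ev in events:
        for name, cfg in vendors.items():
            if not has_consent(consents, ev["user_id"], cfg["purpose"]):
                dropped.append((ev["user_id"], name, "no consent for " + cfg["purpose"]))
                continue
            # Allow-list the fields: anything not named for this vendor
            # (email, the raw user_id) never leaves the server.
            payload = {k: ev[k] for k in cfg["fields"]}
            payload["uid"] = pseudonymous_id(ev["user_id"], pepper)
            outbound.append((name, payload))
    return outbound, dropped


if __name__ == "__main__":
    for line in disclosure_text():
        print(line)
    out, drop = plan_forwarding(EVENTS, CONSENTS, b"constructed-pepper")
    for vendor, payload in out:
        print("send", vendor, payload)
    for reason in drop:
        print("withheld", reason)
```

In production the `outbound` list feeds whatever HTTP client you use to call the vendor, and `dropped` goes to a log; the point is that the decision is taken on your server, against consent you recorded yourself, before anything leaves.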

Whilst we're doing a lot of things right, we are still way too obsessed with our business strategy and goals – we're so distracted that we forget to think about the user we serve! We need to start thinking about our user's privacy first and foremost and considering what they would say if we do X or Y. How would they feel about our decisions?

At the end of the day, you are offering a service and you need to be able to track and trace your users so that you can adapt your service to them. If you can't do that, well, you'll soon find yourself in big trouble. How will you know what features your user likes and which ones they don't? How will you know what drives your profits and where you should direct your marketing efforts to attract more customers?