The speed at which new technologies have become embedded into our daily lives is amazing. Within the past five years, I’ve gone from defaulting to my laptop to my phone, and now within my phone my entry point to information is through apps.
What many of us don’t fully realise is that apps, just like websites, collect data on our behaviour. Apps can collect location data about where we are, as well as what apps we use and how we use them.
This is valuable information to apps, as it not only helps them understand and improve how they are being used, but also because digital marketing’s fastest growth segment is app based.
While all of this is happening, laws such as the EC’s Data Protection Framework and the ePrivacy Directive – what some call the ‘cookie law’ – are struggling to be relevant, and naturally so.
They were passed in a different age, when we used desktops or laptops and smart phones were a futuristic notion. Legislation, though, is trying to catch up.
In the EU, the Data Protection Framework, after a long process, will soon be overhauled into a pan-European Regulation, having the effect of a unified data protection law that will help to create a single EU digital economy.
The aspiration is that such a pan-European law will lessen compliance burdens on companies and allow the cross-border flow of data to be frictionless, thus creating the foundation in the EU for companies to develop new technologies and industries.
By creating a condition for innovation, there can be greater prosperity: more jobs, money, and tax revenue.
That’s the theory at least. But it’s all predicated on one simple notion: that new technologies and their uses, in order to pass regulatory muster, must not ignore well established privacy principles such as a right to notice, consent, access to data, and the ability to withdraw consent, to name a few. And this is where it gets tricky.
Well-established privacy principles, because they were created in a different era, are difficult to implement technologically in a fast-changing digital age.
Although the principles are timeless, there is not often a tool that enables companies to comply with them, thus the notion of notice and consent within the context of an ever-changing digital environment becomes a central pillar.
A stand-alone law in the EU, the ePrivacy Directive, provides a great roadmap for us to follow. This law, also long in the tooth, was flexibly written to be technologically neutral and therefore can be extended into apps and even beyond.
While its original purpose was to require websites to give notice and obtain consent where tracking technologies are deployed, regulators have been quietly giving guidance that the law applies equally to apps.
Thus, any sort of data collection in an app triggers the notice and consent requirements of the ePrivacy Directive. It’s only a matter of time before one of the EU regulators steps up and enforces the law against apps.
The magic of the notion of notice and consent, seemingly self-evident, is that it creates trust, and not in an amorphous way.
Consumers have been quite clear that the more transparent an organisation is about its digital practices and the more control it gives to the individual, the higher the level of consumer trust.
And where there is trust, a company has a solid foundation with its customers and will be able to extend new services and products, and it will sell more.
It’s important that companies, apps included, get the notion of notice and consent right because shortly the digital landscape will go through yet more change, change that is difficult to imagine from where we sit.
I have spoken widely that we are on the threshold of the post-internet age, where we are about to morph from a world of 2bn smart phones to 50bn connected devices as part of the Internet of Things, all of which will be collecting data for some reason or another.
We will see yet another round of laws struggling to keep up and needing to be updated, but what the before and after will have in common is the notion of transparency or notice and consent. Its not fully clear how notice and consent will be delivered in the world of tomorrow.
What is clear is that, as well-established privacy principles, they will still be relevant and still be required.