Data Privacy Misleader Board seeks to influence change through shaming


Osano, a champion for data privacy transparency and the B Corporation behind Privacy Monitor, recently published the first Data Privacy Misleader Board, revealing eight websites with privacy issues that should be flagged for users.

As part of the process that informs the Privacy Monitor service, Osano’s team of licensed attorneys has been dissecting the terms and conditions at some of the world’s most popular websites. The rigorous policy review process and resulting reputation scores given to each site are based on more than 150 criteria as well as how the company gathers and utilizes users’ data, where and with whom they share it, how it’s stored and whether they comply with regulations. In a monthly Misleader Board, Osano will share some of the most notable offenses and the companies behind them.

Information Management spoke with Arlo Gilbert, chief executive officer and founder of Osano, about the motivation for the Misleader Board, and what organizations can learn from those that have been named to the initial round.

Information Management: Privacy Monitor recently released its first Data Privacy Misleader Board. What exactly is that?

Arlo Gilbert: Osano is building a unique data set of data privacy practices and relationships between vendors. As our team of attorneys research the privacy practices, we generate scores that rank the practices of companies as it relates to data collection and management.

For Privacy Monitor, we expose the scores to consumers through a variety of browser plugins and mobile apps. As our attorneys were doing their research, however, they kept filling our Slack chat with comments like "Can you believe that?" and "Wow this is terrible!"

It occurred to us that end users would benefit from seeing some of these terrible practices and so we decided to curate the most entertaining and awful practices that they find each month into the monthly misleader board.

IM: What does the board track?

Gilbert: The board tracks the eight most entertaining and awful data privacy practices that our attorneys found during the prior month.

IM: Who were some of the organizations/websites that grabbed your greatest attention, and why so?

Gilbert: Capital One blew my mind. Their policy essentially states that if you interact with them in any way on any social media platform, that you are agreeing to their privacy policy.

I completely understand why their attorneys put that in place, they want to be able to offer support on social media, but the problem is that just because they *say* they have your consent, doesn't really mean that an end user was even provided an opportunity to see the privacy policy.

So for example, their policy covers a tweet. If you tweet @CapitalOne commenting on an advertisement they ran on TV, congrats, Capital One now thinks you've consented to their privacy policy.

Snapchat stood out for us as well due to the schizophrenic nature of the policy.

"We get your consent. We don't need your consent. We might ask for your consent." is essentially what their privacy policy says when it comes to getting your location and contacts. That's just awful and either they made a mistake or they are just playing games so that if they have a privacy lawsuit they can stand in front of a judge and say they had permission. It's just silliness and a great example of why people are losing faith in technology companies.

IM: What are the greatest type of offenses that get an organization or website named to your board?

Gilbert: Sneaky stuff is what we primarily focus on. Did they hide something in the fine print that is outside of what an average person would expect?

IM: With regard to the majority of organizations that make it to your board results, are they acting maliciously or deceivingly with regard to data privacy and security practices, or is it more a case of carelessness?

Gilbert: These companies are for the most part trying to balance competing interests. Their attorneys write these policies for the purpose of protecting their client, not for the purpose of creating fair and balanced privacy practices with clear language for the average reader.

Sometimes the policies are malicious and intentionally awful. We found one policy that claimed that you owe them $250 per site visit if you haven't agreed to their terms. Others we find pretty regularly just show a complete lack of understanding the basics of how to inform consumers. So overall it's a pretty good mix of intentional deception and over-lawyering.

IM: What was the motivation for starting the Misleader Board?

Gilbert: Privacy is not a sexy topic. Data sharing is generally a pretty dry subject. Since the privacy monitor tools are focused on helping the average Internet user from ages 13 to 100, we are always looking for ways to make a dry subject interesting and highlight why a tool like ours needs to exist.

IM: What gets an organization or website a favorable (or less-unfavorable) ranking in your view versus an unfavorable one?

Gilbert: The very best sites make it really easy to read by a 12th grader; they make it easy to delete your data; they don't share data with anybody unless they really truly explicitly got your consent; and they assemble cross-functional teams of marketing/legal/product/engineer to ensure that what is said in the privacy policy really matches up with their actions on the product side.

IM: What do you hope will be the long-term impact of the Misleader Board results?

Gilbert: We hope that the companies who get called out take this as an opportunity to revisit and improve their privacy practices. Of course, it's entirely possible that somebody will beat their chest and take us to court, but the truth is an absolute defense, and conveniently we have dozens of attorneys on staff.
