Data Privacy & Information Governance Get Intimate
The Canadian company We-Vibe recently agreed to pay $5MM Canadian (~$3.75MM US) to settle a claim that they violated customers’ privacy by tracking the very intimate details of customers’ usage of their smartphone-controlled “adult sensual lifestyle products.” You can read Forbes’s coverage of the story here.
While the company assures that no customer data has ever been breached or compromised by third parties, the case illustrates yet again the complexity and ramifications of data collection, aggregation, and analytics in a world that’s constantly flooded with new technology. What is is particularly interesting about this matter is something we’ve discussed previously on this blog: the importance of considering the context of data as it relates to data security, privacy, and information governance best practices. (For some of our earlier discussions about data context, take a look at this post, “Some Things Don’t Need to be Discovered: Protect Sensitive Data in Discovery” and “The AshleyMadison.com Breach: A Teachable Moment for Data Security.”)
“Smart” devices and the Internet of Things have been capturing, tracking, and analyzing customer information for many years now—that’s nothing new. But what’s different about the We-Vibe case is how customers perceived the potential abuses of the type of information the company was tracking—specifically, the frequency of use and various preference settings on their intimate devices.
The context of the information in this case is the problem, even more so than the content of the information. As a comparison, let’s say you use a smartphone app to control your Sonos sound system. . . And let’s say that Sonos collects information from that app on how often you listen to music, what music sources you choose, your bass and treble settings, and your preferred volume level. If Sonos failed to disclose this data collection—and if those data were ever breached—you would have legitimate cause for concern. But I suspect that you would be far less worried about the implications of that privacy breach than the We-Vibe customers were. With respect to the data We-Vibe collected from its customers, the ramifications are obvious—and potentially highly embarrassing.
For individuals and companies alike, context is an important consideration around every aspect of data—creating, collecting, consuming, analyzing, governing, protecting, etc. Good information security practices around anonymization, tokenization, and encryption should take data context into account. Robust information governance policies likewise should reflect the context of the particular types of data handled by the organization. And strong privacy policies, with the ability for customers to establish data preferences, are important—in many instances, required by law—and should be tailored to particular data context sensitivities.
We have enough other things worry about. Let’s all work to keep our personal and private spaces just that—personal and private.