It’s nothing new: in the past years, huge amounts of data have been collected, used and shared by companies all over the world. This raised many concerns about individuals’ control over their own personal data and, ultimately, put privacy ethics in peril. As a result, some much-needed privacy regulations have been introduced to oversee the use of this data.
👀 Let’s take a look at 5 key concepts that you must implement as a company to collect data in an ethical, and most importantly, legally compliant way.
Data minimization is the idea of collecting and retaining only the minimum amount of personal information necessary to achieve a specific business purpose.
This means that as a business, you should avoid collecting excessive information that is not relevant to your operations.
According to data minimization standards set by the GDPR (the most robust privacy law to date), personal data must be: “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed”.
💡 Data minimization is an important point in privacy ethics because it establishes a standard for companies to limit and question the amount of information they handle: is this data really useful?
In an effort to give control over personal data back to individuals, consent is fundamental. It means you must obtain an explicit permission (called opt-in) of an individual before collecting, using, sharing or disclosing their personal information.
You should also provide a means to withdraw consent (from a mailing list, for example), which is called opt-out, as well as clear instructions for doing so.
💡 Consent is a legal requirement under most privacy regulations. It’s a complex topic, though. That’s why you should take a look at our comprehensive guide on the different types of consent!
Have you ever heard of dark patterns?
Dark patterns are where design elements are used to influence people’s decisions and trick them into doing things they didn’t mean to do. They are typically used for getting user consent on a banner or a form.
Some misleading tricks can include the following:
💡 Dark patterns are not only unethical, but in many cases illegal! In the EU, the Digital Services Act (DSA) states that the use of deceptive designs is forbidden. California’s CPRA has also banned dark patterns.
Transparency goes hand in hand with disclosure and information obligations. It’s quite simple: you must inform users of your data collection practices!
This is usually done with a clear privacy policy, mandatory under most privacy laws. Apart from being straightforward, your policy must be easily accessible – from your website’s footer, for instance.
This means that having ambiguous, lengthy, or legally-technical privacy documents would be unethical, first, but also non-compliant. Click here for a privacy policy example!
Remember that the right to be informed is the first of the 8 GDPR Data Subject Rights.
Another step in ethics and privacy is to make sure data is safe and protected after it has been collected.
Companies usually use and store important data and, therefore, are required to have adequate data security safeguards to protect it from unauthorized access, use, disclosure, or destruction.
You have already heard about various data breaches, or even sensitive data exposures. Due to its nature, sensitive personal information must be handled with even greater caution and is usually subject to specific processing conditions.
💡 Learn more about What Is Considered Sensitive Personal Information.
Privacy can be considered an ethical principle, as it involves respecting an individual’s fundamental right to control whether an organization should be able to collect, use, share or keep their personal information (i.e. email address, name…). But privacy isn’t only ethical. It’s an obligation. It’s enforced by various laws around the world with strict legal requirements, and comes with legal and financial consequences when not respected.