Who Owns My Data?
We’ve often written about how connected experiences in the consumer Internet of Things (IoT) provide a powerful new channel for engaging and marketing to consumers. In one post, we wrote about consumer app monetization. In another, we discussed IoT’s impact on advertising. The emergence of hyper-contextual marketing was the topic of yet another related post.
Underlying consumer IoT applications is the question about how personal data ownership and privacy are managed. Given the type and amount of data these applications capture, it's understandable that privacy concerns are being raised to a new level.
The entire topic of privacy and data security is too large and complex for one blog post, but there are a few fundamental concepts around data ownership that you as a consumer of connected product apps should know:
1. The Terms and Conditions (T&Cs)
Every app will have T&Cs you agree to when you register to use it. They’re a legal contract to which you and the app developer are bound should any conflict (e.g., about timely payment) arise. They also describe the limits of liability. Most app developers will specifically disclaim any guarantee of absolute security for your personal information.
T&Cs also spell out the app developer’s rights to the consumer’s User Data and Content. The typical arrangement is that the consumer owns the data and content, but grants the developer the rights to use them to operate and improve their service.
2. User Data vs User Content
User data (also PII or Personally Identifiable Information) is the basic data you must enter - name, birthdate, gender, email address - when you register with the app. The app developer will never claim ownership of this data, but reserves the right to use it to provide their service. They’ll also include a retention clause. If you delete your account, they may delete your data, but that’s not always guaranteed.
User content includes all the other data and content captured and stored by the app that cannot, by itself, be used in some way to identify the individual user. It includes content posted explicitly to the app (photos, written comments, “likes”…) as well as activity data (e.g., what’s captured via a fitness tracker). Most apps will not claim ownership of this content, but include a grant of rights in their T&Cs to be able to use it.
Most app developers will also use anonymized data and content to improve their service or develop other services. Since the T&Cs already grant them the right to use the un-anonymized data, it’s not necessary to spell this out. Instead, this use is often mentioned in the Privacy Policy.
(For an example of a Terms and Conditions document, including a rights grant for User Content, see Strava’s T&Cs.)
3. Privacy Policy
A privacy policy, if it exists, describes how the app will be using your data and content. It may or may not be attached to T&Cs. If it isn’t, it’s not legally binding and is more of an honor system. Privacy policies are useful for informational purposes, though. They may describe, for example, how your personal information may be anonymized and aggregated for market analysis and the creation of salable data sets. (Strava’s Metro service is an example of a salable product constructed from aggregated user data.)
Balancing Risks vs Rewards
Remarkably, very few consumers ever bother to review app T&Cs and privacy policies. According to Pew Research, half of us don't even know what a privacy policy is.
Despite our apparent ambivalence, most app developers try very hard to keep personal data safe, but these are complex systems and mistakes are made. There are also criminals out there who will go to great lengths to get access to personal information. In the end, every user of a connected app needs to balance privacy risks with the rewards derived from using the app. Whether or not you choose to take the risk with an app is up to you, but knowing the T&Cs and privacy policy at least allows you to make an informed choice.
For more general info on how to keep personal information secure, check out this article from the FTC.