The privacy of our personal information has, in many respects, become a commodity to be traded for goods and services: If you receive goods or services for free, it is you (or your personal information) that is the product.
But, as social sharing companies like Airbnb and Uber have discovered, as individuals become more privacy-aware, they are increasingly reluctant to hand-over personal information, unless they trust that their personal information will be protected and properly handled.
A strong privacy compliance program and corporate culture of valuing privacy go a long way to gaining and maintaining user trust.
The privacy concerns of an Australian Airbnb user (triggered by a request from the platform to upload a personal video) have been widely reported in the press and on social media.
Airbnb’s Australian manager has reportedly justified the “video policy” on security grounds and assures users that the videos are used for “verification purposes”.
Uber ran a similar argument last year, when privacy concerns over the service were raised (in particular, that Uber staff had access to the locations of prominent Uber customers). Uber sought to reassure users as to the limited access rights for its employees.
Whether or not the privacy concerns are well-founded, the extensive media coverage has potentially caused reputational damage to the companies and undermined user trust in their platforms.
And trust, as sites like Airbnb and Uber know, is critical to the success of platforms which rely on the open sharing of users’ personal information. Uber openly declares that “[its] business depends on the trust of the riders and drivers that use our technology and platform”.
The challenge for Airbnb, Uber and other social sharing sites is how to unlock the commercial value in the data collected through the platform, whilst maintaining user privacy (and, as a result, user trust). The answer lies, at least in part, in privacy compliance.
Platforms and services that rely on user trust need to clearly demonstrate a robust privacy compliance program and a corporate culture that values the privacy of its users’ personal information.
This does not mean that social sharing sites should not use or disclose personal information. On the contrary, users of social sharing sites need to accept that the underlying commercial model means that there is a trade-off: free goods or services in exchange for a sharing of personal information.
It is the terms of that trade-off that need to be explicit and brought to the attention of the user prior to account opening and whenever there is a change in privacy practices.
To gain (and maintain) trust, the operator must be open and honest about what happens to users’ personal information collected through the platform.
The operator of a social sharing site with an “Australian link” will need to comply with the Australian Privacy Act.
An “Australian link” includes, according to the OAIC guidelines, operating a website that offers goods or services to Australia and collecting personal information from an individual located in Australia.
This means that a social sharing site marketed to Australian users will need to ensure that it is open and transparent about its privacy practices, as well as complying with the remaining Australian Privacy Principles more generally.
Perhaps more importantly, opaque descriptions of privacy practices are also unlikely to foster trust among users in how their personal information is protected.
Given the volume of people using social sharing sites, and the sensitive nature of personal information that is shared (including drivers’ licence and passport details), users want to know how their personal information will be used and that proper privacy controls are in place (as well as having an avenue for legal redress when these controls fail).
A robust privacy compliance program is key to demonstrating commitment to users’ privacy. It should include:
As well as engendering trust among users, this approach will also assist operators to comply with Australian privacy laws.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.