Whether you’re a Facebook user, a privacy wonk, or both, you’re likely aware of the social network’s settlement with the Federal Trade Commission, announced this week.
Under terms of the settlement, Facebook must now get users’ permission before it changes the way their personal information is shared. The social network also agreed to submit to privacy audits every two years for the next 20 years.
The settlement shows why it’s so important for companies to build privacy best practices into their business, preferably before the government orders them to do so. This concept—Privacy by Design—was first developed by Dr. Ann Cavoukian, information and privacy commissioner for Ontario, Canada. If Facebook had adopted these practices years ago, it could have avoided run-ins with U.S. and E.U. regulators.
The basic concept is actually quite simple: Companies should build privacy concepts and controls into new products and services during their development stage rather than treating privacy as an afterthought or ignoring it altogether. Companies should think proactively about the life cycle and uses of the information they collect so they can have clear policies on what they do with the information down the road.
Privacy by Design (PbD) is guided by seven core principles that companies can follow and think of as their privacy “rules of engagement” so to speak. The seven principles are:
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality — Positive-Sum, not Zero-Sum
5. End-to-End Security — Full Lifecycle Protection
6. Visibility and Transparency — Keep it Open
7. Respect for User Privacy — Keep it User-Centric
These principles have been embraced by privacy authorities worldwide as the best approach for businesses regarding treatment of sensitive personal information of consumers. Each principle represents core privacy values that, if followed, are good for businesses and consumers. And they keep regulators happy.
I haven’t seen Facebook openly recognize the value of PbD. Maybe it’s because of its unprecedented growth in the last five years. Maybe it’s because as a young, brash company it doesn’t feel the need to have to set its goals regarding privacy very high. Heck, maybe it’s because one of its financial backers is a CIA-owned venture capital group. Or maybe, it’s just because up until recently it hasn’t had to deal with more than negative press and little risk of losing users since it’s really the only game in town.
Regardless of the reason, Facebook is beginning to realize that people still care about their privacy. In the end, that means giving the user control over his information, and making privacy protection easy, clear and a default for users.
Facebook is a good case study for businesses on the costs of ignoring privacy. Downplaying the importance of how you treat consumers’ personal information, and of how you communicate that treatment, can be a big mistake. The Facebook case illustrates why adopting PbD principles early on in a product or service is critical. Mapping out how your company handles these issues early on can prevent later headaches.
Now, being a sideline critic is easy and hindsight is 20/20, but Facebook is an easy example of why PbD matters for businesses in the 21st century. Remember Mark Zuckerberg’s self-serving statement, referred to as Zuckerberg’s law: “Every year, people are sharing twice as much information as the previous year.” Even if it’s true, people still care about the control of their information and privacy. And in the end that is really what this FTC settlement and PbD are all about.
A version of this article originally appeared on Identity Theft 911 on Nov. 30, 2011.