Data powers and improves every aspect of our lives. A modern car generates 25 GB of data per hour to monitor health and keep drivers safe. A modern airplane generates up to 1 TB of data every flight to keep us safe and improve the experience. Having worked as a statistician and mathematical modeling engineer before Branch, I know the power of data to generate significant value. Using billions of data points to drive experimentation, our team was able to create a new technology for a solar panel, setting the world record for solar panel efficiency. Data was the key to innovation that could have changed the world. It was this experience that gave me a unique perspective on the usage of data as I got involved in the mobile ecosystem around 8 years ago. I was confident we could leverage the scale of data to build better user experiences in mobile.
But as everyone who operates in the digital economy is now aware, data has become more of a liability than an asset when the media is often looking to write the next scandal story instead of writing about how data can actually improve users’ lives. About every other week, Branch receives an inquiry from a reporter looking to write a story about how third-party analytics companies are violating users’ privacy with their usage of data. It’s blatant fear-mongering and super unproductive for the progress of the digital economy. No one is writing about how data can be a force for good — if used correctly and safely. Data can be used anonymously without violating a user’s privacy, and help to deliver better, more seamless experiences to users.
As we approach the point where data-related, fear-mongering stories are less and less unique, I think it’s time for the industry to take a more educated and productive approach to assessing how data is used. Every industry in the world relies heavily on third-party companies that operate behind the scenes and specialize in services. For example, we trust our lives with airlines that buy airplanes from a select number of manufacturers such as Boeing or Airbus. These airplane manufacturers then buy parts from thousands of companies that you’ve never heard of, all of which are crucial for airplane safety and reliability. You don’t care about these third-party companies, because ultimately you trust the manufacturer to have properly vetted these third parties before using the components.
The exact same system exists in the digital economy. Every company operating a digital service (website, app, etc.) relies heavily on third parties to provide a great experience to its users and operate its business. Rather than physical reliability and safety as experienced in the airline industry, these companies have to make choices around data security and privacy when working with third-party service providers. We must get to the point where these companies can give their users confidence in the data security and safety of these third parties, in the same way that the transportation industry gives travelers this confidence.
Branch gives our companies and their users this confidence by following a set of principles that we believe all third parties should adhere to. From a user perspective, if a company respected these rules, it would be trustworthy and generally “not creepy”. Moreover, if companies were to comply with these principles, they would be in a good position for compliance with GDPR or CCPA — or with the myriad other privacy laws and regulations that are inevitably coming down the pike. We’ll refer to those complying with these principles as “good data citizens”.
Principle 1: Don’t collect or store more information than you need to perform your service
As a third party with direct access to user information, it can be tempting to collect the information “just in case” you want to use it for an initiative in the future. Don’t do this. Only collect the bare minimum information you need to provide the service. We take this to heart here at Branch — which is why we don’t collect data like end users’ names or email addresses. We neither want nor need that data.
This same principle applies to storing the data as well. Don’t store data for longer than you need, and if you do, make sure it’s cleansed. That’s why, for example, after 7 days, Branch effectively renders its logs of end-user data unreadable. This is because, even though it could be nice to have that data available “just in case,” we’ve made the determination that the “just in case” doesn’t outweigh the privacy and security benefits of limiting the scope of the data that we store.
Principle 2: Don’t sell / transfer ownership of data to other third parties
This is a more aggressive stance, given that many business models are still based on the premise of buying and selling data. However, I believe this to be a key root cause of the uproar around data usage, and the primary concern in the series of scandals we’ve observed over the last year. A user feels that they should own their data, and when ownership is not clear, it feels creepy and wrong. We must address this directly, just as CCPA and GDPR are attempting to do through legislation.
By instituting a policy that the data is never rented or sold without the explicit permission of the user, users can feel safe that they maintain ownership of the data. Moreover, good data citizens should support direct deletion as well as standard opt-outs to ensure that users have control over their data, and user-facing companies should make these controls available through an easily accessible portal.
Principle 3: Implement best practices in security and data protection protocols
Last, but definitely not least, a good data citizen must make significant investments in data protection through security. For example, companies should implement SOC 2 protocols and employ a third-party bug bounty system, as well as have dedicated security professionals watching over the technology. Moreover, employees should be given regular training on how to avoid social engineering tactics like phishing. Only through investment can third-party companies ensure the safekeeping of data. If combined with data-deletion policies as described in Principle 1, users should be confident that their data is safe and protected.