While SEO has remained relatively dormant in search engine algorithm changes, the hot topics in the last couple of weeks have found user privacy as a focal point. The two main news items are the Zuckerburg Hearings & the Right to Be Forgotten.

Zuckerberg Hearings

Facebook is in hot water, and as the New York Times summarized:

In March, The New York Times, working with The Observer of London and The Guardian, obtained a cache of documents from inside Cambridge Analytica, the data firm principally owned by the right-wing donor Robert Mercer. The documents proved that the firm, where the former Trump aide Stephen K. Bannon was a board member, used data improperly obtained from Facebook to build voter profiles. The news put Cambridge under investigation and thrust Facebook into its biggest crisis ever. 

Cambridge Analytica did what shopping companies (like Target) have been doing for a while: they amassed a bunch of user data, and used that to target people based on different psychological patterns. The issue is that they did this by using Facebook’s public API to extract and build these portals. They acquired data of tens of millions of users — considered to be the “largest known leak” in Facebook history.

The problem is, it isn’t really a leak.

They gathered this information through Facebook’s API, specifically the “Facebook login.” If you’ve ever given an app or website permission to log in via your Facebook profile, that’s how Cambridge Analytica obtained the data.

When people use this feature, they grant an app access to certain information. This is that part of the terms and conditions that no one reads, and means that a single user could (before the rules were changed) grant permission to their own data, and data for their friends.

Where, for example, Equifax made mistakes that cost the privacy of nearly every American, this wasn’t a mistake.  Companies like Apple & Google do this as well. Cambridge Analytica, not Facebook, abused the privilege by transferring data they received from the app and broke the terms of service. It is agreed that a lot of the spotlight is because the average person doesn’t realize how common these practices are.

The fact that tech companies have the ability to do this, paired with the scare it caused with the US election, is what thrust this whole thing into the public spotlight, asking Zuckerburg to testify before congress (who, unlike Equifax, actually showed up).

After I look at Google’s privacy issues, I’ll summarize both at the end of the article.

Google Loses “Right to Be Forgotten” Case

In May of 2014, it was ruled in the EU that individuals can petition to have Google remove search results about themselves.

If you have a criminal past you are trying to recover from, you’d likely prefer that your court records and mugshot aren’t the first thing a new employer finds about you when running a Google search for your name.

This was the case for a businessman fighting for his “right to be forgotten.” He wanted search results for a past crime removed from Google. When he applied for the Right to Be Forgotten (RTBF), he was denied by Google. He sued, and the UK High Court ruled in his favor.

It’s safe to say this ruling will encourage others who have been denied to push forward. Google’s response has always been that they are weighing these decisions with the public interest/right to know, versus the individual’s requests (for example, a lot of people side with this individual, until they realize this might be someone who would work for them).

Speculation and “what if” scenarios run into conspiracy theory land, assuming that this will become a dystopian/distorted view of the world where facts are expunged to protect the guilty.

What Does This Mean?

It means that we should likely expect new laws coming through that do a better job of protecting and penalizing people who don’t protect data.

The right to privacy has been a hot topic for several years, and the exponential growth of technology hasn’t always put privacy first. As mentioned in the Facebook case, thousands of app developers have access to this data. Most companies that you’ve interacted with online are storing and using your data for internal marketing, sales, and other purposes.

Why Do Companies Even Track this Data?!

It’s no secret that it’s easier to sell to someone when you have all of their psychological information. There’s a great story about Target accidentally spilling the beans on a secret pregnancy by sending out marketing materials to a teenager based on her purchasing habits.

Target identified 25 products that were purchased together to indicate a woman was likely pregnant and sent coupons accordingly. Here is a summary:

“My daughter got this in the mail!” he said. “She’s still in high school, and you’re sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?

The manager apologized and then called a few days later to apologize again.

On the phone, though, the father was somewhat abashed. “I had a talk with my daughter,” he said. “It turns out there’s been some activities in my house I haven’t been completely aware of. She’s due in August. I owe you an apology.”

Companies, politicians (the same ones who were aghast with Zuckerburg) and small businesses want more data on their consumers. They want to be able to know things like “73% of my customers listen to Van Halen, we should buy ads on their videos.”

The irony of the story is that Cambridge Analytica found a way to do things that others have tried (and failed at) for years. Google built a search engine to find anything and found that sometimes people would prefer that spotlight wasn’t pointed at them.

How Does This Affect My Business?

Initially, this doesn’t affect anyone. Soon, I expect there will be new regulations passed on how companies can collect, store, and transmit data. There already some regulations (your website should have a privacy policy, you can’t just sell all your customer data without their permission, and so on), but I expect these will become much tighter.

To prepare yourself and your website:

  1. Now, more than ever, do not ever sell or rent client data.
  2. If you need to share or provide access to people’s data, be up front. Use the simple: who, what, where, why, and when. Who are you sharing data with (third party vendors, competitors, clients)? What are you sharing (just a client’s email address, or all of the information you have on them)? Where is it being shared/stored (is it in a secured server, or are you emailing it back and forth to people? Can it be accessed in your API)? Why are you sharing the data (does it help the consumer have a better shopping experience, or does it help you make more money)? When is the data shared (can the person who is receiving the data access it at any time, or is it on set intervals)?
  3. Have an attorney create a privacy policy and terms of use for your website and app. Don’t rely on the “free” ones or generated ones for longer than you need to.
  4. Store data encrypted if possible, and really lock down the rights/privileges you give away with any public facing APIs.

You can’t skip the essential things like PCI compliance, protecting data, terms of use, and similar. Developers who do this will start being put in jeopardy, and it won’t be worth it. Developers who don’t do this likely shouldn’t be trusted.

Finally, stay in the loop on this. Compare this to the companies who spent a lot of time on black hat SEO or other poor practices, only to pay for it later. Keep an eye on new regulations, and make sure you have a web development company you can trust. As new regulations come in to play, you have to be very careful with how you treat your customers’ sensitive information.