Stalking Apps: Creepy or Invasive? Understanding Social Media Data Collection is Key

IAB Consumer Privacy Campaign

Creepy!?? Is that how consumers would describe your online advertising? Maybe not, but regulators are clearly creeped-out by the amount of consumer data collected online and the ability of data aggregated to collect or discern information that many would consider private. Over the past weeks and months, several privacy stakeholders have issued guidance for best practices in online privacy and new light has been cast on developments in the state of online privacy.

For example, the Digital Advertising Alliance launched an ad option icon program for advertisers and consumers that lets consumers “conveniently opt-out from [some] online behavioral ads,” the FTC entered consent into orders with Facebook and Google regarding user information, Google announced a “single” privacy policy for all Google services, California AG Kamala Harris’ entered a consent agreement with mobile networks regarding applicability of the California Online Protection Act to mobile apps that collect personal data, the White House published a Privacy Bill of Rights, and the FTC issued a its final report on protection of privacy online. Online and offline privacy is coming under increasing scrutiny and businesses need to review their online (and offline) data collection practices, including how they share that data with third party advertisers, and compare their actual practices with what their privacy policies say and what their customers would reasonably think. 

Despite the spotlight on privacy, consumers seem less creeped out than regulators as they continue to surf, post and check-in online, giving Foursquare, Google and Facebook permission to track them for geo targeting purposes. However, last week, a mobile app called ” Girls Around Me” caused an uproar because it displayed the location of girls in the vicinity of the user and offered names and other personal details (such as relationship status) from the women’s Facebook profiles. Internet furor branded the app as a stalker tool… and induced Foursquare to block the it due to its creepiness. Considering that Girls Around Me simply runs on top of Foursquare, Facebook and Google services that were already permitted to track the women, accusing it of being stalker-like demonstrates considerable lack of awareness of what users already permit other geo tracking apps to do.

Clearly, what constitutes an invasions of one’s privacy is an individual decision and most of the responsibility for protecting the user’s privacy starts with the user’s own choices. Will the new awareness of social media’s potential creepiness inspire social media users to finally check their Facebook privacy settings? Perhaps. I don’t personally share much on Facebook, but the uptick in creepiness that Facebook’s new Timeline offers led me to fine-tune my Facebook settings. It took less than 15 seconds. Google privacy settings are somewhat more difficult navigate as its products cross numerous platforms. Google Dashboard, on the other hand, pretty quickly displayed what I have already agreed to share on various Google products.

Yet consumers can do only so much at this point and businesses, who are also on the front lines to protect user privacy should consider customers and their tolerance for risk on the internet. I have a few clients (with static websites) that prefer not to have privacy policies, due to a concern that privacy-sensitive users may falsely infer data collection if a privacy policy is posted. Businesses who take that tact must be sure that no data of any sort is collected from visitors. Privacy policies are required for data collecting websites and mobile apps — even when the site only collects administrative cookies.

If your website or mobile app collects non-personally-identifiable data and shares that data with third party ad servers or internet marketing research companies, your privacy policy should disclose such collection and provide a means to opt-out. Further, the opt-out needs to be “sticky” – persisting even if the user logs out or clears her cache. Regulatory compliance continues to focus on providing consumers with notice, transparency, choice, ability to view data collected and correct such data, and to opt-in for more invasive tracking or collection and use of sensitive or financial personal information. Businesses with integrity will comply. It remains to be seen how regulators will deal with the more aggressive adware businesses that use such exotic technology as zombie cookies or spyware that can log key strokes, sniff browser histories, and collect user contacts, IP addresses, and geo locations, without notice or an opt-in.

Social networking is here to stay and developing new conveniences for users at a brisk pace — at least in my practice.  At SXSW Interactive, numerous new social networking apps allowing mobile users to find other users in their geographic vicinity were launched, proving that many users and businesses need a better understanding of what is only creepy, versus what could allow other users to actually invade your physical privacy.