A Privacy Manifesto for the Web 2.0 Era - GigaOM
Let’s start by defining what we mean by personal information. Personal information includes any factual or subjective information, recorded or not, in any form, about an individual. For example: name, address, telephone number, gender, identification numbers, income, blood type, credit records, loan records, existence of a dispute between a consumer and a merchant — even intentions to acquire particular goods or services. And let’s not forget health, medical history, political opinions, religious beliefs, trade union membership, financial information and sexual preferences!
Now, what rights should you have? Here are four principles that form a Privacy Manifesto for the Web 2.0 Era.
1. Every customer has the right to know what private information is being collected. That rules out any secret data collection schemes, as well as monitoring regimes that the customer hasn’t agreed to in advance. It also rules out any advertising scheme that relies on leaving cookies on a customer’s hard disk without the customer’s consent.
2. Every customer has the right to know the purpose for which the data is being collected, in advance. Corporations must spell out their intent, in advance, and not deviate from that intent. Reasonable limits, consistent with the purpose for which the information is being collected, must be imposed on the collection of personal information. Furthermore, the common practice of inserting language into privacy policies stating that the terms may be modified without notice should be banned. If the corporation collecting data wishes to change its policy, then it’s incumbent upon the corporation to obtain the consent of customers in advance.
3. Each customer owns his or her personal information. Corporations may not sell that information to others without the customer’s consent. Customers may ask, at any time, to review the personal information collected; to have the information corrected, if that information is in error; and to have the information removed from the corporation’s database.
4. Customers have a right to expect that those collecting their personal information will store it securely. Employees and other individuals who have access to that data must treat it with the same level of care as the organization collecting it is expected to.
Viewed through the lens of these four principles:
- Verizon should have asked customers’ permission before sharing their information, and should have assumed that permission was denied until informed otherwise.
- Credit agencies should, upon request, share an individual’s information with them; should require consent from the individual before sharing their information with a third party; and should allow an individual to opt out of the credit reporting processes altogether.
- Facebook comes up smelling like a rose. The guarantee that they made to their users was that they wouldn’t share personal information with third parties. Facebook banned the use of automated scripts to prevent that information from being taken from the site. And Facebook explicitly recognizes in their terms of service that a user’s personal information is owned by the user, not Facebook, and the company is merely a licensee.
Facebook’s privacy policy, however, contains a paragraph allowing them to unilaterally change the promises they make to their customers. Facebook should remove these weasel words.