I wrote this post on privacy and user data ownership in consumer startups back in 2012 when Facebook bought Instagram.
This seems even more germane today as we start to see Quantified Self startups that blur the line between social and health data being acquired. Case in point: The recent Moves app and their ToS Changes post acquisition. I should point out that Moves does allow you to export your data in full and to delete your account.
Let’s talk about this on Twitter.
Consumer Data in Social Media Startups
Facebook recently bought the photography start-up Instagram, for a billion dollars. Commentary is flying hot and heavy about the strategic value, appropriateness of the valuation, and the coming ruin of the experience. Stepping away from the hoopla for a moment, we can see that hidden in the backlash is a real frustration with the data ownership model prevalent in social media.
The Privacy Challenge
Most social media companies today aim to create value by aggregating information about their users - Check-Ins (foursquare), TV Habits (Get Glue, Miso), Photos (Facebook, Instagram, Path) - and monetizing the information by delivering targeted advertising. The terms of service contend that the company owns and/or can maintain the data user has uploaded or created on the site in perpetuity.
Industry has quickly moved to address breaches but have largely ignored another significant user problem: data ownership during change of control events – i.e. acquisition, IPO or more likely for most startups wind down. For example, Wal-Mart recently bought Social Calendar - a service that creates birthday and holiday reminders to augment their database with customers’ dates. Typically, the company blog announces the control event with promises of no changes at this time followed by quiet changes to match the buyer’s policies. Lather, rinse, and repeat. The consumer typically has no clear control over continued use of data despite material changes.
While acquisitions and IPOs trigger the psyche’s ingrained response against corporate Goliaths, the more insidious case is when your favorite startup goes bankrupt or shuts down. Who owns the consumer data? Will the highest bidder in a liquidation honor the privacy commitments in the initial terms? When there is a thriving black market for personal information - Who will guarantee that “worthless” assets of a defunct startup won’t end up in some hacker’s lair?
A Modest Proposal
The industry can address this following two simple rules:
Allow users to completely and easily delete their user information from your site (Instagram seems to do this)
Allow users to export all their data in a simple human readable experience (HTML, PDF, JPGs, TXT, etc.) and a machine readable format that can be imported by other service - Data portability (JSON, XML, CSV, etc.) - Instagram users have to do this through 3rd party services today.
But there is a Catch.
This is a catch-22 for Startups. Well-intentioned startups might want to do the right thing for the customer and provide data portability options. However, doing so could put these same startups at a competitive disadvantage when it comes to acquisitions. Some buyers simply see the transaction as a user/data acquisition rather than a product/service acquisition. In these cases, all other things being equal, a startup that can deliver user data will garner a higher valuation than one with caveats.
Regulators, Mount Up.. But is it the right choice?
One way out of this quandary is for the regulatory bodies to make data portability mandatory - Users own their data and are allowed to move it into and out of systems at their will. Somewhat similar to the FCC mandate for phone number portability between carriers.
The devil however, as they say, is in the details. Today, social media is nascent and evolving in terms of its data collection practices. And, the regulators and legislators are too far away from the complexity of innovation to effectively create safeguards without stifling progress and innovation.
Let’s hope that in the Internet age the industry can quickly develop responsible corporate leaders who set clear consumer friendly standards for exporting and extinguishing consumer data before being regulated from the outside.