Anyone using technology should read the fine print in privacy policies, especially legal professionals. The tools used in the business and practice of law have access to confidential client information—and we’re obligated to protect that information. To adequately protect client confidences, we must know which questions to ask, and understand the risks and benefits of using technology.
In this enlightening interview, privacy expert Donata Stroink-Skillrud explains how to assess privacy policies and which questions to ask when you’re considering new software. Donata also draws attention to potential privacy issues that are often buried within privacy policies, like third-party permission to access data. This interview is the playbook for responsible privacy assessment. Read on for Donata’s helpful advice.
What is your role and how is it related to privacy law?
What prompted your interest in privacy law?
Serendipity. My first brush with privacy came in 2013 when my personal information was breached in the Target data breach. That breach opened my eyes to the consequences of sharing personal information online and what can happen once personal information is breached. When I was in private practice after law school, some of my clients would ask me about privacy policies and Terms of Service, and whether I offered these policies as a service. I started to look into it and fell down a rabbit hole that I haven’t gotten out of five years later. I noticed that when I was drafting policies for my clients, the process was repetitive; I was managing a slew of templates I would copy and paste from. I asked myself whether this process could be automated, and that’s how Termageddon was born. Personally, I think that privacy is or should be a fundamental human right, and I feel very fortunate to help companies honor that right.
What’s the difference between privacy and data security?
To me, privacy is about collecting, using, and sharing personal information in a responsible and compliant way. Security, on the other hand, is protecting personal information from unauthorized access and disclosure. I think that to meet and maintain compliance requirements, companies need to focus on both. I see a lot of smaller businesses laboring under the impression that if personal information is secure on the website (through, for example, having an SSL certificate), privacy requirements are met. However, this is simply not true, as privacy is a related but separate field that ensures that your company itself is using and managing personal information correctly. A lot of education is still needed on the importance of privacy and security, and the relationship between the two.
How is privacy connected with empathy for end users?
As a lawyer, data professional, or a privacy professional, I think that you should always try to put yourself in the shoes of the consumer. You should also pay attention to privacy practices whenever you sign up for a new service. For example, have you ever received a marketing email from a company you have no prior relationship with? What does that feel like? For me, it’s annoying. The trust I otherwise would have had in that company decreases, thus the chances of me purchasing anything from that company decrease. It’s almost a cliché, but I think that you should treat others the way you’d like to be treated—that applies to privacy practices as well.
What are some red flags in privacy policies of consumer apps?
As someone who writes privacy policies for a living, I’ve read quite a few of them myself, and below are items I would consider “red flags.”
What are some surprisingly good privacy protections you’ve seen in legal tech or other apps?
I am a big fan of Apple’s recently released update that prompts consumers to choose whether they would like to be tracked by a particular app before they use that app. The notice itself and the options presented are all very clear. In addition, the choice defaults to “do not track,” which I think is an excellent example of privacy by design. I know this update is very controversial as it may allow Apple to grow a monopoly around data; Apple is still collecting all of that data while discouraging other companies from doing so. However, I do believe that allowing consumers to actively choose whether they would like to be tracked is a positive step forward.
What are some dangers of using a freemium consumer app in legal practice?
What should lawyers know about the new privacy laws from the past few years? Do they apply to law firms? If so, how?
When you’re searching for new software, what’s the most important privacy-related question to ask vendors?
What are the top 3 privacy-related questions lawyers should ask about access to confidential data granted to consumer apps?
- How is the confidential data used?
- What pieces of confidential data are shared with third parties, if any?
- What third parties are the pieces of confidential data shared with?
I apologize but I simply can’t resist adding a fourth question here, too:
- If confidential data is shared with third parties, why?
How many layers of data-sharing should lawyers investigate when considering purchasing an app that will have access to confidential information?
What resources do you recommend for laypeople wanting to learn more about privacy?
If you are a resident of the United States, unfortunately, there are very few government resources on privacy rights. However, these websites can help you determine what privacy rights you have, how to keep your information private online, and what to do if a company fails to protect your personal information:
- Privacy Rights Clearinghouse Online Privacy Guide: https://privacyrights.org/consumer-guides/online-privacy-using-internet-safely
- Protecting Your Privacy Guide: https://www.usa.gov/privacy
- Thomson Reuters Internet Privacy Laws Revealed: https://legal.thomsonreuters.com/en/insights/articles/how-your-personal-information-is-protected-online
- Consumer resources regarding identity theft: https://idtheftinfo.org/consumer-resources
- EPIC Online Guide to Privacy Resources: https://epic.org/privacy/privacy_resources_faq.html
About Donata Stroink-Skillrud
Donata Stroink-Skillrud is a privacy and technology lawyer licensed in Illinois and a Certified Information Privacy Professional. Donata is the President and legal engineer of Termageddon, a Software as a Service company that has generated thousands of privacy policies and kept them up to date with changing legislation. Donata is also the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
About the Privacy and Security Interview Series
This interview is part of a collection of interviews about privacy and data security. By producing this series, we hope to prompt legal professionals to think about the privacy concerns that arise in everyday tasks like word processing and selection of document creation software.
WordRake is clear and concise editing software designed for people who work with confidential information. The software improves writing by simplifying and clarifying text, cutting legalese, and recommending plain English replacements. WordRake runs in Microsoft Word and Outlook, and its suggestions appear in the familiar track-changes style. Try WordRake for free for 7 days.