Steps Companies Can and Should Take to Protect People in the Current Political Climate
The last thing any company wants is a reputation for selling out their users or putting them in harm’s way.
People shouldn’t have to worry that the information they share with a business is going to end up in the hands of the government. That’s all the more true in the current political climate, where we have already seen, and can expect to see more, government actions targeting people.
A business’s information and privacy practices can affect the rights and safety of millions of people, including immigrants, students, activists, and people who need reproductive or gender-affirming care.
To protect people and maintain user trust, companies should reexamine their information policies and be up to date on all the obligations of current privacy laws. They should reexamine all additional tools they can use to protect people’s information, rights, and safety.
We’ve put together a series of recommendations. This resource, along with our business primer, Privacy & Free Speech: It’s Good for Business, provides tips and 150+ real-life case studies to help businesses navigate thorny issues, maintain people’s trust, and protect their reputation and bottom line.
Companies Should Limit and Protect the Information They Collect and Retain
Protecting people’s privacy and safety requires companies to be thoughtful about the information they collect and hold. Often, the simplest way to protect people from dangerous government demands is to limit the amount of information collected and retained in the first place.
Businesses should start by carefully considering the costs and benefits of collecting data and thinking through how they will properly safeguard the information that they do collect. Doing so will both prevent harms and increase consumer trust in the business.
Reexamine Data Collection Practices – Practice Strong Data Minimization
A company’s product has a purpose, and that purpose should help identify the information it actually needs. Blindly grabbing information beyond that can subject a business to bad press, excessive government demands, and expensive lawsuits. For example, see our case study:
Instead, companies can build trust with their users by only collecting information as needed.
Limit Data Retention
Just because businesses need information for their service to work doesn’t mean they need to keep that information. Companies should determine how long they need to hold the information they collect, and they should delete it once it is no longer necessary to accomplish the purpose for which it was collected. This reduces the potential harm of information being accessed in ways – including by the government – that customers don’t expect or want. See:
Protect People from Improper Government Demands
If companies do receive a demand from the government, it’s crucial that they follow privacy laws, and do all that they can to protect their users from abuse and overreach. People are drawn to companies that they know are on their side.
There are five steps companies should take to protect people and to earn and maintain their trust.
1) Comply Only With Valid Demands for Information.
Businesses must carefully consider any government demand for information and its potential impact on people’s rights and safety. They should make sure demands comply with all legal requirements and are not otherwise overbroad, invalid, or unenforceable.
Review our specific guidance on the California Electronic Communications Privacy Act (“CalECPA”) for more information about what electronic communications information government entities can demand and the law they must follow. If a business suspects that they have received an improper demand, they should carefully think through both formal and informal avenues of challenging it.
Here are some examples of ways companies have protected people from improper government demands:
- Apple Defies Government Demand for Backdoor to Massive Acclaim | Case Study (itsgoodfor.biz)
- Yahoo Applauded for Successfully Fighting Warrantless Demand for E-mail | Case Study (itsgoodfor.biz)
- Amazon Applauded for Suing to Protect Users | Case Study (itsgoodfor.biz)
In contrast, many companies have faced very significant backlash when they missed opportunities to protect the privacy and safety of their users. See:
2) Promptly Notify Users About Demands and Give Them an Opportunity to Respond.
One of the simplest ways companies can protect people is by giving them the opportunity to protect themselves. If and when a company does receive a demand for information, at a minimum, they should notify the affected people (if possible) and inform them that they should explore potential legal options to challenge the demand. Companies should give someone as much time as possible before complying with the demand. Doing so costs very little but still clearly positions businesses as their users’ ally. For example:
- Tech Companies Praised for Notifying Users About Data Demands | Case Study (itsgoodfor.biz)
- Twitter’s Resistance to Gag Order Called a “Remarkable Display of Backbone” | Case Study (itsgoodfor.biz)
- Microsoft Shines in Fight to Bring Data Demands Out of Shadows | Case Study (itsgoodfor.biz)
On the other hand, when technology companies take actions that can endanger people, backlash can be swift. See:
3) Disclose Only Required Information.
If a business is required to turn over people’s information, they should still make sure they don’t turn over more than they must. Turning over months of records when only a single week’s worth of data is required, or disclosing information about activities outside the scope of the demand, can lead to legal liability as well as loss of user trust. On the other hand, pushing back against overbroad demands can help businesses limit their own costs and build a reputation for standing up for people in the right way.
- Facebook Hailed for Fighting Overbroad Search Warrants | Case Study (itsgoodfor.biz)
- Google Wins “Kudos” for Fighting Demand for Millions of Search Records | Case Study (itsgoodfor.biz)
It’s important to remember that the police may attempt to use a company’s technology for surveillance purposes beyond its intended use.
For example, self-driving car companies Cruise and Waymo got flayed in the press for failing to consider how building their cars with dozens of cameras capturing 360-degree views and gathering additional data as they travel could threaten people’s privacy. Once this sensitive information had been collected, the companies became a target for government demands to turn video footage over to law enforcement.
4) Publicly Release a Transparency Report Detailing Data Demands.
Being transparent about how many demands for information a business receives and when they comply with these demands can benefit not only their users, but their reputation as well. It is important to give people as much information as possible about demands from third parties, as well as the steps taken in response. The easiest way to accomplish this is by producing a biannual or annual “transparency report” documenting and providing detail about these demands. Check out our tools that help businesses track and respond to demands for user information and produce their own transparency reports.
5) Support Strong Laws to Protect User Privacy and Make Sure to Follow Them.
In addition to protecting users from improper demands, companies should also be their champion in court and in the legislature. Strong privacy laws can protect both businesses and users and can lead to glowing press.
It’s critical to make sure that laws to protect people from improper government surveillance are enacted and followed. Doing so protects customers and companies and builds trust and credibility:
- Tech Giants Praised for Supporting Digital Privacy Protections for Californians | Case Study (itsgoodfor.biz)
- Tech Companies Win Privacy Credibility by Supporting NSA Reforms | Case Study (itsgoodfor.biz)
Of course, the laws that are passed must be followed. Businesses should also make efforts to support their implementation.
One example of a strong privacy law that was passed with broad support from technology companies is the California Electronic Communications Privacy Act (CalECPA). CalECPA is a law that companies should understand and know how to fully utilize. Learn more about CalECPA, what it does, and how to use it.