5 Golden Rules of Data Privacy Law

By Brad Gold, 6/25/18

As news stories roll out on a daily basis regarding the changing landscape of data privacy and the world of law governing it, there is much confusion. Businesses push their interests to make money, individual people protest violations of various rights, and politicians straddle the middle, impossibly trying to please everyone. So, we need to take it upon ourselves to understand what is going on and what we can do about it.

In my classroom at the University of Texas at Austin, when I begin teaching undergraduate students about business law, I teach a couple of fundamental concepts that help students understand how the law impacts our lives. First, I teach that the law is supposed to be a reflection of our goals and needs as a society. It is when laws no longer properly reflect society that we begin to question a law’s validity, or demand that new ones be drafted. Second, I teach that a substantial number of laws are ultimately determined by the “reasonable person standard.” That is to say, if 100 people were all placed in the same situation and a clear majority of people made the same choice, our legal system and sense of societal cohesion demand that such choice is protected by the law.

So, to understand the law (let alone practice it), we must set aside our own personal ideology and be perceptive to the greater needs of our friends and neighbors alongside our fundamental rights to live, speak, and act as a free people. Instead of venturing into abstract legal philosophy to figure out exactly what that means for data privacy in our daily lives, we can obtain a strong and fairly accurate barometer of how data privacy laws should evolve by looking at 5 simple principles that we can all understand:

  • laws should promote and defend honesty;
  • laws should promote and defend transparency;
  • laws should promote and protect the commitments we make to one another;
  • laws should protect us from harm and punish those that purposely cause harm; and
  • evolutions in law should be based upon objective measures of society’s goals and needs.

When the law wrestles with a new issue, such as data privacy, the easiest way to determine how to act legally and ethically is to follow these five guideposts. What many folks do at this point in the analysis, unfortunately, is become distracted by the cacophony of voices and companies out there that have already waded into this conversation with their own sense of data privacy, and their own sense of right and wrong. We’ve heard this play out with Mr. Zuckerberg’s testimony in front of Congress, press releases and privacy policy “updates” from every tech company imaginable, and even in private conversations over dinner we verbally tussle with family and friends over the benefits and drawbacks of a dating app telling potential suitors our location, or whether targeted ads are helpful or creepy.

With Constitutional rights to privacy at stake, not to mention the greater implications of companies and governments knowing too much about who we are and what we do in our private lives, we need to set the record straight on how the law should form and how companies should behave when dealing with our private data. To do this, let’s return to the 5 guideposts set out above. 

HONESTY - Companies must be honest about the data collected, used, bought, or sold. 

TRANSPARENCY - Companies need to stop burying data collection policies deep in lengthy legal documents and instead be really straightforward with all consumers (regardless of their level of tech-savviness) regarding data privacy practices.

COMMITMENTS - If a company is a photo sharing app or a phone service provider, it should be a photo sharing app or a phone service provider, not a front to collect personal data and sell it around the world to the highest bidder to do anything with the data that they please.

DO NO HARM - A company must not ever sacrifice the privacy rights of any customer or the public at large for the purpose of driving revenue.

GOALS AND NEEDS - A company must rely upon objective and reasonable research to gain insight into what society wants and needs, NOT what a company wants to present as their view of reality. Likewise, even though a seemingly reputable study may report that 100 people have jumped off a bridge and therefore you should do it too, common sense must weigh in here as well.

On that last point, although a herd of companies have already jumped off the data privacy bridge and they all tell us it’s OK, the Pew Charitable Trust, an eminently reasonable source of objective research, found the following: “91% of Americans ‘agree’ or ‘strongly agree’ that people have lost control over how personal information is collected and used by all kinds of entities. Some 80% of social media users said they were concerned about advertisers and businesses accessing the data they share on social media platforms, and 64% said the government should do more to regulate advertisers.”

Although the research is a few years old, Pew republished this research in March 2018, and further stated: “Six-in-ten Americans (61%) have said they would like to do more to protect their privacy. Additionally, two-thirds have said current laws are not good enough in protecting people’s privacy, and 64% support more regulation of advertisers.”

Today, this is a global legal issue, and folks from California, to Vermont, to the European Union, are drafting and enacting laws that protect consumers from companies that don’t follow the 5 golden rules of sound data privacy law. But until we in the US have our own GDPR-style law, we can imagine that it will be a few years until our government fully protects our data privacy rights. Last Friday, the Supreme Court took a small but important step in this direction by ruling that warrants are required for cell phone location data based upon our “reasonable expectation of privacy”, but this ruling does little to protect us from private companies. So, in the meantime, if you are doing business with a company, even paying them $0.99 for an app, and they don’t meet the 5 guidelines, find an alternative ASAP. And if there is no alternative, be an entrepreneur, start something new, and let’s make the next generation of disruptive technology a mindful representative of our best selves and the 5 golden rules.


Brad Gold is the Data Privacy Officer at Abraxas Technology.
