One of my most strongly held personal beliefs is that Daniel Craig has been the best James Bond. Another is that folks should be able to use technology to enhance their lives and do so without fear that they are sacrificing their privacy or security.
The harsh reality is that these two things are not always mutually exclusive.
The default, for many technology service providers, is to capture as much information as they can, store it, and then try and figure out how to monetize it, with little regard for the fact that all those lines of data include sensitive information about actual human lives and livelihoods. Then, we all know what happens when that data goes missing. It’s the people caught up in the breach that suffer, and not really the people who put them in that position.
Legislation such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), introduced over the past few years, has put consumers in a better position to exercise control over their personal data, but I think we can all agree that there is still a long way to go.
The truth is, the onus is on the organizations collecting and processing data to always do the right thing. This data privacy week, I wanted to share with you some of the ways we follow this principle at Particle. It’s especially important to us, as a platform that connects a wide range of products and services in a variety of different industries. Particle-powered products are everywhere, and with that power comes great responsibility.
We give everyone the same set of rights, regardless of where they live.
Particle’s privacy operations runbook, the guide we follow internally when responding to data subject access requests (DSARs), starts off by telling our security and privacy team that everyone who reaches out to us to exercise their data privacy rights has the same set of rights.
Although technically we could require proof of residency to exercise GDPR or CCPA rights, for example, we firmly believe that privacy rights are human rights, and as such, everyone gets a superset of rights based on the most powerful legislation.
Storage is always opt-in, and consent can be revoked at any time.
One of the things I really enjoy telling people about Particle is that despite the hundreds of thousands of devices that connect to our platform, and the billions of events that flow through it, we don’t actually store a great deal of data.
We’re a conduit. Our storage is limited to what we call ‘service data’, which is essentially the minimum amount of data we need to keep the service running. We don’t store event payloads, or proprietary information belonging to our customers, and ultimately their customers. Storage is limited to things like cellular signal strength, and other diagnostic data that allows us to ensure devices are performing well. Even then, this data is auto purged after a set period of time.
One exception to this rule applies to location data collected by our asset tracking services. In this case, we have an opt-in storage mechanism that lets customers choose to have Particle store their location data, so that points can be drawn on a map. Consent for storage must be explicitly given to enable this feature, and it can be withdrawn at any time. If consent is withdrawn at any point, the data is purged from our platform.
Self-service account removal is a real thing.
We’ve all been there. We have a subscription that was very easy to sign up for, but extremely hard to shut down when we decide we don’t want it anymore. Either you have to open a support ticket or worse – make a phone call, the mere thought of which sends a spike of anxiety directly to my soul. It doesn’t make sense!
I can open an account online, but you’re telling me the technology doesn’t exist to close it without speaking to a human?!
Well, as much as we want people to stick around, one thing that we offer is the ability to completely purge your account from our platform, without having to speak to anyone. The delete account feature walks you through a self-service process for completely removing your account from Particle, if you choose to do so. This process triggers the same behind-the-scenes steps that are followed by our security and privacy team.
We only collect the minimum amount of information from humans.
Anyone who has ever stood in line at an airport security checkpoint will be able to confirm that humans are interesting and complex creatures. There is a lot you can ask a human about themselves to really get a sense of who they are, and what they are interested in.
There are times when this is important to do – running an IoT platform is not one of them. Yes, we need to know your name and how to contact you in the event we need to let you know something relevant to your use of the platform, but that’s really it.
That’s why, when you register for a Particle account, all we collect is your name and email address. No phone numbers or credit cards needed.
Don’t get us wrong, we love hearing about the new and innovative ways you use the platform, but it’s your call to tell us about it! It’s your business, after all; we just make it happen.
This data privacy week, I encourage you to take a moment to learn more about how the services you engage with on a daily basis use your data, and to take steps to protect your privacy where possible. You can read more about data privacy week here.