A Principled Approach to Privacy

Cuebiq has embraced privacy as a core value from the very start.  As we continue to evolve our approach to privacy with each new regulatory advance, such as with GDPR and CaCPA, it’s important to ground ourselves in several central principles to guide our efforts. Cuebiq’s privacy program revolves around 4 key principles: Consent, Transparency, Control, and Accountability.

Let’s focus on two of these today: Consent and Transparency – which often go hand-in-hand to legitimize the other.

 

Consent is the most privacy compliant method to gain a legal basis for the collection and processing of a user’s data but it must be specific, informed, freely given, and unambiguous to qualify.  

When it comes to precise location collection, there is some debate if the default operating system consent language qualifies as “specific and informed” if data is shared with 3rd parties, such as Cuebiq, for further use in areas such as interest based advertising. Even when these disclosures are provided in the App’s privacy policy. Fortunately pure analytics use cases are rarely caught up in this argument and are the foundation of Cuebiq’s purposes for data collection.

To address these concerns, Apple now offers App Publishers the ability to alter the default precise location language to add more detail.  This is a great opportunity to include third parties that App Publisher may be working with but there are other options as well. A more natural consent flow for bundled consent (meaning third party and first party data collection is tied to the same consent) is to offer greater transparency as to the scope and purpose of data collection, which includes third party partners, prior to then asking for precise location consent.

How does this look?  Upon opening an app the user is told in a modal dialogue what information is about to be collected and for what purposes if they select the “Allow” option when the precise location consent appears.  Once the user selects “Proceed” the next modal dialogue shown is the default one from the OS. Now when the user selects “Allow” they have the full context of what this permission entails.

Another approach would be to unbundle the consents and simply provide an independent consent dialogue for the collection and use of precise location data by a 3rd party partner.  Cuebiq supports both options natively in our latest SDK and further supports all 26 official languages in the EEA (European Economic Area). It’s important that App Publishers consult with their legal teams on their options as EU regulators have strong opinions as to the legitimacy of bundled consent approaches.

While the consent flow addresses many questions about how “specific” a consent is, any consent would not be deemed valid if it is not also “informed”.  This is where the “say what you do; do what you say” principle of transparency comes into play.

While Cuebiq’s privacy policy goes into incredible detail about our data collection and use practices, it is vital that our App Publishing partners support this within their own Privacy Policies as well.  This way users always have a quick, contextual location in which to learn (or remember from their initial consent) the scope and purposes of precise location and related data that may be collected by Cuebiq.  This is foundational to support the consents we receive as “informed” and therefore, valid under the law. Cuebiq offers our App Publishers with model language but are always open to this being expanded, especially when an App Publisher is attempting to cover multiple partners in as compact a privacy policy they can manage.

I’ll be back to discuss these principles more and the others, Control and Accountability, in future blogs.  

It’s important to stress that we’re all in this together. The entire app ecosystem, 1st parties and 3rd parties alike, are under constant and growing pressure to focus on privacy matters.  We invite our partners to join Cuebiq in our principled approach to privacy fundamentals so we can collectively rise above the chatter and be easily identified as those that embrace privacy best practices.

Shane Wiley

Chief Privacy Officer

With almost 30 years of experience in software engineering, product management and policy, Shane Wiley possesses deep knowledge of both regulatory and business issues related to privacy and privacy
technology specifically.