Posted originally on the Drum

Privacy issues online are a daily occurrence; so much so that I get the feeling that many out there feel personal privacy is the Titanic in our connected world and that they might as well abandon it in favour of the Iceberg that is big data and go with the flow! That’s certainly inherent in the naming of Facebook’s new app as ‘Home’, an indicator of just how much access we have already given away.

Last week, however, it was our online history or ‘‘right to be forgotten’’ that came in to sharp focus. All those ill-conceived comments, and inebriated pictures that you shared so innocently in the past that followed you around ever since; as Kent’s new youth police commissioner found out last week. Those unavoidable rocks of your digital life, you run into while ego surfing (and job hunting).

Currently there is a fight going on between the UK and EU as to how best legislate ones ‘right to be forgotten’. Whilst occasionally ‘good’ does come from the EU, like having to opt-in to email, much of the industry is still feeling the sting of the Cookie bill, which became a non-issue for consumers, and could have been dealt with without draconian (and unenforceable and expensive) legislation.

In the ‘Right’ corner the EU believes that everyone should have the right to remove their debris. It will be the service providers responsibility to not only promptly comply but also contact any other third party with whom the content has been shared (!), and for non-compliance a fine of up to 2% of gross turnover will be applied (!!). This is another potentially unenforceable and extremely expensive regulation, especially for online services who aren’t faced with these issues on a regular basis.

In the other ‘Right’ corner is the UK. The government claims that this is too much of a burden on business and that we in the UK and (other individual countries) should have the right to make their own laws to deal with it; and that the individual should be made personally responsible for contacting each service. This means that businesses may have to deal with at least 27 local variations of the above – which is also problematic.

I find myself somewhat torn on the issue – I firmly believe in privacy rights and the ‘right to be forgotten’, however I also appreciate the complexity, and to an extent futility, of blanket policies when it comes to the internet. They invariably lead to unpleasant unforeseen consequences, and I’m just going to skim the surface on some of the commercial ones.

How bad could it be?

• A consumer posted up a picture for a competition that they want removed on a dodgy flash microsite you made a few years back – you’ve already changed agencies (hopefully dumped flash) and don’t have access to it anymore – what do you do? Take it all down?

• Worse when the real trolls get a hold of you with legislation to sue you and start marketing their cleansing services on a no-win no-fee basis.  They love going after middle-tier businesses that are happy to settle out of court.

• The big guys (Facebook, Google etc.) have already been pulled up on this still haven’t entirely resolved the issue of taking down embarrassing pictures if you didn’t put them up there yourself – the copyright is actually owned by someone else, so it becomes a whole world of hurt.

• What fun we’ll have dealing with fake takedown notices as is rife with the DMCA in the US. Split up with your boyfriend? Get him removed from the web!

• It will be abused as an easy way to censor the Internet. What if somebody quoted you in a damning article? Retweeted a mistake, like Reading East MP Rob Wilson? Redaction-tastic! They say they want to protect freedom of expression but actually the best way to do that is to allow people to express themselves freely, not make ‘an exemption’, which is one of the key criticisms of the bill.

So can we affect the outcome of this battle? Probably not, and in many ways it doesn’t really matter. Consumers demand and deserve the right, so whether it’s poorly legislated or self-regulated, anybody who provides any kind of online service will be affected.

So how can you prepare?

1. Allowing consumers to easily delete their own data is simply best practice. Most modern platforms have the functionality built in, but if it was built bespoke, it may require more development.
2. You may want to look at your Data, Terms Of Service and Privacy Policies now, as opposed to later. Blanket legislation will overrule your own – and that it’s a positive action to give your consumers more control over their data – updating them shouldn’t be a challenge (although enabling it might be).
3. If you are socially driven startup – be it reviews, comment or community – this could potentially be disastrous, add ‘data deletion’ into your ‘Minimum Viable Product’.
4. If you are the local arm of a global business, but the development resides outside Europe, you may want to add the functionality in to your roadmap or production process now, rather than scrabble around next year trying to grab resources.
5. Do some spring-cleaning. The Internet it still littered with ancient microsites from the dark ages – do us all a favour and just bin them!
6. Double check that when you say you are deleting something it’s actually gone. This is often much harder than you think, especially with search engine caches, the Internet Archive and the recently launched UK libraries archive all trying to preserve the data, not destroy it!
7. Be wary about who you may be sharing or syndicating your data to. This is especially relevant to the publishing industry; editions that carry international comments may find themselves in a whole world of pain. Better to sort it now.
8. For those whose business model is not completely reliant on advertising – whilst not a solution, but a possible deterrent – you may want to consider not indexing some parts of your site to head a few folk off at the pass.
9. It should go without saying, but it’s worth factoring this in when planning out sites, apps and user-generated campaigns. Think of it as a data tax, the more you collect the more you are likely to pay in terms of increased time dealing with requests from consumers. I’m sure after a while you’ll be able to actually calculate your exposure up front, but at the moment it’s up in the air.
10. In the UK and Europe, this will finally put an end to the question ‘Who owns the data?’ and the answer is rightly – The Consumer. If your business model is entirely reliant on the goodwill of your customers, you better make sure you don’t overly exploit them, as I suspect personal takedowns may become the protest mechanism of the future.

Don’t assume this won’t affect you. This isn’t like the nobody-really-cares Cookie Monstrosity, there is nothing worse than a disgruntled consumer with the law and the trolls on their side!

Overly pessimistic or just the tip of the iceberg? Have you had to deal with this yourself yet? Would self-regulation be a better route forward?

Jon Bains is a partner at Business futures practice http://www.weareatmosphere.com