Pokémon No Go: Niantic’s Experience Reminds Companies to Practice “Privacy By Design”

July 2016

Pokémon GO, an augmented reality mobile game, was launched by Niantic Inc. (“Niantic”) two weeks ago and is quickly becoming the new hot thing. But the excitement of the Pokémon GO launch was quickly dampened when privacy and data security concerns were raised. As anyone who has been paying attention to their social media news feeds now knows, to play Pokémon GO, you must first log in to either a Pokemon.com account or a personal email account. Most people opted for the latter. When users logged in with an email account, the initial version of the Pokémon GO app gave Niantic full access to their personal email accounts -- in other words, it allowed Niantic to read users’ emails, access their personal drives, review their search history, and even potentially send emails. Fortunately, Niantic was quick to respond to the privacy and security concerns and released an update to the app, fixing the security flaw and characterizing the previous full access permission as “erroneous”. But the privacy and data security issue should not have existed in the first place.

Since 2012, the Federal Trade Commission has been emphasizing “Privacy by Design (PbD),” urging companies to proactively incorporate and promote privacy and data protection at every stage in the development of their products and services, and not reactively, as an afterthought. Unfortunately, many companies (particularly newer companies), in their haste to launch an exciting new product or app, often fail to consider privacy and data security risks, collect more information than needed, and become easy targets for hackers. PbD is an approach to protecting privacy by embedding it into the design specifications and architecture of new technologies and products and taking privacy into account through the entire engineering and/or manufacturing process.

The Seven Principles of PbD

The concept of PbD has been around since the ‘90s but it isn’t often discussed or practiced by companies developing new technologies and products. PbD is comprised of seven principles that help guide data security and privacy decisions when designing, operating and managing technologies and products. Companies preparing to launch a new product would benefit from keeping these principles in mind:

  1. Proactive not Reactive; Preventative not Remedial. Companies need to be proactive in anticipating, identifying, and preventing data privacy and security risks before they occur.
  2. Privacy as the Default Setting. Personal data should be automatically protected with no action required by the data subject. This concept applies not only to apps and products that collect personal data, but also to company business practices.
  3. Privacy Embedded into Design. Security safeguards should be incorporated into product design and fully integrated into the components of the product and not as options or add-ons.
  4. Full Functionality – Positive-Sum, not Zero-Sum. Both privacy and security are equally important design goals. PbD opposes the zero-sum approach where tradeoffs are made to accommodate one or the other.
  5. End-to-End Security – Full Lifecycle Protection. Protection should be provided throughout the entirety of a piece of data’s lifecycle.
  6. Visibility and Transparency – Keep it Open. Companies should act in a way that assures stakeholders that their business practices, products, and technologies are operating according to objectives and promises, and are subject to independent verification.
  7. Respect for User Privacy – Keep it User-Centric. When designing new products and technologies, companies should keep individual privacy interests at the forefront of their priorities and aim to provide strong privacy defaults, user-friendly options and appropriate privacy notices.

Commitment to protecting privacy is increasingly being recognized as a business imperative that yields a competitive advantage. Companies launching new products or services can benefit from the ability to demonstrate their practice of PbD.

For more information on how to build PbD into your business, product or services, contact any member of our Information Governance Group:

Ronald J. Levine at + 212 592 1424 or [email protected]
Barry Werbin at + 212 592 1418 or [email protected]
Erica L. Markowitz at + 212 592 5953 or [email protected]

© 2016 Herrick, Feinstein LLP. This alert is provided by Herrick, Feinstein LLP to keep its clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The information is not intended as legal advice or legal opinion and should not be construed as such.