I spent a good portion of last week navigating legal agreements. Even in my previous role I worked multiple times on getting a feature through the legal process around privacy and third-party reviews. As developers we might think legal processes will be taken care of by someone else, but having a good understanding of the requirements around user privacy is critically important even for developers.
Let's assume you are building a product and you want to add Google Analytics to capture metrics such as which browsers your users use or how many times a certain button is clicked. Throwing in the Google Analytics script tags takes no time, but this feature has many legal implications.
Non-functional cookies require user consent, so Google Analytics can only be embedded after that consent has been given. Any data we collect must be properly secured, and the policies for how we handle that data must be disclosed. Developers must have a good understanding of what we collect, the countries where we store and process the data, how we use it and how it is destroyed, so that features are implemented correctly and in line with the product's disclosures. Any third-party service that the product relies on, or that may come in contact with user data, must also be documented in the privacy policy.
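As an added example (not code from the original post), here is a consent gate for the Google Analytics loader in plain browser JavaScript: the gtag.js script is injected only when a stored consent decision explicitly allows analytics, and anything else (no cookie, malformed value, explicit refusal) defaults to not loading it, so no analytics cookies are set before consent. The consent cookie name `cookie_consent`, its JSON shape and the `G-XXXXXXX` measurement ID are assumptions; the loader URL is Google's documented gtag.js endpoint.

```javascript
// Added example, not from the original post. Gate the Google Analytics loader
// on a prior consent decision. The cookie name and JSON shape are assumptions;
// G-XXXXXXX is a placeholder measurement ID, not a real property.
const CONSENT_COOKIE = 'cookie_consent';
const GA_MEASUREMENT_ID = 'G-XXXXXXX';

// Parse a document.cookie-style string ("a=1; b=2") into { name: value }.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const rawValue = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(rawValue); } catch { out[name] = rawValue; }
  }
  return out;
}

// Read the user's stored choice. A missing cookie, a malformed value, or
// anything other than an explicit `analytics: true` means "no consent".
function analyticsConsentGranted(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return false;
  try {
    const choice = JSON.parse(raw);
    return choice !== null && typeof choice === 'object' && choice.analytics === true;
  } catch {
    return false;
  }
}

// Inject the gtag.js loader <script> only when consent was granted. `doc` is
// passed in (rather than using the global document) so the decision can be
// exercised outside a browser. Returns the created element, or null.
function maybeLoadAnalytics(cookieString, doc) {
  if (!analyticsConsentGranted(cookieString)) return null;
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA_MEASUREMENT_ID);
  doc.head.appendChild(script);
  return script;
}

// Build the Set-Cookie style string that records the banner choice. The value
// is URL-encoded so JSON punctuation survives the cookie round trip; SameSite
// and Secure keep the preference cookie from travelling cross-site or over HTTP.
function consentCookieValue(analytics) {
  const value = encodeURIComponent(JSON.stringify({ analytics: analytics === true, ts: Date.now() }));
  const maxAge = 60 * 60 * 24 * 180; // remember the choice for 180 days (assumed policy)
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// In a browser, run the gate on page load; under Node there is no document.
if (typeof document !== 'undefined') {
  maybeLoadAnalytics(document.cookie, document);
}
```

Wire the banner's accept and decline buttons to `document.cookie = consentCookieValue(true)` or `consentCookieValue(false)` and then call `maybeLoadAnalytics(document.cookie, document)` again, so analytics starts in the same session once the user accepts. The preference cookie itself is commonly treated as strictly necessary (it stores nothing but the user's choice), which is why it can be written before any consent for non-functional cookies exists; keep it listed in the cookie disclosure all the same.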
Beyond user-specific data, developers must have a good understanding of the changes being made to the product so they know when to check with legal before those features are rolled out. For example:
- Cookies - Which cookies are being set and how are they used? Are we adding a new cookie?
- Consent - Is user consent obtained before collecting data?
- Third-party services - Are we using any third-party services, e.g. for hosting or sending mail, that come in contact with users' data?
- Data storage - Where do we store and process the data? Are we replicating it elsewhere, and is it replicated to services hosted in other countries?
- Collection - What data do we collect about a user and how is it used? Is a change being rolled out that collects more data about users?
- Security - Who gets access to the collected data?
- Destruction - When do we destroy collected data, and does the user have a way to find out what we collect?
- User-generated content - How is content posted by users being used?
- Child-appropriate - Would children under 13 use the product?
- and many more.
Here are a few closing thoughts from my experience:
- Minimum data collection - Collect only the data that is necessary for your product.
- Understand how the data is being used, especially if it is being sent to other services or shared, even within your company.
- When in doubt, get a legal review done. I know this can be frustrating and can delay the rollout, but "job well done" > "job quickly done".
- Watch out for sneaky changes after the initial rollout.