top of page

The Kindergarten Rules for Data Privacy

This guest blog was contributed by Arlo Gilbert, co-founder and CEO of Osano

Arlo Gilbert, cofounder and CEO of Osano

Let’s talk about the ethics behind consumer data. Data helps brands improve the customer experience and marketing strategies, but many companies push the envelope on how they obtain, use, and store this personal data.

As a father of three children, I spend a lot of my day teaching them how to treat others and respect their things. While teaching my youngest not to take his friend’s beloved toy without asking, it all clicked. See, learning — and teaching — human morals is often more complex than SaaS technology and quantum physics, but we manage to simplify lessons on behavior into understandable “rules.”

The same thing goes for data privacy. Though a few laws and regulations enforce data privacy ethics for consumers, like the EU’s General Data Protection Regulation (GDPR), organizations need to look beyond the rules and think about what’s right when capitalizing on our consumers’ sensitive and personal data.

Thus, I’ve created three “kindergarten rules” for data privacy. These rules are simple enough that children could understand them, yet they encompass complex lessons on how companies should treat their customers.

1. Don’t take something without asking permission

A big lesson of growing up is learning how to share, but sharing etiquette goes both ways. If you want someone to share their belongings with you, ask permission. This also goes for data.

Before taking information from consumers, say what you’re asking for. Companies collect data from consumers in many ways, but the bottom line is that they must first ask permission. Consumers must understand why you want their data and what you’ll use it for before they consent.

Misleading consumers about their data’s use is wrong and comes at a high cost. Companies like Twitter are getting penalized for forcing users to accept personalized ads without full consent or understanding. Twitter asked users for personal information (phone numbers and email addresses) and said they were using it for account security purposes — but then gave advertisers access to that data for ad targeting. This deception cost Twitter $150 million in penalty fees.

To prevent such hefty fines, implement best practices for data collection permissions. If your site uses cookies, give consumers a banner to accept or decline cookie tracking. Dedicate space on your site to educate users on your data usage policies so they can make an informed decision on sharing data. These permission layers help ensure you don’t take any data until an individual explicitly says “yes.”

2. If someone wants something of theirs that you have, give it back

Even if you’re in the middle of using something, if it doesn’t belong to you and the owner asks for it back, you give it back. Data works the same way.

Your organization doesn’t really own anyone’s data — you’re just borrowing it with their permission. If someone wants their data removed or changed within your systems, the right thing to do is to remove or change it.

Individuals wanting their data back can start by submitting a data subject access request (DSAR). Through a DSAR, the public can discover what your organization knows about them and how you use that information. DSARs let consumers delete, modify, determine with whom you share their data and more. Upon receiving a DSAR, your organization should respond as quickly as possible by confirming the individual’s identity and the nature of their request. Once you clarify the request, gather all pertinent data and review it to ensure it doesn’t contain anyone else’s information. Finally, when you give the data back, include an explanation of the user’s data privacy rights.

3. Be honest about where you’re keeping someone’s things

The United States currently has no federal law that covers data protection. Some state-level regulations exist, and potential remains for the American Data Privacy Protection Act (ADDPA) to be reworked from its failed 2022 run and passed as the first federal data privacy act.

As the law stands today, however, an organization can share data, including sensitive data, with third parties. Those third parties are not required to notify individuals if they then further sell or share their data. This lack of transparency means consumers do not know everywhere their data is, and the more places their data is, the higher the likelihood that a breach will affect them.

The most forward-thinking organizations will do their best to clearly communicate where consumers’ data lives, unlike TikTok and Meta. Recently, it was uncovered that these big tech companies were providing false or misleading information about how user data is shared. Users were left unaware of all the places their data could have spread, damaging their trust in these companies’ abilities to keep their data safe. For organizations that want to do right by their users, data transparency is critical.

Companies have access to vast amounts of consumer data, but they must treat it fairly and with respect — just like I tell my kids to do when they play with other people’s things. Organizations are responsible for doing right by their consumers, but many still don’t. If you’re following these three kindergarten rules for data privacy, you are already doing better than 99% of corporations in the U.S.


About the Author

Arlo Gilbert is the co-founder and CEO of Osano, the leading data privacy platform for simplifying privacy compliance. Gilbert, an Austin native, is a high-growth leader with more than twenty years of experience in building companies in industries ranging from payment processing and telecommunications to digital health and enterprise software. He has an established track record of conceiving original product ideas, validating demand, building awesome teams, raising capital, and providing excellent returns to investors.


bottom of page