Evan Schuman: What to include in your mobile privacy policy

If your company doesn't yet have a mobile-specific privacy policy, it's time to get to work

It's well known that mobile devices are compact storehouses of vast amounts of data that they seem eager to broadcast to the world, which makes it all the more baffling that few companies have discussed -- much less implemented -- mobile-specific privacy policies. Putting off such a move ("procrastination" is such a negative word) may have made sense up to now to give us all time to get a handle on what the limits should be, but you really will regret waiting much longer. This new year we have entered may be a good time to craft a mobile privacy policy. If you've decided to do that, here are some things to consider.

You do really need a policy. Your employees expect IT to protect them, and your company's executives expect you to make sure that corporate data is protected from the things that employees do with their mobile devices. But your customers also want to know what you're doing with their data, and various contractors, distributors, suppliers and anyone else in your network need to know what they aren't allowed to do.

It's bad enough that a mobile device brings the same IT threats as any other network-connected device. It has full access to your LAN and can piggyback on whatever permissions you gave its owner. And of course, if it's being accessed by a naughty user, it can try to exceed that access.

But you really need a mobile-specific policy because mobile devices can be careless with all the data they store. They theoretically can track all movements. The microphone and camera can be activated remotely. Apps can access every phone call, email or text sent or received, as well as every site visited and every tweet tweeted. Some can even send messages under your name without your knowledge (No kidding. Even the Starbucks app has demanded the ability to tweet on customers' behalf). And some apps can identify every other app being used, along with a host of tech specs, like OS version, browser, serial number of phone, Wi-Fi particulars, carrier, etc.

Although it's important for any privacy policy to regulate what employees can and cannot do, it may be even more critical to delineate what your company will permit third-party vendors to do with its data under its name. Some of this will involve the public privacy limits your company will set for itself. Marketing craves data about customers. Without a policy that sets limits, your marketing people are likely to issue any number of mobile apps that can grab just about any kind of customer data and report it back to them. You have to decide whether the short-term gains that sort of thing might bring outweigh the long-term hit to the company's reputation that could result from a general outcry against such data harvesting. In the calm of day, you and your top executives need to discuss what kind of company you're running and what limits you want to set for yourselves and your customers. You really do not want this to be decided on a case-by-case basis by various rank-and-file marketers in the middle of some urgent deadline.

You also need to specify what the company can do with mobile devices' tracking capabilities. They might seem like a boon when you need to locate employees, and they're even helpful for building security, such as when needing to make sure every employee is located during an emergency evacuation. They're also an easy way for new employees to find some far-off conference room on a large campus.

But it doesn't take much imagination to see how tracking could get creepy. Are you going to let managers use tracking data in performance reviews? ("Well, Rebecca, I see that you spend more than an hour every day in the lavatory." "Scott, the average length of your lunch hour over the past six months has been 85 minutes.") Will you track employees when they leave your facility but are still on company time? What about when they are not on company time? What if someone phones in sick and you find his company-issued Android at the racetrack or a bar -- or a competitor's headquarters?

In last week's column, I discussed the implications of BYOD policies, where employees use their own mobile devices. I suggested that some form of partitioning will be needed to separate corporate- and employee-owned data, so that you aren't backing up employees' private data or deleting it when the employee leaves the company. Your mobile privacy policy is going to have to address who owns the device: the company or the employee -- or a third party? Do you have the same rights to justify monitoring your corporate data if it resides on a device your employee owns? Or a contractor owns? Or a partner (some other company's employee) owns?

You need to discuss and agree on where your company wants to place those limits. It's light-years easier to discuss this calmly and professionally when there is no immediate specific situation staring you in the face -- with personalities attached. Whatever is agreed to must be ironclad. You don't want emotional situations to trump the calm thinking made at an offsite executive meeting back in January. Clearly, exceptions can always be made, but they should be rare.

Something else to consider: Deciding these things isn't enough; the policy should also dictate how those decisions will be communicated to all of your audiences, especially to customers. In this case you can take a lesson from Nordstrom, which recently conducted a mobile location trial with shoppers. It posted a sign at the entrances to its stores, alerting customers to what was being done. It wanted the sign to be succinct and understandable, but it ended up with a program description that was a little inaccurate and incomplete. That caused confusion and anger among shoppers, who envisioned the program being far more invasive than it was.

This incident highlights another problem that a good mobile privacy policy should address. The chain's mobile vendor for the trial was collecting a lot of customer-specific data. In an attempt to avoid customer backlash, the agreement stated that the vendor would not share that data with Nordstrom. Unintended consequence: It made the backlash much worse. Nordstrom was getting the heat for accessing data that it was never able to access.

The moral of that story: If mobile data is collected, you will get blamed, no matter whether you see the data or not.

Your mobile policy has to address what you will allow vendors to collect about your customers, your employees and your partners. It should spell out how much of that your company should see. It should lay to rest the question of whether third parties will be allowed to collect data that you won't see. It needs to establish how you will inform your customers, employees and partners about this data collection, if at all. (There are legitimate arguments on both sides.) And you need to make your policy precise enough to be useful while not being so detailed that it is incomprehensible to people who aren't that technical.

There are few areas that are more complex, more controversial and more politically dangerous than mobile data collection. You may find that simply having these conversations will change not merely your policies, but your strategy and how you approach it.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.

Copyright © 2014 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon