Let’s bring privacy back

Byron Acohido 28 Jan 2019

It’s time to encourage businesses to adopt the New Privacy Code of Conduct to protect users

When Facebook founder Mark Zuckerberg infamously declared that privacy “is no longer a social norm” in 2010, he was merely parroting a corporate imperative that Google had long since established. That same year, then-Google CEO Eric Schmidt publicly admitted that Google’s privacy policy was to “get right up to the creepy line and not cross it.”

We now know, of course, they weren’t kidding. Facebook’s pivotal role in the Cambridge Analytica scandal and Google getting fined $57 million last week by the French for violating Europe’s privacy rules are just two of myriad examples demonstrating how the American tech titans live by those credos.

But what if companies chose to respect an individual’s right to privacy, especially when he or she goes online? What if consumers could use search engines, patronize social media, peruse news and entertainment sites and use other internet-enabled services without abdicating all of their rights? What if companies stopped treating consumers as wellsprings of behavioral data – data to be voraciously mined and then sold to the highest bidder?

With Jan. 28 earmarked as Data Privacy Day, an annual international privacy awareness campaign, these are reasonable questions to ask. These are ponderings that have been debated by captains of industry, government regulators, and consumer advocates in Europe and North America for the past decade and a half.

Privacy as good business

Cisco’s Chief Privacy Officer, Michelle Dennedy, for instance, has laid out a well-reasoned rationale for companies to begin respecting privacy as part of their business model in a number of interviews I’ve had with her. “Our research shows a correlation between good privacy practices and good business practices,” Dennedy told me in late 2017. “More mature privacy policies and practices are good for business because they lead to trust in the brand and an improvement to the bottom line.”

At long last, we have a finely drawn roadmap for companies to follow. To coincide with Data Privacy Day, the Internet Society has released a new Privacy Code of Conduct and is calling on all companies with an internet presence to adhere to specific best practices. This is coming from an august body. The Internet Society’s founders include tech icons Vint Cerf and Bob Kahn, considered the “Fathers of the Internet,” and it has more than 95,000 members worldwide, including leading computer scientists and engineers and renowned public interest advocates.

“It shouldn’t take legislation to motivate companies to re-examine what they do with personal data,” says Christine Runnegar, Senior Director of Internet Trust at The Internet Society. “Many companies have extraordinary access to individuals’ personal data and access to that kind of information should not be taken for granted. We want companies to handle data responsibly. A Privacy Code of Conduct is a start to rebuilding trust online by putting concrete safeguards in place to protect personal information.”

Privacy Code of Conduct

You can judge the efficacy of The Internet Society’s newly-minted protocols for yourself. Here are excerpts:

  • Adopt the mantle of data stewardship. Companies should act as custodians of users’ personal data – protecting the data, not only as a business necessity, but also on behalf of the individuals themselves.

  • Be accountable. Companies should be transparent about their privacy practices, adhere to their privacy policies and demonstrate that they are doing what they say. They should establish clear safeguards for handling personal data.

  • Stop using user consent to excuse bad practices. Companies should not rely on user consent to justify the legitimacy of their data handling practices . . . Users should not be asked to agree to data sharing practices that are unreasonable or unfair.

  • Provide user-friendly privacy information. Companies should give users ‘in time’ information about how their personal data is being collected, used and shared. The information should be relevant, straightforward, concise and easy to understand.

  • Give users as much control of their privacy as possible. Users should be able to see, simply and clearly, when and how their data is being used. Companies should give users easy-to-use privacy controls and make privacy the default, not an optional extra.

  • Respect the context in which personal data was shared. Companies should confine the use of personal data to the context in which it was collected. They should not allow unauthorized or unwarranted secondary uses of personal data.

  • Protect ‘anonymized’ data as if it were personal data. Companies should apply basic privacy protections to ‘anonymized’ data to mitigate potential harm if the data is later re-identified or used to single out particular individuals.

  • Encourage privacy researchers to highlight privacy weaknesses, risks or violations. Companies should invite independent privacy experts to audit new services and features as they are being developed. As much as possible, the results of those audits should be made publicly available.

  • Set privacy standards above and beyond what the law requires. Companies should set the next generation of privacy standards. For example, they could consider how to extend privacy protections to the personal data of non-users that has been uploaded by users.

Some sweeping changes need to be made for digital services to be as safe and trustworthy as they ought to be. Kudos to the Internet Society for articulating these notions. Let’s hope discussion leads to action.

But what do you think about a privacy code of conduct? Join the conversation with Avast on Facebook and Twitter.

Talk soon.

Byron Acohido is a guest blogger on the Avast Blog where you can catch up on all the latest security news. Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world with award-winning free antivirus and keeping their online activities private with VPN and other privacy products.
