Privacy by Design Is Good Business…and the Law

Recent privacy laws and standards promote, and in some cases require, privacy by design. Simply put, companies are to incorporate privacy principles in and throughout all its products and services. In Europe, Article 25 of the GDPR requires companies to implement "appropriate technical and organisational measures . . . which are designed to implement data-protection principles." Similarly, the FTC's 2012 Report on Consumer Privacy calls for companies to implement "privacy by design" at every stage of the development of their products and services. California's law on Security of Connected Devices—which, along with the CCPA, becomes effective on January 1, 2020—provides that a manufacturer of any device that connects to the internet must equip it with reasonable security features "designed" to protect against unauthorized access, destruction, or use. The International Organization for Standardization has approved ISO/PC 317 (Consumer Protection: Privacy by Design for Consumer Goods and Services), which specifies design processes for consumer goods and services aimed at preventing data breaches and helping companies comply with data protection regulations. A healthy business model then is one that promotes and integrates consumer privacy principles in all products and services, and, to that end, includes legal in product development and marketing discussions.