
Devs, are you ready to put privacy nutrition labels on your code?


Happy new year to all of us whose eyes have crossed trying to read our cumulative (and ever-growing) ~1 million-word privacy policies! And a happy second annual Privacy Week, too — that time of year when the National Cybersecurity Alliance reminds us that your data is valuable, that swaths of online mouth-breathers are happy to pay top dollar for it, and that those data-spongers don’t always have our best interests in mind. … But that it’s in our power to take control of our data.

You may well wonder, Will 2023 be the year in which the U.S. realizes that privacy isn’t just for Europeans anymore? Will the country finally get around to adopting federal privacy legislation a la Europe’s General Data Protection Regulation (GDPR, which, interestingly enough, is pronounced “Gidper,” according to those in the privacy biz)? Our guess is “highly unlikely,” but hey, you go for it, California, Colorado, Connecticut, Utah and Virginia. 

Granted, it’s complicated. Data privacy is a funky little chameleon. Just ask Contrast Security’s privacy doyenne, Sharron Reed Gavin, vice president of operational risk and data privacy officer, who really wants to write a blog entitled “What the hell is PII?” 

So what the hell is PII?

“The problem is that [personally identifiable information, or PII] is like an onion,” Reed Gavin lamented. “Technically, can be PII, but if we reference it for legitimate business purposes, that’s a valid need. Also, we could use in a private Slack channel that’s dedicated to your company, but not in a ‘public’ (within Contrast) channel.

“There’s really no definitive global guide, because criteria can vary depending on the regulation or legislation.” 

The key word is reasonable, she stressed. Companies have to “make reasonable efforts” to demonstrate a “reasonable” approach to privacy education and application of privacy principles.

What’s “reasonable?” Were we to look past the current or stalled privacy legislation and past the gazillion words’ worth of privacy policies that affect us all, and instead scrutinize the actual software applications that handle our data, maybe we could answer the question with a single word: transparency. 

Transparency about how your data is going to be handled, stored, secured and utilized: That’s reasonable. 

Privacy nutrition labels

Which brings us to this week’s Code Patrol guest — Geoff Lane, who’s actually working on this precise issue. He’s trying to get developers to adopt “nutrition labels” for their software, as in, labels that would inform consumers how companies treat their data at rest, in transit and in use. As it is, data handling is opaque. Consumers don’t have a clue what companies do with their data, and just about nobody in the U.S. reads privacy policies.

Lane is the head of U.S. Policy at the Developers Alliance, the world’s leading advocate for software developers and the companies invested in their success. The alliance advocates in matters related to digital markets; antitrust; competition; and regulation around content data, privacy, and new technology and software. 

An example: The Developers Alliance recently submitted comments to the Federal Trade Commission (FTC) in which Lane suggested that “harmful” consumer surveillance isn’t coming from developers. Rather, it’s coming from regulatory and law enforcement agencies trying to strongarm private actors into violating consumer privacy rights and thereby skewering the trust with consumers that developers have worked so hard to build. 

Let’s hear it for easy-to-digest privacy nutrition labels

Part of the problem is the privacy policies that have long been “almost unreadable,” Lane said. “You need a lawyer to dissect them.”

But there’s a growing trend for organizations to be more transparent about data handling. More and more, the alliance is seeing — especially among its small and medium-sized members — adoption of privacy nutrition labels that are easy to digest and that enable consumers to better understand how their data is being used, Lane said. 

“The good actors out there, they're working to be transparent, to let folks know how their data is being used, how it's being stored and how it's being transmitted,” he said. 

Will these labels ensure that bad actors never abuse our data? No, Lane said. But the alliance is encouraging policy makers to “ensure they're not issuing blanket fines and regulations that hurt everyone.”

Privacy is a ‘human right’

We’d be remiss not to point out that, for the second year in a row, Contrast is proud to be a Data Privacy Week Champion. We've also participated in Data Privacy Day — observed for the first time as European Data Protection Day in 2007 — since 2017. The company recognizes and supports the principle that all organizations share the responsibility of being conscientious stewards of personal information and vigorously promotes transparency around how data is used. 

Reed Gavin wouldn’t have it any other way. “It is incredibly important for us to recognize Data Privacy Week and support the National Cybersecurity Alliance’s initiative because many consumers are unaware of the sheer volume of data that is generated about them online and how vulnerable they could be,” she said.

This isn’t just about regulations, she added. It’s about fundamental rights. 

“I believe it is a human right to know what and how each individual’s data is being used and stored,” Reed Gavin said. “The time is now to work to ensure industry-wide transparency, and Contrast will continue to help advocate for proper safeguarding of data.”

Hallelujah and pass the privacy labels. 

Have a listen to the podcast to learn more about what the Developers Alliance is up to, how transparency is essential to both consumer trust and keeping governments from flooding the industry with regulation, and why we think developers should join the alliance and get onboard with the privacy label initiative. 

Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.