
Privacy and Ethical Design

In German law, the right to informational self-determination is the right of the individual to determine the disclosure and use of their personal data.

Modern technology makes it difficult for individuals to know when and under what circumstances personal information is being collected. Subsequent use in particular is difficult to control. It is all the more important that special attention is paid to this during application design and development.

Website Operators, Bloggers & Co.

In the editorial preparation of topics, links to other sites are often included.

These links are usually not displayed in full, but for example like this: Finom Bank. This example is an affiliate link that is tracked on the landing page and lets subsequent actions on that site be attributed to the blog owner's account.

Alternatively, links can also be displayed like this: https://app.finom.co. A simple click on the link opens the target page, but the browser also automatically sends information about which page you just came from (the Referer header). Whether and how this information is used is the responsibility of the operator of the landing page.

The most inconvenient solution for the user is to provide the link as plain text (https://app.finom.co) for the user to copy to the clipboard and paste into a new browser window. No meta information about the origin of the link is passed on to the provider of the target page.

In order to give the user a choice, all alternatives can be offered explicitly:

Finom

Security Tip

The description and the link do not have to match.

https://very.secure.xyz

The user believes that the link leads to https://very.secure.xyz. In truth, however, it leads to http://something-totally-different.abc.
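The two link problems described above (a visible URL that does not match the real target, and an outbound link that hands the referring page to the target site) can be checked mechanically before a post is published. The following audit script is an added example and not code from this blog; the HTML fragment is constructed for the demonstration, and the host name `blog.example` is an assumption standing in for the site being audited. It flags anchors whose text looks like a URL but points at a different scheme or host, and anchors to third-party hosts that carry neither `rel="noreferrer"` nor `referrerpolicy="no-referrer"`.

```python
"""Audit outbound links in an HTML fragment for two privacy issues:
(1) anchor text that looks like a URL but whose href targets a different host,
(2) third-party links that will leak the referring page (no rel="noreferrer"
    and no referrerpolicy="no-referrer").
Added example, not the blog's own code; SAMPLE_HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one spoofed link, one affiliate link, two safe variants, one internal link.
SAMPLE_HTML = """
<p>Open <a href="http://something-totally-different.abc">https://very.secure.xyz</a></p>
<p>Or <a href="https://app.finom.co" rel="noreferrer">https://app.finom.co</a></p>
<p>Or <a href="https://app.finom.co?ref=blog123">Finom Bank</a></p>
<p>Or <a href="https://app.finom.co" referrerpolicy="no-referrer">Finom</a></p>
<p>Internal: <a href="/about">About</a></p>
"""

OWN_HOST = "blog.example"  # hypothetical host of the page being audited


class LinkCollector(HTMLParser):
    """Collect every <a> with its href, rel, referrerpolicy and visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {
                "href": a.get("href") or "",
                "rel": (a.get("rel") or "").lower(),
                "referrerpolicy": (a.get("referrerpolicy") or "").lower(),
                "text": "",
            }

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def looks_like_url(text):
    return text.startswith(("http://", "https://"))


def audit_links(html, own_host=OWN_HOST):
    """Return a list of (visible text, href, [issues]) for problematic links."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        target = urlparse(link["href"])
        if not target.netloc or target.netloc == own_host:
            continue  # internal link: nothing is disclosed to a third party
        issues = []
        if looks_like_url(link["text"]):
            shown = urlparse(link["text"])
            # The reader trusts what they see; scheme and host must match the real target.
            if shown.scheme != target.scheme or shown.netloc != target.netloc:
                issues.append("text/target mismatch")
        no_referrer = ("noreferrer" in link["rel"].split()
                       or link["referrerpolicy"] == "no-referrer")
        if not no_referrer:
            issues.append("leaks referrer")
        if issues:
            findings.append((link["text"], link["href"], issues))
    return findings


if __name__ == "__main__":
    for text, href, issues in audit_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}: {', '.join(issues)}")
```

Run against the sample, the spoofed link is reported for both problems and the affiliate link for leaking the referrer; the two links that declare no-referrer behaviour and the internal link pass. Adding `rel="noreferrer"` (or a page-wide `Referrer-Policy` header) is the fix that gives the reader the clickable link without the origin disclosure.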

Cookies

There are technically necessary cookies, for example to stay logged in. The current legal situation requires the user to be informed and asked for permission before they are used. "Cookie" technology is also used to analyze user behavior. Often the cookie consent requests are designed in such a way that it is super easy to accept all cookies and data usages, while restricting them to what is technically necessary is cumbersome and visually hard to find. This is not a technical problem, but an active decision by the provider, for whom the user's data is more important than the user's right to self-determination.
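The honest counterpart to the "accept all" dark pattern is a server that refuses to set anything beyond the technically necessary cookies until a recorded consent says otherwise. The snippet below is an added example, not code from this page; the cookie names, their category registry and the shape of the consent record are assumptions. Every cookie the application may set must be listed with a category, a missing consent entry counts as "no", and necessary cookies are the only ones set unconditionally.

```python
"""Consent-gated Set-Cookie generation.  Added example, not from the page.
Assumptions: cookies are registered with a category; `consent` maps a category
to the user's explicit yes/no; an absent category means no (deny by default)."""
from http.cookies import SimpleCookie

# Constructed registry: every cookie the app may set and why it exists.
COOKIE_CATEGORIES = {
    "session": "necessary",        # keeps the user logged in
    "csrf": "necessary",           # request forgery protection
    "_analytics_id": "analytics",  # behaviour analysis, needs consent
    "_ad_profile": "marketing",    # advertising profile, needs consent
}


def cookies_to_set(values, consent):
    """values: cookie name -> value the application wants to set.
    consent: category -> bool, exactly as recorded from the user's choice.
    Returns Set-Cookie header values for the cookies the user allowed."""
    headers = []
    for name, value in values.items():
        category = COOKIE_CATEGORIES.get(name)
        if category is None:
            # An undocumented cookie is a bug, not something to set quietly.
            raise ValueError(f"cookie {name!r} has no declared category")
        if category != "necessary" and not consent.get(category, False):
            continue  # no recorded yes for this category: do not set it
        cookie = SimpleCookie()
        cookie[name] = value
        cookie[name]["path"] = "/"
        cookie[name]["secure"] = True
        cookie[name]["samesite"] = "Lax"
        # Necessary cookies never need script access; keep them out of reach of JS.
        cookie[name]["httponly"] = category == "necessary"
        headers.append(cookie.output(header="").strip())
    return headers


if __name__ == "__main__":
    wanted = {"session": "s1", "_analytics_id": "u1", "_ad_profile": "p9"}
    print(cookies_to_set(wanted, {}))                    # only the session cookie
    print(cookies_to_set(wanted, {"analytics": True}))   # session + analytics
```

The point of the registry is that the decision "is this cookie allowed?" is made from documented facts, not from whatever the banner's default happened to be; a user who closes the banner without choosing gets exactly the necessary set.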

Advertising & Cookies

Advertising banners are served by ad providers and always involve a high level of tracking. Why? To be able to pay the website owner for the advertising space. Where is the problem? These ads are integrated into several independent websites, allowing the ad provider to build an accurate profile and customize the ad accordingly. You have no insight into what data is stored and what it is used for.

If your site is ad-supported, you should actively inform users which advertising partner uses which tracking and provide easily accessible information on how to request data access or deletion.

Application Developer

Every application processes data and often has personalization or access protection via personal user profiles. In addition to the explicitly requested data such as e-mail, name and telephone number, there is also a lot of meta information. Meta information may include browser fingerprints collected to increase user account security. Another common case is logging login times for access checking.

Data collected for the purpose of security makes a lot of sense for both users and operators. However, a problem arises when this data is used for other purposes, e.g. grouping for marketing purposes.

Example:

  • All users who log in at night between 1 a.m. and 4 a.m. should be shown targeted advertising or sent it by e-mail.
  • Sale of the information about which browser types are active and when.

This data can then be correlated with other data and supplement the user profile.

For each piece of information collected and stored, one should document exactly what it was originally collected for. Before using it for other purposes, the user must be informed and agree to this.

Company

As a company, you can collect data in the best interest of the user and use it responsibly. But the question also arises as to what will happen if the company one day changes hands. This change can come about through sale or inheritance. How do you ensure that the data is handled just as responsibly? Data protection can be contractually agreed and also technologically enforced. While contractual protection offers a certain level of liability, a technical solution offers additional security in the event of cyber attacks, security gaps, or insiders with administrator access to the data.
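The rule from the Application Developer section (document what each piece of data was collected for, and obtain the user's agreement before using it for anything else) is exactly the kind of protection that the paragraph above says can be technologically enforced rather than merely promised in a contract. The code below is an added example, not code from this page or from any named project; the field names, purposes and user records are constructed. Each field carries the purposes documented at collection time, every read must state its purpose, reads for undocumented purposes are refused and logged, and the night-time login query from the list above only yields users who have explicitly consented to the marketing purpose.

```python
"""Purpose-bound access to stored personal data.  Added example, not code
from the page.  Assumptions: FIELD_PURPOSES is the collection-time record of
what each field is for; a read must name its purpose; any other purpose needs
an explicit, per-user grant."""
from dataclasses import dataclass, field


class PurposeViolation(Exception):
    """Raised when data is requested for a purpose it was not collected for."""


# Constructed registry: documented purpose of every stored field.
FIELD_PURPOSES = {
    "email": {"account", "security"},
    "login_times": {"security"},   # hours of login, kept for access checks only
    "browser_fp": {"security"},    # fingerprint kept for account protection
}


@dataclass
class UserRecord:
    user_id: str
    data: dict
    # field name -> purposes the user later agreed to in addition to FIELD_PURPOSES
    extra_consent: dict = field(default_factory=dict)


class PersonalDataStore:
    def __init__(self):
        self._records = {}
        self.audit_log = []  # (user_id, field, purpose, allowed)

    def put(self, record):
        unknown = set(record.data) - set(FIELD_PURPOSES)
        if unknown:
            # Storing a field with no documented purpose is refused outright.
            raise ValueError(f"no documented purpose for fields {sorted(unknown)}")
        self._records[record.user_id] = record

    def grant(self, user_id, field_name, purpose):
        """Record the user's explicit agreement to an additional purpose."""
        rec = self._records[user_id]
        rec.extra_consent.setdefault(field_name, set()).add(purpose)

    def read(self, user_id, field_name, purpose):
        """Return the field only if `purpose` is documented or granted; log every attempt."""
        rec = self._records[user_id]
        allowed_purposes = FIELD_PURPOSES[field_name] | rec.extra_consent.get(field_name, set())
        allowed = purpose in allowed_purposes
        self.audit_log.append((user_id, field_name, purpose, allowed))
        if not allowed:
            raise PurposeViolation(f"{field_name!r} was not collected for {purpose!r}")
        return rec.data[field_name]


def night_owls_for_marketing(store, user_ids):
    """The marketing query from the list above: users who log in between 01:00 and 04:00.
    Only users who granted the 'marketing' purpose for login_times can appear."""
    result = []
    for uid in user_ids:
        try:
            hours = store.read(uid, "login_times", "marketing")
        except PurposeViolation:
            continue  # refused reads still show up in the audit log
        if any(1 <= h < 4 for h in hours):
            result.append(uid)
    return result


if __name__ == "__main__":
    store = PersonalDataStore()
    store.put(UserRecord("u1", {"email": "a@example.test", "login_times": [2, 14]}))
    store.put(UserRecord("u2", {"email": "b@example.test", "login_times": [3]}))
    print(night_owls_for_marketing(store, ["u1", "u2"]))  # nobody consented yet
    store.grant("u2", "login_times", "marketing")
    print(night_owls_for_marketing(store, ["u1", "u2"]))  # only u2
    print(store.audit_log)
```

Because the check lives in the data layer rather than in the marketing code, a new owner of the company (or a new team) inherits the purpose limits together with the data; the audit log additionally shows every attempt to read data outside its documented purpose, which is the evidence a data-protection review would ask for.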