Gravy CTO’s Point of View: Privacy in an “Always-On” World

I recently read a great article in MediaPost on the need to better address privacy in the “always on” world. Although its focus was on the privacy implications of devices with voice controls, it compelled me to share some ideas around what our company is doing from a mobile location-based services perspective, to protect the privacy of our clients’ customers and increase data security.

We all know that smart devices and their related features are already gathering useful information about users. Unfortunately, some platforms do so without adequately informing users and without adequately protecting privacy and security. That data could eventually be used in an unintended or malicious way, causing a backlash not only against the company involved, but against every company that gathers data on users.

Yet when collected intelligently and in an above-board way, data can be an incredibly valuable resource for companies, enabling them to better serve their customers. Users are demanding more personalized customer experiences and this data provides the tools needed to give them that. So, the question becomes: How do you offer customers the advanced experiences they want while ensuring their privacy is still respected?

There is a wrong way and a right way to go about this. At Gravy, when we began offering advanced, location-based behavioral analytics to help brands and publishers personalize customer relationships and cultivate loyalty, we recognized the essential need to design for privacy at the very beginning. We adopted the principles of Privacy by Design and engineered them into each of our platform-level requirements. The key platform principles Gravy adheres to include:

  • User Choice – Opt-in is always required. Opt-out is always supported
  • Data that is not vital to our services, or that should generally not be collected at all, is not collected – for example, personally identifiable information (PII)
  • Data stored on the Gravy GOLD platform is completely anonymized
  • Gravy consults with clients in terms of incorporating both industry and client-specific best practices in the use of data gathered throughout our processes

Let’s delve into each of these principles in more detail.

User Choice

Opt-in is always required. The mobile user must choose to allow their location to be used. Opt-out is provided through both our SDK and API features. The SDK provides a method that turns off SDK location acquisition while still allowing the host app to use unrecorded locations for “nearby” features such as searching for nearby restaurants. These features also support Children’s Online Privacy Protection Act (COPPA) compliance, allowing the use of location to be turned off when the app is first started, or at a later time by the user’s parent.

iPhone Mobile Location Opt In

Data that is not vital to our services or should generally not be collected, is not collected

Gravy gathers location data signals based on the local events, activities and places that mobile customers go in their daily lives. This enables customer segmentation, personalization, campaign attribution and competitive visit insights. These use cases don’t require the analysis or collection of visits to privacy-sensitive places such as medical facilities and residences – so Gravy simply doesn’t enable data collection for these types of places.

Additionally, Gravy AdmitOne™ attendance verification technology identifies location data points that, for a number of reasons (e.g. a visit recorded outside the venue’s actual business hours), provide no value for the client’s specific use case, and does not retain them. Data that is never collected or persisted cannot be disclosed, whether by accident or by an attacker.
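The two filtering rules above (drop visits to privacy-sensitive place categories; drop points recorded outside the venue’s business hours) are easy to get wrong if they run after the data has already been written. The following added example, which is not Gravy’s code, applies both rules before anything is persisted. The place catalog, the category labels beyond “medical” and “residence”, the opening hours and the sample points are all constructed for illustration.

```python
"""Added example, not Gravy's code: a pre-persistence filter that drops
location points the text says should never be kept. Place categories,
opening hours and the sample points below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time

# The page names medical facilities and residences as sensitive; the category
# labels and the rest of the taxonomy are assumptions for this example.
SENSITIVE_CATEGORIES = {"medical", "residence"}


@dataclass
class Place:
    place_id: str
    category: str
    # weekday (0 = Monday) -> (opens, closes); a missing weekday means closed
    hours: dict = field(default_factory=dict)


@dataclass(frozen=True)
class LocationPoint:
    device_id: str
    place_id: str
    observed_at: datetime


def within_business_hours(place: Place, at: datetime) -> bool:
    window = place.hours.get(at.weekday())
    if window is None:
        return False
    opens, closes = window
    return opens <= at.time() < closes


def filter_points(points, catalog):
    """Split points into those worth retaining and those dropped, with a reason.
    Dropped points are returned here only so the caller can count them; a real
    pipeline would discard them without writing them anywhere."""
    retained, dropped = [], []
    for p in points:
        place = catalog.get(p.place_id)
        if place is None:
            dropped.append((p, "unknown place"))
        elif place.category in SENSITIVE_CATEGORIES:
            dropped.append((p, "sensitive category"))
        elif not within_business_hours(place, p.observed_at):
            dropped.append((p, "outside business hours"))
        else:
            retained.append(p)
    return retained, dropped


# Constructed catalog: a cafe open daily, a stadium open Saturday afternoons,
# and a clinic that must never produce retained points.
CATALOG = {
    "cafe-3": Place("cafe-3", "restaurant",
                    {d: (time(7, 0), time(22, 0)) for d in range(7)}),
    "stadium-1": Place("stadium-1", "sports_venue",
                       {5: (time(12, 0), time(23, 0))}),
    "clinic-7": Place("clinic-7", "medical",
                      {0: (time(8, 0), time(18, 0))}),
}

# Constructed sample: 2023-06-10 is a Saturday, 2023-06-12 a Monday.
SAMPLE_POINTS = [
    LocationPoint("dev-a", "cafe-3", datetime(2023, 6, 10, 9, 15)),
    LocationPoint("dev-a", "stadium-1", datetime(2023, 6, 10, 14, 0)),
    LocationPoint("dev-b", "stadium-1", datetime(2023, 6, 10, 3, 30)),
    LocationPoint("dev-b", "clinic-7", datetime(2023, 6, 12, 10, 0)),
    LocationPoint("dev-c", "unknown-9", datetime(2023, 6, 12, 10, 0)),
]


def run_sample():
    return filter_points(SAMPLE_POINTS, CATALOG)


if __name__ == "__main__":
    kept, gone = run_sample()
    print(f"retained {len(kept)}, dropped {len(gone)}")
    for p, why in gone:
        print(f"  dropped {p.device_id}@{p.place_id}: {why}")
```

The order of the checks matters: the category test runs before the hours test, so a clinic visit is dropped for being sensitive even when it falls inside opening hours, and the reason recorded never reveals when the visit happened.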

Privacy By Design Filter

Data stored on the Gravy GOLD platform is completely anonymized

Gravy does not store any PII on its GOLD platform. Once stored in the platform, data collected from a device is identified only by a Gravy unique ID. If a client does wish to store an identifier on Gravy’s platform for their own ease of use, it must be non-PII and hashed with a strong hash algorithm. One caveat worth stating plainly: the identifiers clients have to hand (email addresses, phone numbers, account numbers) are low-entropy, so a plain hash of one can be reversed by hashing candidate values and comparing. A keyed hash (HMAC) under a secret the client keeps, or a random token mapped to the account only on the client’s side, is the stronger choice.

App User Information

Gravy consults with clients in terms of industry and client-specific best practices in the use of data

Support guest users as well as logged in users

Many uses of data generated by the Gravy GOLD platform apply to clients’ guest users just as well as to their logged-in users. These use cases include both personalization and attribution. Therefore, app developers are encouraged to support guest use for those users who don’t wish to sign up or sign in. When users don’t sign in, there is less opportunity to attach or disclose personally identifiable information. This leads to the follow-on best practice below.

Non-identification and de-identification

Most, if not all, of the Gravy GOLD platform use cases can be supported without matching Gravy data with PII user data. If such a use case does occur, the best practice is to match the data in memory and not persist it, thereby immediately de-identifying the user data. For example, if a client wants to personalize email content based on a user’s Gravy segment, we suggest the following: (a) match the user’s segment/personalization data with a non-PII identifier, (b) generate the email using the personalization data provided by the Gravy platform and (c) address the email using the recipient data from the client’s own account store and send it. Do not persist the segment data with the user account data, which contains email and name.
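The following added example, which is not Gravy’s code, covers two points from the sections above: the hashed-identifier rule from “Data stored on the Gravy GOLD platform is completely anonymized”, and steps (a) to (c) of the in-memory match just described. It first shows why a plain SHA-256 of an email address can be recovered from a candidate list while an HMAC under a client-held key cannot, then renders one personalized email from an account store and a segment store that are joined only in local variables. The pseudonym scheme (HMAC-SHA256 of the normalized email under a client secret), the key handling, the templates, the segment names and the sample accounts are all assumptions constructed for this example.

```python
"""Added example, not Gravy's code. Part 1: plain hash vs keyed pseudonym
for a low-entropy identifier. Part 2: the in-memory match of segment data
with account data while rendering one email, with nothing persisted.
Pseudonym scheme, key, templates and sample accounts are assumptions."""
import hashlib
import hmac
import secrets


def plain_hash(identifier: str) -> str:
    """What 'hashed with a strong hash algorithm' often ends up meaning."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret the client holds (assumption). Without the
    key, an attacker cannot test candidate emails against stored values."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def reverse_by_guessing(target: str, candidates):
    """Dictionary attack with no key: hash each candidate and compare."""
    for c in candidates:
        if hmac.compare_digest(plain_hash(c), target):
            return c
    return None


# Constructed client account store: the only place PII lives.
ACCOUNTS = {
    "u-1001": {"name": "Dana", "email": "dana@example.com"},
    "u-1002": {"name": "Lee", "email": "lee@example.com"},
}

# Constructed segment data as the analytics side would hand it back, keyed
# by pseudonym only; no email or name is present here.
def build_segment_store(key: bytes) -> dict:
    return {
        keyed_pseudonym("dana@example.com", key): "performing_arts",
        keyed_pseudonym("lee@example.com", key): "fast_food",
    }


TEMPLATES = {
    "performing_arts": "Hi {name}, tickets for this weekend's shows are on sale.",
    "fast_food": "Hi {name}, grab a quick bite with this week's coupon.",
    "general": "Hi {name}, here is what's new this week.",
}


def render_personalized_email(user_id, accounts, segment_store, key):
    """Steps (a)-(c): derive the pseudonym, look up the segment, render and
    address the email. Only the outgoing message leaves this function; the
    (account, segment) pairing exists just in local variables."""
    account = accounts[user_id]
    pseudonym = keyed_pseudonym(account["email"], key)      # (a) non-PII match key
    segment = segment_store.get(pseudonym, "general")       # (a) look up segment
    body = TEMPLATES[segment].format(name=account["name"])  # (b) generate content
    return {"to": account["email"], "body": body}           # (c) address and send


def demo():
    key = secrets.token_bytes(32)  # would live in the client's secret store
    store = build_segment_store(key)
    email = render_personalized_email("u-1001", ACCOUNTS, store, key)
    # An attacker holding a list of candidate emails recovers the plain hash...
    candidates = ["bob@example.com", "dana@example.com", "lee@example.com"]
    plain_recovered = reverse_by_guessing(plain_hash("dana@example.com"), candidates)
    # ...but the same list yields nothing against the keyed pseudonym.
    keyed_recovered = reverse_by_guessing(keyed_pseudonym("dana@example.com", key), candidates)
    return email, plain_recovered, keyed_recovered


if __name__ == "__main__":
    email, plain_recovered, keyed_recovered = demo()
    print(email["to"], "->", email["body"])
    print("plain hash reversed to:", plain_recovered)
    print("keyed pseudonym reversed to:", keyed_recovered)
```

The key is the whole point of the scheme: if it is shared with the analytics side, the pseudonym is again only as strong as the guessability of the email address, so it belongs in the client’s secret store, not alongside the segment data.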

Use aggregate data for analysis

Many of the use cases the Gravy GOLD platform supports require only aggregate data. For example, a client trying to better understand the behavior and interests of its customers is better served by aggregate data than by detail data when asking what percentage of its customers prefer fast food versus full-service restaurants, or what percentage prefer performing arts versus sports events versus participatory sports. Aggregate data removes the need to expose individual records and can be used to non-identify and de-identify user data, so it is always a best practice. The one check to keep in place is a minimum group size: a percentage computed over a handful of people still describes those people, so small groups should be pooled or withheld before an aggregate is released.
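As an added example that is not Gravy’s code, here is the restaurant-preference aggregate from the paragraph above computed with a minimum group size, so that a category chosen by only a few people is never published as its own cell. The threshold of 20 and the sample population are constructed assumptions.

```python
"""Added example, not Gravy's code: release a preference breakdown only in
cells large enough not to describe a few identifiable people. Threshold and
sample data are constructed assumptions."""
from collections import Counter

MIN_GROUP_SIZE = 20  # assumption: smallest group that may be released on its own


def preference_shares(preferred_by_user: dict, min_group: int = MIN_GROUP_SIZE):
    """preferred_by_user maps a pseudonymous id to one preferred category.
    Returns {category: percentage} rounded to one decimal, or None when the
    whole population is too small to release anything."""
    counts = Counter(preferred_by_user.values())
    released = {}
    other = 0
    # Categories below the threshold are pooled into 'other'.
    for category, n in counts.items():
        if n >= min_group:
            released[category] = n
        else:
            other += n
    # If the pooled remainder is still too small, leave it out entirely
    # rather than publishing a cell that describes a few people.
    if other >= min_group:
        released["other"] = other
    total = sum(released.values())
    if total < min_group:
        return None
    return {c: round(100.0 * n / total, 1) for c, n in sorted(released.items())}


def make_sample():
    """Constructed population: 60 fast food, 35 full service, 5 fine dining."""
    users = {}
    for i in range(60):
        users[f"p{i}"] = "fast_food"
    for i in range(60, 95):
        users[f"p{i}"] = "full_service"
    for i in range(95, 100):
        users[f"p{i}"] = "fine_dining"
    return users


if __name__ == "__main__":
    print(preference_shares(make_sample()))
```

Note that the released percentages are recomputed over the released population only; publishing the full total alongside suppressed cells would let a reader back out the withheld count.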

By following these principles for our own platform, Gravy provides a solid foundation for privacy. We pride ourselves on continually learning and sharing best practices with our clients to support an unparalleled, personalized experience for their users without compromising their privacy.