
Who owns the personal data you collect from users?

Data ownership can be a hazy concept for some online businesses. For example, users will always own their names and addresses, but who owns the data about their activity on the websites they use — is it the owner of the website, or the users who comprise the data?

If your app or website collects personal data from users too, it might not always be clear who owns this data — and thus, who is responsible for protecting it. But before we can begin to answer this question, let’s get clear on what “ownership” really means.

What is data ownership?

According to Techopedia, data ownership is defined as:

“the act of having legal rights and complete control over a single piece or set of data elements.”

These legal rights include creating, editing, modifying, sharing and controlling access to the data, as well as the ability to delegate, share or transfer these rights to a third party.

At the time of this article, there is no catch-all legislation around data ownership. However, laws like the GDPR are starting to more clearly define ownership and protect the rights that individuals have over their personal data.

The GDPR begins by defining personal data as:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

In practice, this means information like names, email addresses, phone numbers, location data, and photos — as long as they can identify an individual in some way — all count as personal information.

The laws state that “data subjects” — i.e. your customers — will always maintain ownership over any personal data they share with you. To give data subjects more control over their privacy, the GDPR prescribes the following rights (which your business may need to comply with):

  • The right to be informed. Data subjects must be informed when their personal data is being collected and used by your business.
  • The right of access. Customers can request a copy of the personal data being processed by your business.
  • The right to rectification. If a customer’s data is incomplete or inaccurate, they can ask you to rectify or complete it.
  • The right to erasure. If you no longer need a customer’s data for its original legal purpose; have processed their data unlawfully; or they formally object to or withdraw their consent to processing, you must delete their personal data.
  • The right to restrict processing. In some cases, customers can ask you to restrict or stop processing their personal data.
  • The right to data portability. Your customers should be able to copy or transfer their personal data securely and easily from your business to another organisation.
  • The right to object. Customers can object to you processing their data and its use in direct marketing.
  • Rights in relation to automated decision-making and profiling. If your data processing involves automated decision-making that legally or significantly impacts your customers (such as building up a profile of who your customer is and how they behave, or if you use an AI), you must inform them and get their consent to do so.

Why is data ownership important?

In the past, many organisations have taken advantage of the gray areas surrounding data ownership. As a result, consumers may have put their privacy at risk by blindly consenting to terms of service agreements that increasingly encroach on their rights.

An infamous example is FaceApp — an app where users upload selfies and edit them to change gender or to look older or younger. Following its initial viral success, users discovered that the terms of service they had agreed to granted the company “irrevocable” access to use their personal data in a multitude of ways.

This was particularly concerning to privacy advocates, as the app developers now had access to the biometric data of thousands of people. As a user of the app, you’d still own your photo and personal details, but by agreeing to their terms of service, you agreed to give the app’s parent company a license to use your data for any purpose they wish.

We now live in a post-GDPR world, a world of growing privacy awareness in an age of increasingly sophisticated technology. While the legal intricacies around data ownership can be tricky to navigate, businesses are now more than ever held up to scrutiny on the information they collect and how responsibly they protect it.

Communicating openly with your customers and putting their privacy at the forefront of your app or website isn’t just respectful practice, it’s a proactive start in protecting their data (and your business).
