How to Build a Tech Company Focused on Privacy

In this post, we'll explain how we use trust as a guiding principle to create the type of tech company our parents would be proud of.

"We take your privacy seriously" – it's pretty sad that this statement has become effectively meaningless. Nearly every company that exploits user privacy can still legally say this. It's easy to say you take privacy seriously, but what does it mean to live up to this in practice?

Make Trust a Stakeholder

Anyone can make Trust a core value of their company. But there's nothing accountable about core values. In order to build a privacy-focused tech company, trust needs to be more than a word plastered on a wall – it needs to be an actual input into decision-making.

When we talk about Trust as a Stakeholder, we are essentially saying that Trust should have a say in key decisions; Trust should have a voice. You can think of Trust as a person with a controlling interest in your company. However you need to think of it, the idea that trust has a voice will be incredibly useful for the moments where you need to evaluate something seemingly counter-intuitive to the growth of your company.

There will be a number of times where the conventional wisdom in the tech world is to do things a certain way, but if you listen to the Stakeholder of Trust, you'll find yourself questioning if the accepted way is in fact the right way. Let's look at a few examples to see how this framework can play out in practice.

Monetize Users (not User Data)

Data is the new oil. That's what we've been told. The question is if you want to be in the oil business, or if you want to find cleaner alternatives. If you want to build an ad-supported free product, thanks for reading this far and best of luck. But, if you truly want to build a privacy-focused tech company, you're going to have to think about how to monetize your users, not your user data.

Why not monetize both? One theme that I hope will emerge in this post is that while you legally could do a lot of things with user data, that in and of itself doesn't mean that you should. The danger of monetizing user data is that it's a bit of a Pandora's box – once you start monetizing user data, it will be hard to draw the line. Facebook is so big that they now do things illegally with your data as a cost of doing business.

Once you commit to never monetizing user data, you'll be forced to find ethical alternatives. Don't get me wrong, ad-based models are not inherently unethical, but they drive unethical behaviors and tendencies in the contemporary digital landscape – companies simply bury everything deep in an unreadable privacy policy and then exploit user "agreement" to such a policy.

We considered a variety of options for the business model for Slimbox including freemium, "pay what you want", and even donation-based ideas. Ultimately we landed on a subscription model that underpins the value of Slimbox running 24/7 to keep your inbox decluttered and sending a summary email every day.

Competing with free services is difficult, but it raises the bar for the value you need to deliver to users. It also raises the bar for accountability to your customers – the fact that they are paying you keeps you laser-focused on their needs (and not on some third-party data aggregator or advertiser).

It's not easy. Building a product worth paying for, and asking users to pay for it, is an incredible challenge. The Psychology of Pricing alone is enough to make you want to simply offer a free product. Almost nothing about building a privacy-focused tech company is easier than not doing so. But the key is to remember that you do indeed have a choice.

Pew Research Center recently released a study that showed that half of Americans have decided not to use a product or service because of privacy concerns. Building for privacy is harder today, just as it's more difficult to build an electric car than a gas-guzzler, but what kind of company do you want to be in five years' time? Ten years? Let's look at some simple choices you can make that you might not otherwise think to question.

Consider Alternatives to Google Analytics

Yes, Google Analytics is a powerful and free tool. So is Facebook. If you're committed to privacy for your users, "powerful and free" should set off an alarm in your soul. It takes a bit of research, but there are some great alternatives to Google Analytics that put user privacy first.

Fathom Analytics is a service that provides key metrics without going overboard. Fathom offers a great live demo on their site as well. While you give up some of the power of Google Analytics, you also simplify your compliance with GDPR, CCPA, and other privacy regulations because you're simply not collecting more than the key analytics metrics.

We tried Fathom Analytics originally, and while it's probably perfect for an informational site (e.g., a personal blog), we wanted the ability to better understand signups for Slimbox on our site through conversion paths while still keeping user data sufficiently anonymized: Enter Matomo Analytics.

Matomo Analytics emerged from an open-source project into a full-fledged privacy-focused analytics package. We felt an instant alignment with their positioning and believe that they offer fair pricing plans. If you're a larger organization, or you have an ecommerce focus, Matomo Analytics could be the Google Analytics alternative that you've been looking for.

A Note on Invasive Analytics

Wouldn't it be great if you could know exactly how a visitor interacted with your website? Great for whom is the question. Of course having more user data would be great, but at what cost? The most powerful analytics products today are staggering in their level of invasiveness.

Many analytics tools now offer something called "session replay." Fullstory Analytics describes watching a session replay as akin to "watching a video reproduction of what a user did on a web site." Fullstory reminds companies that "a session replay tool should provide for the exclusion of sensitive data from being recorded (e.g. passwords)." [emphasis added] We agree – an analytics product should exclude a user's password being entered. Yikes.

If you find that you really need a deeper level of user insight, consider conducting a legitimate user research test instead where users have actively opted in through a service like UserTesting or DScout.

Could you gather more data on the user without their knowledge? Of course you could. But, where does it end? If analytics services could legally access our webcams and watch our eyes and expressions, I'm sure they would do that too. There's a good chance someone will find a way to bury access to your webcam in a privacy policy one day, so let's look at a radical rethink of the privacy policy next.

Write a Readable Privacy Policy

Radical, right? A privacy policy that is readable. Simplicity is what we strive for at every user touchpoint, so why would our privacy policy be any different? We've all generally accepted that a privacy policy needs to be in strict legalese, but in order to put privacy first, we found ourselves asking if a privacy policy could be re-written from scratch with the reader in mind (and not the lawyer).

We are fortunate to have a lawyer as one of our founders. But even if you don't have a team member that can write the policy from scratch, you can still work with your attorney to augment a standard policy with readable snippets.

After you get your privacy policy drafted by your attorney, ask them to explain each section to you over the phone or via email. Their explanation will be the plain-English, easily understood version of each major clause. Simply intersperse these conversational snippets in the privacy policy and you've effectively provided a simple summary of the legal language.

You can use design to easily make these summary sections pop out to the user while still retaining full legal compliance.

Put Ethics Above Metrics

To rewrite a privacy policy from scratch certainly takes effort and time. Ultimately though, it takes empathy and understanding.

If you want to build a privacy-focused tech company, you need to "think like a user" but you also need to feel like a user – this is the empathy piece. How would you feel as a user if you knew a company was doing _____ ? If you're not used to this method of thinking, just try to remember that "the user is my mom."

Continually ask yourself: "Does _____ compromise user trust in any way?" This simple question can help you evaluate and prioritize high-level strategy to low-level features. When you put ethics above metrics, you'll soon realize that almost every decision can be measured by this single question.

The Landscape is Shifting

Perhaps the biggest challenge to building a privacy-focused tech company is that it requires rejecting the conventional wisdom of the past decade that more user data equals more success.

Much of this conventional wisdom arose during an era of Silicon Valley innovation that stressed hyper-growth over monetization. While this plan can do wonders for investors, it doesn't always work out well for the end user. If you've grown a massive user base, you'll likely find yourself turning to advertising to monetize – and digital advertising is inherently not built with user privacy in mind.

Fortunately, the implosion of many high-profile "we'll figure out a business model later" startups, along with changing user expectations regarding privacy, is shifting the landscape towards privacy as a value-add. This is a remarkable shift, and the most obvious example of a company that is now selling privacy is Apple.

Apple's privacy page is simple and beautiful, but it's much more than marketing speak. Apple is making privacy a core differentiator for their business relative to their competitors (mainly Google). Apple is selling privacy as a feature.

Can you build a product that is worth paying for? In many ways this is the first question you may need to consider if you want to build a privacy-focused tech company. If you can, you may find that there is a market waiting to pay with dollars instead of data. Investors are looking for companies that can grow revenue, not simply grow users. Users are looking for companies that can provide value to them, and not simply extract value from them.

It's not easier to build a privacy-focused tech company. But it is easier to look at yourself in the mirror each morning knowing that when your friend's mom signs up, she will have the experience she expects and deserves.