Peter Cullen

As consumers increasingly rely on the Internet for shopping, banking, e-government and other activities, privacy has become both a major public concern and a barrier to the growth of Internet services and online commerce. Widely publicized data breaches, alarming statistics about privacy incidents and fear of identity theft all threaten to erode trust in the Internet. In fact, RSA Security's 2006 Internet Confidence Index found that nearly half of U.S. consumers have "little or no confidence" that organizations are taking sufficient steps to protect their personal data. At the same time, consumers are more frustrated with software and Web sites that do not clearly communicate the potential impact to their privacy, or do not consistently offer them controls over how their personal information is used.

The software industry can help address these issues by establishing a high bar for respecting customer privacy. However, there are currently no industry-wide practices to help standardize the user experience for privacy-oriented software features, or to address privacy issues and concerns in the software development process. To help establish a starting point for these efforts and open an industry dialogue about privacy guidelines for development, Microsoft has released an extensive set of public privacy guidelines for developing software products, Web sites and services. These guidelines draw from the company's experience incorporating privacy into its development processes and address customers' expectations about privacy as well as privacy legislation in effect worldwide. For example, they reflect the core concepts of the Organization for Economic Cooperation and Development's (OECD) Fair Information Practices and legislation such as the European Union Data Protection Directive, the Children's Online Privacy Protection Act of 1998 (COPPA) and the Computer Fraud and Abuse Act.

The Privacy Guidelines for Developing Software Products and Services can be found in the "Related Links" section of www.microsoft.com/privacy.

Privacy concerns are easy to understand in principle, but challenging to address in practice, particularly in the development of software. Similar guidelines have helped Microsoft's developers to better understand and address privacy issues. Our hope is that releasing a public version of the guidelines can promote an ongoing industry dialogue on protecting privacy through consistent development practices.

The public Privacy Guidelines for Developing Software Products and Services are based on the internal privacy practices incorporated in the Microsoft Security Development Lifecycle (SDL), a process that helps ensure that the company's products and services are built from the ground up with security and privacy in mind. The SDL implements a rigorous process of secure design, coding, testing, review and response for all Microsoft products that are deployed in an enterprise, that are routinely used to handle sensitive or personal information, or that regularly communicate via the Internet.

The guidelines cover a wide range of topics, including:

  • Definitions of different types of customer data, including personally identifiable information (PII) such as the user's name and email address, sensitive PII such as credit card or Social Security numbers, and anonymous or pseudonymous data.
  • Guidelines and sample mechanisms for notifying users that their personal data may be collected, and offering them ways to consent (or not) to the collection of this data.
  • Guidelines for making disclosures to the users about how their personal information may be used.
  • Reasonable steps to protect PII from loss, misuse or unauthorized access, including access controls, encryption, physical security, disaster recovery and auditing.
  • Control mechanisms for users to express their privacy preferences, taking into account the needs of system administrators, as well as special guidelines for shared computers.
  • Strategies to prevent data leakage by minimizing the amount of personal information that needs to be collected.

To set the proper foundation, the first half of the guidelines is devoted to general concepts and definitions. The second half lays out specific rules for common scenarios that can affect a customer's privacy, such as transferring PII to and from the customer's system, installing and updating software on the customer's system, storing and processing customer data over the Internet, and transferring customer data to third parties. The guidelines also provide additional requirements for deploying Web sites, for software targeted or attractive to children, and for server products within an enterprise (including measures to help system administrators protect the privacy of their end users).

One example scenario covers the development and policy guidelines for deploying a public Web site. According to the guidelines, the site must provide a link to a company-approved privacy statement on every page, regardless of whether PII is collected on that page. The link should not be smaller than other links on the page, such as legal notices, and it should be in a consistent location, such as the page footer. This rule also applies to pop-up windows that collect PII. For lengthy or complex privacy statements, the site should adopt a "layered notice" format, which includes a single-page summary of the statement that provides links to more detail. Additionally, the privacy statement should be compliant with the Platform for Privacy Preferences (P3P) standards for machine-readable statements, and, if appropriate, certified by an independent organization such as TRUSTe.

The site also should avoid the unnecessary use of persistent cookies when a session cookie, which is retained only for the duration of the browser session, would be adequate. When using persistent cookies that store PII, the site should get explicit opt-in consent from the user and store the PII in an encrypted form.

If a site collects any form of PII from the user, it must adhere to specific guidelines for notice and consent, security and data integrity, and customer access and control. If it stores persistent data on the customer's system, in cookies or any other form, it must adhere to a number of additional guidelines: appropriate user notice and consent for storing PII; encryption where relevant, along with other methods that help secure data in storage, such as file permissions; and a consistent means for users to view and delete their PII, or to prevent it from being stored at all.
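The cookie rules above (session cookie unless a persistent one is needed, opt-in consent before a persistent cookie holds PII, and a way for users to view and delete what is stored) can be expressed in a few lines of server code. The following Python is an added illustration and is not code from the article, from the Microsoft guidelines or from any Microsoft product. Rather than encrypting PII inside the cookie, it applies the guidelines' minimization rule directly: the cookie carries only an opaque random token, and the PII stays server-side, so a copied cookie or a read of the browser's cookie file reveals nothing personal. The class and function names, the in-memory store and the sample user record are this example's own assumptions.

```python
import secrets


class PrivacyAwareCookieIssuer:
    """Issue Set-Cookie headers that keep PII out of the cookie.

    Hypothetical example (not Microsoft's code). The cookie value is an opaque
    random token; the PII lives in a server-side store (a plain dict here,
    standing in for a database that would itself be encrypted at rest and
    access-controlled).
    """

    # Attributes every cookie gets: never sent over plain HTTP, not readable
    # by page script, not attached to cross-site requests.
    BASE_ATTRS = ("Path=/", "Secure", "HttpOnly", "SameSite=Lax")

    def __init__(self, store=None):
        self._store = {} if store is None else store

    def issue(self, name, pii, persistent_consent=False,
              max_age=30 * 24 * 3600, token=None):
        """Return a Set-Cookie header value for a newly stored PII record.

        A persistent cookie (Max-Age) is emitted only when the user gave
        explicit opt-in consent; otherwise the header has no expiry and the
        browser discards the cookie when the session ends. `token` is
        injectable only so callers and tests can get deterministic output.
        """
        token = token or secrets.token_urlsafe(32)
        self._store[token] = dict(pii)          # PII stays on the server
        attrs = [f"{name}={token}", *self.BASE_ATTRS]
        if persistent_consent:
            attrs.append(f"Max-Age={int(max_age)}")
        return "; ".join(attrs)

    def view(self, token):
        """Let the user see the PII tied to their cookie; None if unknown."""
        rec = self._store.get(token)
        return dict(rec) if rec is not None else None

    def delete(self, name, token):
        """Erase the PII server-side and tell the browser to drop the cookie."""
        self._store.pop(token, None)
        return f"{name}=; " + "; ".join(self.BASE_ATTRS) + "; Max-Age=0"


def is_persistent(set_cookie):
    """True if a Set-Cookie value carries an expiry (Max-Age or Expires)."""
    attrs = {a.split("=", 1)[0].strip().lower()
             for a in set_cookie.split(";")[1:]}
    return "max-age" in attrs or "expires" in attrs


if __name__ == "__main__":
    # Constructed sample record, not real data.
    issuer = PrivacyAwareCookieIssuer()
    ada = {"name": "Ada Lovelace", "email": "ada@example.org"}
    print(issuer.issue("sid", ada, persistent_consent=False))
    print(issuer.issue("sid", ada, persistent_consent=True))
```

Whether `persistent_consent` is true must come from an explicit user action (a "remember me" control the guidelines describe as opt-in), never from a default. If a product genuinely has to place PII in a client-side cookie, the guidelines' encryption requirement still applies on top of this, with the key held server-side.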

Finally, if the site is directed at children, it should adhere to even stricter guidelines across the board, to empower parents to supervise and control their children's browsing experience as well as comply with legislation such as COPPA.

For several years, a number of product groups at Microsoft have been following similar privacy guidelines as part of the SDL. For example, development of the recently released Microsoft Phishing Filter included a number of key design decisions to help reduce the impact on our customers' privacy, including not storing IP addresses with the other data collected by the Phishing Filter (Web site addresses to be checked) to avoid potential correlation. Other decisions included having the Phishing Filter only send the domain and path of the Web sites to Microsoft (removing search terms) and sending the Web site addresses to Microsoft via SSL. We invited Jefferson Wells, an independent third-party auditor, to run two separate audits on the technology, which validated and confirmed our claims regarding how we handle customer data with the service.
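The three Phishing Filter decisions just described (send only scheme, host and path; strip search terms, which live in the query string; never store the client IP alongside the submitted address) are concrete enough to show in code. The Python below is an added example written for this page; it is not Microsoft's Phishing Filter code, whose internals the article does not show. The function names, the server-side record format and the sample URLs are this example's own assumptions, and it goes slightly beyond the text by also dropping embedded credentials and the fragment, and by having the server refuse to store anything the client failed to minimize.

```python
from urllib.parse import urlsplit, urlunsplit


def minimize_url(url):
    """Reduce a URL to scheme, host (plus any explicit port) and path before
    it leaves the client.

    Dropped on purpose: userinfo (credentials occasionally embedded in
    links), the query string (where search engines carry the user's search
    terms) and the fragment. Returns None for anything that is not an
    http(s) URL, so mailto:, file:, javascript: and similar links are never
    reported at all. Hypothetical helper, not Microsoft's code.
    """
    try:
        parts = urlsplit(url)
        port = parts.port           # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname           # lower-cased, userinfo and port removed
    if port is not None:
        host = f"{host}:{port}"     # port is site identity, not user data
    path = parts.path or "/"
    return urlunsplit((parts.scheme, host, path, "", ""))


def prepare_report(urls):
    """Client-side batch: minimize every URL and drop those we must not send."""
    report = []
    for u in urls:
        m = minimize_url(u)
        if m is not None:
            report.append(m)
    return report


def record_lookup(url, client_ip):
    """Server-side stand-in for persisting one lookup.

    The client IP is necessarily available to the server (it has to answer
    the request) but is deliberately left out of the stored record, so the
    retained data cannot later be joined back to a person. As defence in
    depth the server also refuses to store a URL that a buggy client did not
    minimize, rather than silently keeping a query string.
    """
    if minimize_url(url) != url:
        raise ValueError("refusing to store a URL carrying query, fragment or userinfo")
    del client_ip                   # used for transport only, never written
    return {"url": url}


if __name__ == "__main__":
    # Constructed sample input, not real traffic.
    sample = [
        "https://www.example.com/search?q=my+medical+condition#results",
        "HTTP://user:hunter2@Example.COM:8443/login.html?next=/account",
        "mailto:someone@example.com",
    ]
    for line in prepare_report(sample):
        print(line)
```

The path is still transmitted, as the article says it is; a site that encodes personal data in its paths (for example, a username as a path segment) remains visible to the service, which is the trade-off the guidelines' notice-and-consent step is there to disclose. Transport security (the SSL mentioned above) is a separate layer and is not shown here.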

Similarly, when customers run the current version of Windows Media Player for the first time, their privacy experience directly reflects our internal privacy guidelines. The user is presented with a link to the privacy statement as well as a number of privacy-related options that govern how their data is collected and used, including whether data about their music library is sent to Microsoft in order to display additional information (such as album art), whether licenses for protected content are acquired automatically, or whether the player remembers the user's viewing and listening history. The user also is asked whether he or she wishes to send data about player usage and errors to Microsoft as part of the company's Customer Experience Improvement Program.

With the release of the public Privacy Guidelines for Developing Software Products and Services, Microsoft hopes to promote a broader industry discussion about development guidelines to help protect individual privacy and ensure appropriate data governance. The benefits of such guidelines are clear; not only do consistent user experiences and development practices help protect against misuse of data and other privacy violations, they also promote trust among customers and organizations. Additionally, a reputation for responsible privacy protection has become a market differentiator for companies, attracting and retaining customers based on clear standards and reliable experiences.

No single company has all the answers when it comes to privacy. Addressing these issues requires broad collaboration among software developers, governments and industry organizations. In releasing these guidelines, our hope is that we can further the discussion on how consistent software development practices can make a difference in protecting privacy and preserving public trust in computing.

As Microsoft's Chief Privacy Strategist, Peter Cullen, CIPP, is directly responsible for managing the development and implementation of programs that enhance the privacy of Microsoft products, services, processes and systems, both internally and worldwide. With more than a decade of privacy and data protection policy expertise, he serves as a leading advocate for strong and innovative personal information privacy and data safeguards, meeting regularly with global industry and public policy leaders and frequently speaking at international conferences. Cullen is a member of the IAPP Board of Directors.
