Last week, Intel’s director of security policy and global privacy officer, David Hoffman, CIPP/US, wrote a Harvard Business Review piece announcing that “Privacy is a Business Opportunity.” InBloom’s demise yesterday in the face of a flurry of privacy allegations unambiguously demonstrates that privacy can also be a first-order business risk. So much so that it can bring a high-flying, much-celebrated, well-funded and strongly backed organization to its knees.
Financed with $100 million in seed money from the Bill and Melinda Gates Foundation along with the Carnegie Corporation of New York, inBloom provided an interoperability solution designed to improve and standardize the connection among widely varied education applications. It intended to allow schools to centrally store student data in an encrypted, cloud-based system that educators could access to collect data from a variety of third-party vendors. In its mission statement, it promised to “solve a common technology issue facing school districts today: the inability of electronic instructional tools used in classrooms to work in coordination with (or ‘talk to’) one another.” It spearheaded an industry that is all the rage, education technology (ed tech), valued at approximately $8 billion with a hockey stick growth curve.
Unfortunately for inBloom, it became a bogeyman for opponents who portrayed it as a cavalier experiment in children’s data. It raised difficult questions about the reliance of the education sector on private companies and deployment of Big Data techniques in an area fraught with concerns about children’s futures. It surfaced weighty policy choices that require sophisticated technology leadership in the K-12 sector. This eventually led states to backpedal from signed transactions, culminating in New York’s noisy departure last week.
InBloom’s critics hailed its demise as “a much-needed lesson for proponents of ‘Big Data’ and ‘personalized learning.’” They argued that inBloom was designed to "facilitate the sharing of children's personal and very sensitive information with data-mining vendors, with no attention paid to the need for parental notification or consent." InBloom’s CEO responded by writing that the initiative “has been the subject of mischaracterizations and a lightning rod for misdirected criticism.”
Regardless of the merits of either of these arguments, the lesson for companies in ed tech and beyond should be loud and clear: Privacy is a core business concern. And as should be evident from the inBloom case, getting it right means a lot more than just complying with applicable laws and regulations. Privacy isn’t just about regulatory compliance. It’s about setting the tone of your message, managing consumer expectations, bringing the public along with you for the ride, avoiding privacy lurches and not being creepy. It’s more an art than a science.
Alarmingly, getting privacy wrong may mean forsaking the business altogether. As Hoffman wrote, “privacy protection should be a practice as fundamental to the business as customer service.” He conjectured that “It may take time for this idea to sink in at the highest executive levels of some companies.” Alas, for inBloom, it will be too late.