The role of a product manager is diverse and essential — you make things happen.
But you’re also responsible for data protection and the safe handling of the data your products use.
This post will help you learn what role product managers play in the protection of data privacy. It also clarifies best practices for laws like the General Data Protection Regulation.
What is data privacy?
Data privacy refers to protecting individuals’ personal information from unauthorized use and access. It encompasses people’s rights to control how their personal data gets used.
Some data counts as sensitive information and are subject to more strict guidelines. This includes health information and details about ethnicity and beliefs.
Businesses use personal data to:
- Better align product offerings with the customer needs
- Gauge marketing campaigns’ success
- Improve and enhance user experience
- Personalize products based on individual interests and preferences
- Plan for resource allocation and inventory management
But this information belongs to and comes from consumers. Businesses must handle traditional and sensitive data responsibly.
What laws impact data privacy?
According to UNCTAD, data protection and privacy laws protect 71% of the world’s countries.
This includes the following laws:
- Australia Privacy Act 1988
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- California Online Privacy Protection Act (CalOPPA)
- Colorado Privacy Act (CPA)
- New Zealand Privacy Act 2020
- Virginia Consumer Data Privacy Act (VCDPA)
Sometimes, a data protection act has a money and data collection threshold, like the CCPA.
Others apply based on where your users come from and the location of your business. For example, this is the case with the GDPR and CalOPPA.
Product managers should know if a data protection regulation impacts their business. This way, they can ensure they meet each privacy rule for all projects.
Why is data privacy important for product managers?
Product managers work in every part of a project’s life cycle. It’s important to build data privacy best practices into each stage. This helps your company follow data privacy laws. It also helps you foster a relationship of trust with your customers.
Additionally, it allows you to prevent cybersecurity issues. For example, data breaches can lead to consumer identity theft and other issues.
Most businesses fall under the legal threshold of one or more data privacy laws. It depends on the business location and where customers come from.
These laws require businesses to meet specific obligations, such as:
- Presenting users with privacy notifications describing what personal data they collect and why
- Explaining the rights users have over their information and how to act on them
- Getting adequate consent from users for certain types of personal data processing
- Safely and securely storing personal data and only keeping it for as long as necessary
Failure to follow a data privacy law, even by mistake, can lead to significant fines. This is especially true if you process sensitive data. For example:
- Meta was issued a €1.2 billion ($1.3 billion) fine for violating the GDPR in 2023, the largest GDPR fine to date.
- DoorDash was issued a $375,000 penalty for violating the CCPA in 2023.
- Sephora was issued a $1.2 million fine for violating portions of the CCPA in 2022.
- Avast was fined $16.5 million by the FTC for illegally selling user personal data.
Data protection authorities could even force the business to stop all processing activities.
The modern consumer also cares about their privacy, especially online. Before buying a product, they look for privacy policies and consent banners on sites. Just take a look at these data privacy statistics:
- 94% of organizations say customers won’t buy from them if they don’t properly protect personal information.
- 48% of internet users have stopped shopping with a business due to privacy concerns
- One in five internet users often read a privacy policy before agreeing to it
Think of it this way — would you give details about yourself to a website without a privacy policy?
Providing users with this information reassures them that you respect their personal data. It also lets them know you’re prepared to protect it if they share it with you.
The product manager’s role in ensuring products follow data privacy laws
Product managers don’t usually create privacy documents or maintain consent management platforms. But, they are responsible for letting the right team know about the personal data a product uses. This helps ensure compliance and keeps everyone on the same page.
As a product manager, you know the ins and outs of everything your business produces better than most. You know why each piece of data is necessary, how it gets used, and how long you need to keep the information.
This knowledge puts you in a position to:
- List every piece of personal data your services collect and use
- Organize personal data based on its level of sensitivity
- Communicate this information by putting it all in a compliant privacy policy
You can also determine the safety measures you must use to keep personal data safe. Cyber threats include unauthorized access, breaches, and other attacks. For example:
- Phishing attacks: when someone sends a message that looks reliable. But it convinces them to click on an insecure link. Clicking on the link downloads a virus to the device. Or, it can trick the individual into providing sensitive personal information. For example, they may ask for passwords or social security numbers. This could lead to identity theft, stolen money, or both.
- Malware: when harmful software enters your computer, phone, or other device. It can come from downloading something that looks safe or clicking a bad link. It can also come from attaching an infected device to your computer, like a compromised USB drive. It leads to computer viruses, spyware, ransomware attacks, or trojans.
- Ransomware: locks you out of your files. The bad actor then demands money to unlock them. This impacts businesses if an employee clicks on an unsafe link in a work email.
- Spyware: malicious software that gets downloaded to your device. This leads to a bad actor watching everything you do. They might steal your passwords, credit card information, and other personal data. This attack can impact businesses. It happens when under-trained employees click on a bad link or download a corrupt file.
- Trojans: occurs when a bad actor uses software to control your device. They also usually steal your data. This impacts businesses if an employee clicks on an insecure link or downloads a bad file.
Prioritizing data privacy is a team effort, and every member of your organization has a role to fill.
Anyone can click on a bad link or download a corrupt file. Training your entire team is the best line of defense.
For example:
- Leadership teams should foster a culture of data privacy for all departments
- Marketing teams should communicate with customers about how they use data
- Product developers should build privacy into all products while limiting data collection
- Legal teams should be up-to-date on which data privacy laws impact the company and how
- Finance teams should be allocating a budget for data privacy and cybersecurity initiatives
It’s not neccessarily a product manager’s job to train everyone on these topics. But they can still ensure everyone is aware of and up to date on the company’s data protection and cybersecurity policies.
Try services like Drata. It keeps your employees engaged in data and cybersecurity best practices.
Data privacy best practices for product managers
Let’s walk through data privacy best practices product managers can follow.
Product development and privacy by design
Privacy by design is a concept. It encourages businesses to include data protection and privacy practices in all stages. Product managers should use this process to build data privacy in their projects.
Some of the key principles of privacy by design include:
- Incorporate privacy measures to prevent issues before they occur
- Install end-to-end security controls
- Provide users with transparency about personal data collection and use
Notification requirements
Product managers play a key role in ensuring privacy policies are up-to-date.
Businesses under privacy laws must give consumers a privacy notification explaining:
- What data you collect
- Why and how you use the data
- If you share the data with third parties
- What rights the user has over their data and how to act on them
- Company contact information
Have this information for each project you oversee. Ensure it ends up in your company privacy policy.
Product managers can also help notify users about changes to the privacy policy. It’s normal to update your privacy policy. You should do so whenever your data collection practices change. Make sure you let users know that the policy has been updated.
For example, add a “last updated” date to your policy. You can also send an email saying the policy has changed. List what’s changed in the email. Let the users know where they can find your new policy on your website. This way, they can read it at their own pace. They can then choose if they still agree to it or not.
See an example of this type of email in the screenshot below from the software developer OpenAI.
OpenAI was clear about what changed in their policy. They gave an effective date, so users know when the changes took place. They also used the subject line “Update to our Terms of Use and Privacy Policy.” This way, users knew exactly what the email was about.
Follow OpenAI’s example when making your own privacy policy update email.
Maintaining an archive of past versions of your company’s privacy policy is also a good idea.
Obtaining consent from consumers
Privacy laws give users the right to opt into or out of certain types of data processing.
Product managers can help identify when it’s necessary to use a tool like a cookie consent manager. This way, you can request consent for specific purposes.
For example, you might work for a company subject to a privacy law like the GDPR or the CCPA. Your website might deploy internet cookies that collect information from users. You might then share that information with external vendors. In this case, you’d need a consent banner on your site. Your users have the right to opt into or out of having their data sold or shared with third parties.
Your project might collect sensitive data from users to function. In this case, you also need consent. This is because privacy laws give people the right to limit the use of sensitive information.
Sensitive information is a type of vulnerable personal data and includes details like:
- Religious or philosophical beliefs
- Race or ethnicity
- Trade membership
- Gender identity
- Biometrics and health data
Determine if consent collection is necessary for each project to meet privacy laws. You can do this by asking yourself the following simple questions:
- Does this project need to use personal data from users?
- If so, is this data protected by privacy laws?
- If so, do the laws need opt-in or opt-out consent?
Your answers will help determine if your consent banner needs an:
- ‘Accept’ button
- ‘Decline’ button
- ‘Preference’ button
- Or a mix of all three
This is a necessary step. Otherwise, you might get fined by data protection authorities. For example, these include the European Commission or the California Privacy Protection Agency.
Effective data security measures
A product manager needs to keep track of the types of personal information your products use. This way, you’ll know what level of data security is necessary to protect that information.
Common data security techniques include:
- Only collecting data that is necessary
- Anonymizing and encrypting the data
- Creating access controls to limit who has access to the information
- Auditing your security protocol to identify weak areas before a breach occurs
- Building data protection and backup recovery plans into your products
- Determining your data retention and deletion strategy
Conclusion: product managers and protection of data privacy
As a product manager, you play a significant role in protecting data privacy. You know what data is necessary to develop different products and services.
You can also incorporate privacy best practices into all project lifecycles. This helps ensure personal data protection at all stages.
Prioritizing data privacy helps your projects follow data privacy laws. This makes it easier to follow laws like the General Data Protection Regulation.
It also proves to customers that they can trust you with their personal information.
