A closer look at TomTom’s privacy policy

Privacy is complicated, but it shouldn’t be. If a tech company says that it’s not tracking your location, it shouldn’t be tracking your location at all. If you opt out of being tracked, it’s clear what your intention is; it’s not an invitation for the tech company to find ways around your intention. With the help of a few industry experts, I put TomTom’s approach to privacy under the microscope and found it has a refreshingly unique and progressive approach to data privacy.

Sadly, not a month goes by without goes by without privacy in the tech domain making headlines. Usually, those headlines center around one of two things: there being a data breach where user data has been compromised, or a situation where a company has gained unexpected access to user data through deceptive or obscure means.

Both these cases are a result of one thing: the value of data. For most tech companies, data is their most valuable commodity. So much so, it’s been described as the “new oil”. With such financial gain on the line, it’s not surprising to see some companies place strong emphasis on acquiring and manipulating data, specifically connected to individual identity with the purpose of advertising and selling.

But not all companies are created equally. In my experience, it’s usually pretty clear whether you should be concerned about how a company is gathering and using your data based on how they talk about their approach to privacy and what their business model is.

If privacy policies are hidden, wrapped up in legalese, described in unnecessarily complicated terms or glossed over, it’s usually a good idea to tread with caution. If it’s open, candid and very clear about its approach to privacy it’s usually a good sign as there’s no complex terminology for the company to hide behind.

If the company’s business model is closely related to advertising and their core product is free to use, be even more weary. These general rules have never steered me too far wrong, at least.

So, with those basic rules in mind, let’s take a look at how TomTom approaches privacy.

What you need to know about TomTom’s privacy policy

First of all, finding TomTom’s privacy policy is quite simple. It’s not hidden behind countless links, simply go to the website, click on “About us”, “Company” and then “Privacy” and you’re presented with an easy-to-understand overview of how the company approaches the topic.

What’s refreshing to see is that it’s all very much to the point. The language is plain, clear and concise. As a result, it’s easy to see what the company is trying to achieve when it comes to protecting and using data. It’s putting a lot on the line doing this, when language is this easy to understand it’s hard to hide behind complex legal terms when indemnification is sought.

The opening of the page reads: “At TomTom, we design our products to protect your personal data at all costs, not use it for profit. We do it because it’s the right thing to do, and it helps us give you greater peace of mind on the road.”

I also asked a couple of security professionals for their take. James Bore, a cyber security consultant and Chartered Security Professional said, “Overall it's a clear policy which states their [TomTom’s] principles, how they use your data and why they do it, in clear simple language. Probably one of the easiest reads I've found in a privacy policy in a long time. Kind of a refreshing break from the usual approach I have to deal with.”

Jules Polonetsky, the CEO of Future of Privacy Forum, a think tank and advocacy group focused data privacy, echoed Bore’s statement. He said TomTom’s approach is: “Uniquely straightforward, refreshingly honest, the policy is written to actually engage the reader in the value equation of how data is used by the company.”

What makes a good policy?

Bore and Polonetsky both seem to appreciate TomTom’s straightforward approach when talking about privacy. To get more detail on what a good privacy policy looks like, I asked James Ward, a privacy lawyer and co-author of the book Data Leverage.

“A privacy policy has to do three things: explain what data is collected, how it’s used and who sees it,” he tells me. This sounds simple enough, but it’s still open for interpretation. “In the US, it has typically been a vague, anodyne statement about ‘we value your privacy’. That doesn’t cut it in Europe, where GDPR imposes much more specific requirements like naming parties who receive data and setting explicit uses for data.”

Speaking generally of privacy policies he’s come across during his career, Ward says that most policies are a mix of the two approaches. “They say just enough to be confusing and not enough to be untrue,” he says. With that in mind, Bore and Polonetsky’s comments about TomTom’s simple and clear approach being unique hold up.

Indeed, it might seem unconventional to be clear about privacy, as it leaves less room for interpretation in litigious situations, but according to Ward taking this approach is not a bad thing for business.

Ward expects that we’ll start to see more help from regulators when it comes to understanding what qualifies as “confusing, but that there’ll continue to be a tug of war for years.” Indeed, with that in mind, it seems that TomTom might be ahead of the curve and in future we’ll see many more tech companies talk about privacy in a similar way.

The four pillars of privacy

Cassandra Moons, TomTom’s Sr. Privacy Legal Counsel and Data Protection Officer, tells me the company’s approach to privacy is backed by four main principles, which are also clearly detailed on the “Privacy” section of its website.

These are: protecting identity, never selling data to other companies or individuals, providing control to those who generate the data and no advertising. Indeed, it keeps things clear, to the point, there’s little ambiguity over the company’s intentions to protect data.

“No advertising” seems like the odd one out, however, it’s vitally important when it comes to data privacy. In a significant number of cases where individuals have had their personal data gathered, infringed or manipulated, it’s for advertising purposes.

The more digital advertisers know about individuals, the more targeted (and effective) their adverts can become. The more effective they become, the more money they can make. Therefore, the more data they have on an individual, the better the adverts can work, the more influence they can exert, the more clients sell, the more money advertisers can make. In this industry, it’s a vicious circle.

In these cases, it’s become common to hear people say, “If you’re not paying, then you’re the product.” But there is always a cost, and when not financial, the cost is usually your data privacy.

TomTom specifically references this phenomenon on its approach to privacy page. “We’re not using you to make money in other ways [such as selling data]. You are not the product,” the company says.

The good side of data collection

For companies like TomTom, there is no need to collect data on, and attribute it to, individuals. There are no benefits to the company’s core products and business to gather this kind of data, so it takes an active approach to protecting user data.

Indeed, data collection isn’t all bad. Collecting things like GPS trace data, speed data and so on, has allowed TomTom over the past 30 years to amass one of the most broad and detailed data sets on how the world’s roads work. The location tech company doesn’t need to know who is driving, simply that there was a drive that took place and how it took place.

This data has allowed it to develop robust traffic information that can warn drivers of hold ups, jams and congestion in real time, allowing them to avoid it. It can warn truck drivers of dangerous bends in the road. Detailed contextual data about roads helps active cruise control systems take the road gradient into account, saving fuel and emissions.

What’s more, as the company says on its privacy page, it aggregates data through a series of randomizations to protect personal information and prevent journeys and trips from being connected to an individual.

Societally speaking, our notion of data and privacy is inextricably linked with who we are. However, that only matters to businesses when they need to target individuals. For TomTom, it doesn’t need to do that.

Of course, the company could sell personal data, there is an incredibly valuable market for that kind of information. As this article from The Markup explores, it’s a dark and murky business to be part of.

Justin Sherman, a cyber policy fellow at the Duke Tech Policy Lab, is quoted in the article saying: “There isn’t a lot of transparency and there is a really, really complex shadowy web of interactions between these companies that’s hard to untangle.”

In a world that’s putting privacy itself under the microscope, it doesn’t seem like a safe long-term bet or a sustainable business model to primarily make money out of gathering data on people, their whereabouts and who they are.

Moons tells me that TomTom tries to bake its approach to privacy into its product development process. When the company is developing new products, it undertakes a privacy impact assessment, to fully understand how the new product could create concerns for privacy. This helps it get an understanding for what specific privacy features need to be built for the tech to meet the company’s standards and exceed legislation like GDPR.

The bottom line

TomTom’s products are reliant on data, the more data the better, but importantly the company knows it doesn’t need to know about individuals, so it respects and builds its approach around that. The location tech company knows that it has to respect its drivers and not exploit them. If TomTom didn’t have access to driver data, it would not be able to build many of its products. The company would lose out and so would motorists around the world.

Data is powerful. Not to sound too cliché, but with great data comes great responsibility. Data is incredibly useful and helps us realize efficiencies that would otherwise be impossible. But it needs to be respected. More so, those that share it and generate it need to be respected too.