Tiffany Li is an attorney and resident fellow at the Information Society Project at Yale Law School.

The Internet was in an uproar recently about a tweet from Netflix’s official account spotlighting (and shaming) 53 of its users for watching a specific Christmas movie on 18 consecutive days. Spotify has come under fire for running similar ads about its own users’ listening habits. Privacy advocates and consumers alike decried the marketing tactics as “creepy.”

The ads aren’t what’s creepy, though. Reality is creepy. But we can fix it.

It’s true that, generally, companies like Spotify and Netflix are collecting more and more data on consumers. But that’s not the real problem. The real problem is a disconnect between privacy reality and privacy expectations.

The negative reaction to Netflix’s tweet and Spotify’s ads shows that the average consumer likely does not realize the sheer amount of data that such services collect on every single user. Essentially, almost every Internet-related company collects a significant amount of data on its users — from your ISP collecting browsing history (even in incognito mode!) to half the apps on your phone collecting data through hidden trackers. You have probably encountered the phenomenon of looking at a product for sale somewhere online and then being offered ads for that product or that brand everywhere you go on the Internet afterward. This happens because web trackers embedded in common online advertising networks follow you around as you visit different sites across different devices.

There are, of course, legitimate reasons companies like Netflix and Spotify collect and use large amounts of user data. Netflix uses viewers’ watching preferences to influence development of new movies and television shows. Did you love “Stranger Things”? Then you should probably thank Netflix’s collection and use of user data to create new shows based on what genres, actors and directors existing users already enjoy watching. Spotify uses listening data in interesting ways as well, including custom playlists it recommends to users. The same technology and data collection that allowed the service to make your custom Time Capsule playlist was what powered its ads that called out individual user playlists by title. Using user data in novel ways is not necessarily detrimental for consumers, but we should demand that companies protect user privacy as much as possible while doing it.

Ultimately, the “creepy” ads and tweet are not really that creepy, either, when taken into context. No particular user was named or identified. The ads do not violate any terms in either company’s privacy policy or terms of service. This use of data in marketing also likely does not violate U.S. privacy laws and regulations, mostly because no information was personally tied to a user.

But the negative public reaction does reveal some lessons tech companies and individuals can follow to bridge the gap between privacy expectations and privacy reality.

Companies should recognize their responsibility to their users and to the broader goal of creating a strong environment that supports privacy protection for future generations. All companies, but especially tech companies, must invest in maintaining strong privacy and cybersecurity protections, including implementing Privacy by Design protocols in product development, enforcing internal guidelines and training on privacy and data security, and publishing clear and accurate privacy policies. The best way to avoid the public relations backlash (or legal and financial consequences) of bad privacy decisions is to practice good privacy companywide. In other words, if Silicon Valley firms don’t want to be called a creep, they should stop being creepy.

As technology progresses, it is likely that companies will collect increasingly large amounts of data on users. To fix the disconnect between consumer privacy expectations and actual privacy reality, consumers need more information from the industry to fully understand how consumer data can be used for good (or bad). Modern, tech-savvy consumers can be sophisticated enough to understand that giving up data to companies often yields benefits, like more tailored services. It’s up to tech companies to be better at telling that story and educating the public on how consumer data can be used to help the rest of us.

As for individual consumers, you can take some simple steps to educate yourself on privacy and protect your data. Periodically check the privacy settings for your mobile devices and turn off permissions for apps that don’t need them. (For example, many apps have location tracking turned on unnecessarily.) Check the privacy settings for your email accounts and social media accounts. Read the privacy policies when you sign up for a new service, and put pressure on companies to make their policies clear and understandable. To learn more, check out the many freely available guides on online privacy.

Being aware of how your data is being used is the first step to bridging the gap between consumer expectations of privacy and actual practice. Empower yourself with knowledge about corporate privacy norms so you know when something is just standard data analysis (like, arguably, the “creepy” ads) versus when something is egregiously harmful (e.g., the shoddy cybersecurity practices that led to the Equifax breach). Never doubt your ability as an individual to influence the direction of the tech industry or of the law and policy decisions that impact privacy. The public backlash against the “creepy” ads is just one example of the ways in which regular consumers like you and me can change the way the tech industry approaches privacy.

What’s at stake here isn’t whether Spotify or Netflix will be able to run “creepy” marketing campaigns in the future. The choices companies and individuals make regarding privacy today will affect how our society understands privacy expectations in the future.
