Next time: pass it by your lawyers for a quick review if you can't trust your own judgment on things like this. Ditto for all the dark patterns you are still using today on your website, clean up your act. Note that you are firmly in the crosshairs of the EU data privacy watchdogs and that the fines are nothing to sneeze at, if you expect to establish and maintain a foothold in this market realize two things:

- trust is a crystal ball, you can drop it and break it, patch it back together again but it will never ever be the same way it was before, it can only degrade

- if you plan on being a player in this field you will have to take the privacy of your users serious, this includes doing your privacy and security reviews by the book because if there ever is an involuntary disclosure what you've seen in the last couple of days will come back hundredfold.

This is good advice, but I'll add to it. Your general counsel is an acceptable, but not great, substitute for a real VP-level privacy officer. Lawyers tend to look at privacy issues with an eye towards compliance, i.e. does this privacy issue subject us to regulatory scrutiny or open us up to lawsuits? They don't always look at these issues from the point of view of "What is our company's philosophy around the sharing of our users' data, around providing transparency and control for users, and does this feature align with that philosophy?" A dedicated privacy professional will explore that question deeply.

In my opinion, in 2020, any company that releases software and has more than like 20 engineers should have at least one VP-level privacy approver who has the power to block releases.

I hope you went back to Aaron and thanked him for that input and perhaps apologized for dismissing it. It can be really frustrating to lead something and have founders/execs shoot down your professional input, ideas, or concerns because... Well, why did you?

Though you are small and do not have an official chief privacy officer or CISO, do you have personnel that are champions of those desires? If not, nurture or acquire. If so, listen to them. This is 2020. If you look at Zoom, you can argue that security and privacy can come later, that the market will do anything for features and forgive any security or privacy faux pas. You would not be wrong, but such a calculus is what people in this forum are objecting to. People mainly feel bad that the economic incentive for privacy is weak. Are you following GDPR? Have you heard of it? A privacy move on top of your apology and retraction could differentiate your company as the privacy aware alternative, much like DuckDuckGo has made privacy its key differentiator, or, if you need a stronger financially motivating example, much like Apple is touting privacy in all that they do.