Summary
1. Global legislative introduction & basic Privacy concepts
2. Serving your customers better through better analytics
3. 5 Online Marketing Rules to Respect Consumer’s Privacy
4. Examples & discussion
Presented by: Aurélie Pols
@AureliePols
INTRODUCTION
Global legislative introduction & basic Privacy concepts
Privacy vs. National Security
Data Retention vs. Data Protection
Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg
Eg. DRIP (UK, passed), SOPA (US: Stop Online Piracy Act, similar to French HADOPI) & PIPA (US: Protect IP Act)
A Global perspective
US & UK | EU | APEC
Common Law | Continental Law | Continental law influenced
Class actions | Fines (by DPAs: Data Protection Agencies)
Privacy | Personal Data Protection (PDP)
Business focused | Citizen focused: data belongs to the visitor/prospect/consumer/citizen
Patchwork of sector-based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations
PII: varies per state | Risk levels: low, medium, high, extremely high
PII: ah but we don’t collect it!
Medical information as PII
California
Arkansas
Missouri
New Hampshire
North Dakota
Texas
Virginia
Financial information as PII
Alaska
Iowa
Kansas
Massachusetts
Missouri
Nevada
New York*
North Carolina
North Dakota
Oregon
South Carolina
Vermont
Wisconsin
Wyoming
Passwords as PII
Georgia
Maine
Nebraska
Biometric information as PII
Iowa
Nebraska
North Carolina
Wisconsin
Source: information based on current ongoing analysis (partial results)
So what is considered PII?
Personal Information (based on the definition commonly used by most US states)
i. Name, such as full name, maiden name, mother’s maiden name, or alias
ii. Personal identification number, such as social security number (SSN), passport number, driver’s license number, account and credit card number
iii. Address information, such as street address or email address
iv. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address
v. Telephone numbers, including mobile, business, and personal numbers
vi. Information identifying personally owned property, such as vehicle registration number or title number and related information
Source: information based on current ongoing analysis (partial results)
If you collect PII… then
US & UK | EU | APEC
Common Law | Continental Law | Continental law influenced
Class actions | Fines (by DPAs: Data Protection Agencies)
Privacy | Personal Data Protection (PDP)
Business focused | Citizen focused
Patchwork of sector-based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations
PII: varies per state | Risk levels: low, medium, high, extremely high
The upcoming EU Regulation
• Expands data regulation beyond EU borders & to a wider class of data
• Shift from “Personal” to “Regulated” data
• Transparency & Consent
• Data security obligations for brands & their agencies
• Demonstrating that you comply
• Fines: 5% of global turn-over
#EUDataP
Data ownership? Dutch mobile, more B2B
KPN is a Dutch Telco
Operations are in the Netherlands, Belgium & Germany
Brands: Hi, Simyo, Telfort & KPN, XS4ALL, E-Plus & Base (sold to Telefonica)
Fair Information Privacy Practices
Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg
Presented by: David Hollender
@DavidHollender
BETTER
Serving your customers better through better analytics
In Concept
If you care about:
• Customer Engagement
• Customer Retention
• Likelihood to Convert
Approach analysis projects from customer-centric perspective
What the Studies Say…
Organization Science, Jan-Feb 1999, Culnan and Armstrong:
Trust moderated by fair information practices is a key factor in an individual's decision to maintain a customer relationship.
Journal of Marketing Research, Oct 2014, Catherine Tucker:
Personalized advertising was nearly twice as effective at attracting users … after the shift in Facebook’s policy, which gave users more control over their personal information.
Differing Perceptions on Big Data
What We See:
Key Insights
Personalization
Drive Conversions
Customer Retention
Make $$$
What They See:
Relevant
Convenient
Efficient
Creepy
Intrusive
Potentially Harmful
Privacy Leverage Point
Mary J. Culnan and Pamela K. Armstrong. 1999. Information Privacy Concerns, Procedural Fairness, and Impersonal Trust: An Empirical Investigation. Organization Science 10, 1 (January 1999), 104-115.
Should We Do This Analysis?
Consider Benefits vs Potential Harm
• Purpose of Data Collection / Analysis
• Purpose in Integrating Data Sets
• Purpose in Sharing/Selling
Ask: Would Customers Consider this a Win/Win?
Do Your Analysis Right
• Make Sure Data Are:
• Relevant
• Timely
• Accurate
• Secure
• Clean and Consistent
• Protect From Unintended Consequences
Build Trust – Part I
• What – Data Sources + Items
• Who – Players, Sharing
• Why – Benefits + Risks
• When – For How Long
• Visible
• Clear
• Concise
Communicate With Customers
Customer-Centric Privacy Policies Build Trust
Build Trust – Part II
• Control of Information by Individual
• Granular Choices
• Easy to Grant/Revoke
• Choice Both of What Data and How Used
Presented by: Aurélie Pols
@AureliePols
5 Online Marketing rules to respect consumer's privacy
1. Say what you do and do what you say
2. Harness your data liability
3. Foster data frugality & documentation
Agile is the ‘mot du jour’
4. Cherish the human aspect of data protection
5. Dialogue and find common ground
1. Say what you Do & Do what you Say
Privacy policies statements:
• Publicly available documents
• Date stamp: less than 1 year old
• Implies processes:
– Eg. “we don’t collect data of minors” => COPPA
– Deletion & anonymization
– Bankruptcy or M&A data transfers
• Attributes responsibility: [email protected]
Enterprise goal / User goals
Privacy Policy
Requirements
Privacy Mechanisms
Procedures & Processes
Privacy Awareness Training
Quality Assurance
Feedback
Yelp said that only about 0.02 percent of users who actually completed the registration process during the time period provided an underage birth rate, “and we have good reason to believe that many of them were actually adults.”
The company had an average of about 138 million unique visitors in Q2 of 2014.
Cost? Above $16 per monthly unique …
Source: http://www.pcworld.com/article/2684752/yelp-settles-us-ftc-charges-of-violating-child-privacy.html
2. Harness data liability
Across data platforms & flows
– Understand Terms & Conditions
– Sovereignties/legal jurisdictions: Safe Harbor and Binding Corporate Rules (BCRs)
– Access!
Tool vetting
Agency vetting
Cloud tools fines & warnings
Oi, Brazilian Telco & Phorm
France Telecom & email campaign tool
Responsibility of analytics agency?
Information Security & Compliance: Follow the Data
Define the tools
Grant accesses
Data collection & data lifecycle
Data sharing & data flows
Often a weak link
Who has access?
Source: Privacy Green seal, specific audit for analytics tools & data agencies
3. Foster data frugality & documentation
Old adage: “let’s collect everything, just in case”
New adage: cherry pick the data for which the following must be held true:
1. Without X data attribute, I cannot do Y legitimate task and need no less than X to do Y
2. Additionally collecting data point Z will not jeopardize my initial data collection purpose
Agile is the mot du jour, also for data collection
Agile ways of working with Purpose and Consent
Use meta-data to classify data fields and groups to:
– Identify data fields containing PII/personal data, (ad) collection source, use and disclosure/sharing;
– Identify data fields/groups and their storage that need consent;
– Identify data fields that may need correction by individuals;
– Identify data fields that may need de-identification, anonymization or deletion.
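The two data-frugality tests above (rule 3) and the four meta-data questions (PII, consent, correction, de-identification/deletion) are easiest to keep honest when the field inventory itself is code that can be queried. The following is an added illustration written for this page, not code from the deck or its presenters; the field names, sources, purposes and retention periods are constructed sample values, and the decision rules are one possible reading of the slide, not a legal standard.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class DataField:
    """One column in a data set, annotated with the governance meta-data the slide asks for."""
    name: str
    personal: bool              # identifies a person (PII / personal data)?
    source: str                 # collection source, e.g. "signup-form", "web-log", "ad-network"
    purposes: FrozenSet[str]    # purposes the data subject was told about at collection
    consent_required: bool      # does this field need explicit consent?
    consent_given: bool         # has that consent actually been recorded?
    correctable: bool           # may the individual need to correct it (rectification)?
    retention_days: int         # how long it may be kept after collection


# Constructed sample inventory (hypothetical fields, not from the deck).
INVENTORY: List[DataField] = [
    DataField("order_id",   False, "checkout",    frozenset({"fulfilment", "analytics"}), False, False, False, 365 * 7),
    DataField("email",      True,  "signup-form", frozenset({"fulfilment", "service"}),   True,  True,  True,  365 * 2),
    DataField("birth_date", True,  "signup-form", frozenset({"age-check"}),               True,  True,  True,  30),
    DataField("ip_address", True,  "web-log",     frozenset({"security"}),                False, False, False, 90),
    DataField("ad_segment", True,  "ad-network",  frozenset({"marketing"}),               True,  False, False, 180),
    DataField("page_views", False, "web-log",     frozenset({"analytics"}),               False, False, False, 365),
]


def fields_for_purpose(inventory: Iterable[DataField], purpose: str) -> List[str]:
    """Data frugality: only the fields whose declared purpose covers task Y (rule 3, point 1)."""
    return [f.name for f in inventory if purpose in f.purposes]


def check_use(inventory: Iterable[DataField], field_names: Iterable[str], purpose: str) -> Dict[str, str]:
    """Purpose limitation: for each requested field, say whether this use is covered.

    A field outside the inventory is the "additionally collecting Z" case of rule 3, point 2:
    it is flagged rather than silently added, so the original purpose is not jeopardised.
    """
    by_name = {f.name: f for f in inventory}
    verdicts: Dict[str, str] = {}
    for name in field_names:
        f = by_name.get(name)
        if f is None:
            verdicts[name] = "unknown: not in inventory, do not collect ad hoc"
        elif purpose not in f.purposes:
            verdicts[name] = "blocked: purpose not declared to the data subject"
        elif f.consent_required and not f.consent_given:
            verdicts[name] = "blocked: consent required but not recorded"
        else:
            verdicts[name] = "ok"
    return verdicts


def consent_gaps(inventory: Iterable[DataField]) -> List[str]:
    """Fields whose storage needs consent that has not been recorded."""
    return [f.name for f in inventory if f.consent_required and not f.consent_given]


def correctable_fields(inventory: Iterable[DataField]) -> List[str]:
    """Fields the individual may need to correct."""
    return [f.name for f in inventory if f.correctable]


def retention_actions(inventory: Iterable[DataField], age_days: int) -> Dict[str, str]:
    """Fields past their retention period: personal data is de-identified or deleted, the rest deleted."""
    actions: Dict[str, str] = {}
    for f in inventory:
        if age_days > f.retention_days:
            actions[f.name] = "anonymize-or-delete" if f.personal else "delete"
    return actions


if __name__ == "__main__":
    print("analytics needs only:", fields_for_purpose(INVENTORY, "analytics"))
    print("marketing use check:", check_use(INVENTORY, ["order_id", "ad_segment", "birth_date", "shoe_size"], "marketing"))
    print("consent gaps:", consent_gaps(INVENTORY))
    print("correctable:", correctable_fields(INVENTORY))
    print("after 100 days:", retention_actions(INVENTORY, 100))
```

The point of keeping the inventory as data is that every proposed analysis (the "Should we do this analysis?" question from the BETTER section) can be run through `check_use` before a single row is pulled, and the answer is traceable to what the data subject was told.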
4. Cherish HR in Data Protection
Human error causes most data breaches
Enterprise goal / User goals
Privacy Policy
Requirements
Privacy Mechanisms
Procedures & Processes
Privacy Awareness Training
Quality Assurance
And escalation procedures to attribute responsibility
Should we do this analysis?
Security (technical)
Data Collection
Processes
Resources
Purpose, Consent & Data Uses
From: Purpose, Consent, FIPPs → Data for approved use
To: Purpose, Consent, FIPPs → Data analysis or merging → New business opportunity
5. Dialogue & common ground
Trust and Creepiness: Consent is about a reasonable expectation of the use of data
There’s a fine line between:
– Feeling charmed
– Feeling invaded
Create win-win situations:
– Customers give company information
– Customers get better service/value for money
Where to start?
Compliance?
Privacy?
Security?
Moving targets
The “Magnum” Plan
• Document your data set-up
• Set up a compliance check-list:
– Applicable legislations to your sector
– Territorial scope
• Evaluate your risk
• Follow-up with information security measures (data protection)
• Adopt global & sustainable Privacy best practices
Presented by: David Hollender
@DavidHollender
Privacy Policy = Transparency
• Clear & Concise
• Granular
• Data Retention
• Accuracy
• Promotes Trust Relationship
Characteristics
Privacy Policy – Today’s Ordinary
Like
• Organization / Layout
• Plain Language
• Clearer than Many
Dislike
• Weak on Choices
• Sharing Practices
• Data Retention
• Policy Changes
A Different Approach
At Micycles, we value and respect our customers and visitors to our store. We take great care in learning about your needs, delivering excellent service and providing you with the best products, while protecting your personal information and respecting your privacy rights. Read on to find out how.
When You Visit Our Website
To present you with the most relevant information and offers, our website automatically collects information about the frequency and duration of your visits, as well as available geographic and demographic information and specific content you view. If you log in, we also use any profile information you enter, possibly combined with third-party public information for the same purpose. To manage the kinds of information we collect and obtain, click here.
When You Make a Purchase
To process and fulfill your order, we collect information about you, your payments, and delivery instructions. We also use this information, and if you agree third-party information, to provide service and to provide you with information about other products and services you may find valuable. To manage how we use the personal information we collect and how long we keep it, click here.
Your Information Privacy Preferences
We invite you to tell us how you would like your information managed. You can specify the kinds of information you would like us to have, and you can tell us how you wish to have your information used. You can also indicate for how long we may keep particular types of data on file. To manage your information preferences, click here.
Think Outside the Box
McAfee’s Privacy Ninja
Source: http://zurb.com/studios/case-studies/mcafee
Another Example
Over-Graph, a French social media company
http://www.over-graph.com/commercial/ToS-EN.pdf