eMetrics Summit Boston 2014 - Big Data for Marketing - Privacy Principles & Practices with American Institute for Research

October 6th 2014Boston

Privacy Principles & Practices trackAurélie Pols & David Hollender

Summary

1. Global legislative introduction & basic Privacy concepts

2. Serving your customers better through better analytics

3. 5 Online Marketing Rules to Respect Consumer’s Privacy

4. Examples & discussion

Presented by: Aurélie Pols

@AureliePols

INTRODUCTION

Global legislative introduction & basic Privacy concepts


@AureliePols

Privacy vs. National Security

Data Retentionvs. Data Protection

Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg

Eg. DRIP (UK, passed), SOPA (US: Stop Online Privacy Act, similar to French HADOPI) & PIPA (US: Protect IP Act)

http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg


@AureliePols

A Global perspective

US & UK EU APEC

Common Law Continental Law Continental law influenced

Class actions Fines (by DPAs: Data Protection Agencies)

Privacy Personal Data Protection (PDP)

Business focused Citizen focused: data belongs to the visitor/prospect/consumer/citizen

Patchwork of sector based legislations: HIPPA, COPPA, VPPA, …

Over-arching EU Directives & Regulations

PII: varies per state Risk levels: low, medium, high, extremely high


@AureliePols

PII: ah but we don’t collect it!

Medical information as PII

California

Arkansas

Missouri

New Hampshire

North Dakota

Texas

Virginia

Financial information as PII

Alaska North Carolina

Iowa North Dakota

Kansas Oregon

Massachusetts South Carolina

Missouri Vermont

Nevada Wisconsin

New York* Wyoming

Passwords as PII

Georgia

Maine

Nebraska

Biometric information as PII

Iowa

Nebraska

North Carolina

Wisconsin

Source: information based on

current ongoing analysis (partial

results)


@AureliePols

So what is considered PII?

Personal Information (based on the definition commonly used by most US states)

i Name, such as full name, maiden name, mother‘s maiden name, or alias

ii Personal identification number, such as social security number (SSN), passport number, driver‘s license number, account and credit card number

iii Address information, such as street address or email address

iv Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)

v Telephone numbers, including mobile, business, and personal numbers.Information identifying personally owned property, such as vehicle registration number or title number and related information

Source: information based on

current ongoing analysis (partial

results)


@AureliePols

If you collect PII… then

US & UK EU APEC

Common Law Continental Law Continental law influenced

Class actions Fines (by DPAs: Data Protection Agencies)

Privacy Personal Data Protection (PDP)

Business focused Citizen focused

Patchwork of sector based legislations: HIPPA, COPPA, VPPA, …

Over-arching EU Directives & Regulations

PII: varies per state Risk levels: low, medium, high, extremely high


@AureliePols

The upcoming EU Regulation

• Expands data regulation beyond EU borders & to a wider class of data

• Shift from “Personal” to “Regulated” data

• Transparency & Consent

• Data security obligations for brands & their agencies

• Demonstrating that you comply

• Fines: 5% of global turn-over

#EUDataP


@AureliePols

Data ownership? Dutch mobile, more B2B

KPN is a Dutch Telco

Operations are in the Netherlands, Belgium & Germany

Brands: Hi, Simyo, Telfort& KPN, XS4ALL, E-Plus & Base (sold to Telefonica)


@AureliePols

Fair Information Privacy Practices

Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg

https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg

Presented by: David Hollender

@DavidHollender

BETTER

Serving your customers better through better analytics


@DavidHollender

In Concept

If you care about:

• Customer Engagement

• Customer Retention

• Likelihood to Convert

Approach analysis projects from customer-centric perspective


@DavidHollender

What the Studies Say…

ORGANIZATION SCIENCE Jan-Feb 1999 Culnan and Armstrong

Trust moderated by fair information practices as

a key factor in an individual's decision to maintain a customer relationship.

Journal of Marketing Research Oct 2014 Catherine Tucker

Personalized advertising was nearly twice as effective at attracting users … after the shift in Facebook’s policy, which gave users more control over their personal information..


@DavidHollender

Differing Perceptions on Big Data

Key Insights

Personalization

Drive Conversions

Customer

Retention

Make $$$

Relevant

Convenient

Efficient

Creepy

Intrusive

Potentially Harmful

What They SeeWhat We See


@DavidHollender

Privacy Leverage Point

Mary J. Culnan and Pamela K. Armstrong. 1999. Information Privacy Concerns, Procedural Fairness, and Impersonal Trust: An Empirical Investigation. Organization Science 10, 1 (January 1999), 104-115.


@DavidHollender

Should We Do This Analysis?

Consider Benefits vs Potential Harm

• Purpose of Data Collection / Analysis

• Purpose in Integrating Data Sets

• Purpose in Sharing/Selling

Ask: Would Customers Consider this a Win/Win?


@DavidHollender

Do Your Analysis Right

• Make Sure Data Are:

• Relevant

• Timely

• Accurate

• Secure

• Clean and Consistent

• Protect From Unintended Consequences


@DavidHollender

Build Trust – Part I

• What – Data Sources + Items

• Who – Players, Sharing

• Why – Benefits + Risks

• When – For How Long

• Visible

• Clear

• Concise

Communicate With Customers

Customer-Centric Privacy Policies Build Trust


@DavidHollender

• Control of Information by Individual

• Granular Choices

• Easy to Grant/Revoke

• Choice Both of What Data and How Used

Build Trust – Part II


@AureliePols

5 ONLINE MARKETING RULES TO RESPECT CONSUMER’S PRIVACY


@AureliePols

5 Online Marketing rules to respect consumer's privacy

1. Say what you do and do what you say

2. Harness your data liability

3. Foster data frugality & documentation

Agile is the ‘mot du jour’

4. Cherish the human aspect of data protection

5. Dialogue and find common ground


@AureliePols

1. Say what you Do & Do what you Say

Privacy policies statements:

• Publicly available documents

• Date stamp: less than 1 year old

• Implies processes:

– Eg. “we don’t collect data of minors” => COPPA

– Deletion & anonymization

– Bankruptcy or M&A data transfers

• Attributes responsibility: [email protected]

mailto:[email protected]


@AureliePols

Entreprise goal User goals

Privacy Policy

Requirements

Privacy Mechanisms

Procedures & Processes

Privacy Awareness Training

Quality Assurance

Quality AssuranceFeedback


@AureliePols

Yelp said that only about 0.02 percent of users who actually completed the registration process during the time period provided an underage birth rate, “and we have good reason to believe that many of them were actually adults.”

The company had an average of about 138 million unique visitors in Q2 of 2014.

Cost? above 16$/monthly unique …

Source: http://www.pcworld.com/article/2684752/yelp-settles-us-ftc-charges-of-violating-child-privacy.html

http://www.pcworld.com/article/2684752/yelp-settles-us-ftc-charges-of-violating-child-privacy.html


@AureliePols

2. Harness data liability

Across data platforms & flows

– Understand Terms & Conditions

– Sovereignties/legal jurisdictions:

Safe Harbor and

Binding Corporate Rules (BCRs)

– Access!

Tool vetting

Agency vetting


@AureliePols

Cloud tools fines & warnings

Oi, Brazilian Telco & Phorm

France Telecom & email campaign tool


@AureliePols

Responsibility of analytics agency?

Information Security & Compliance: Follow the Data

Define the tools

Grant accesses

Data collection & data lifecycle

Data sharing & data flows

Often a weak link


@AureliePols

Who has access?

Source: Privacy Green seal, specific audit for analytics tools & data agencies


@AureliePols

3. Foster data frugality & documentation

Old adage: “let’s collect everything, just in case”

New adage: cherry pick the data for which the following must be held true:

1. Without X data attribute, I cannot do Y legitimate task and need no less than X to do Y

2. Additionally collecting data point Z will not jeopardize my initial data collection purpose

Agile is the mot du jour, also for data collection


@AureliePols

Agile ways of working with Purpose and ConsentUse meta-data to classify data fields and groups to

– Identify data fields containing PII/personal data, (ad) collection source, use and disclosure/sharing;

– Identify data fields/groups and their storage that need consent;

– Identify data fields that may need correction by individuals;

– Identify data fields that may need de-identification, anonymization or deletion.


@AureliePols

4. Cherish HR in Data Protection

Human error

causes most

data breaches


@AureliePols

Entreprise goal User goals

Privacy Policy

Requirements

Privacy Mechanisms

Procedures & Processes

Privacy Awareness Training

Quality Assurance

And escalation procedures to attribute responsibilityShould we do this analysis?


@AureliePols

Security (technical)

Data Collection

Pro

cess

es R

eso

urce

s


@AureliePols

Purpose, Consent & Data Uses

Purpose

Consent

FIPPs

Data for approved

use

From:

Purpose

Consent

FIPPsData analysis or merging

New business

opportunity

To:


@AureliePols

5. Dialogue & common ground

Trust and Creepiness: Consent is about a reasonable expectation of the use of data

There’s a fine line between:

– Feeling charmed

– Feeling invaded

Create win-win situations:

– Customers give company information

– Customers get better service/value for money


@AureliePols

Creepy?

For some. Risk to the business?


@AureliePols

Where to start?

Compliance?

Privacy?

Security?

Moving targets


@AureliePols

The “Magnum” Plan• Document your data set-up

• Set-up a compliance check-list:

– Applicable legislations to your sector

– Territorial scope

• Evaluate your risk

• Follow-up with information security measures (data protection)

• Adopt global & sustainable Privacy best practices


@DavidHollender

EXAMPLES & DISCUSSION


@DavidHollender

Privacy Policy = Transparency

• Clear & Concise

• Granular

• Data Rentention

• Accuracy

• Promotes Trust Relationship

Characteristics


@DavidHollender

Privacy Policy – Today’s Ordinary

Like

• Organization / Layout• Plain Language• Clearer than Many

Dislike

• Weak on Choices• Sharing Practices• Data Retention• Policy Changes


@DavidHollender

A Different ApproachAt Micycles, we value and respect our customers and visitors to our store. We take great care in learning about your needs, delivering excellent service and providing you with the best products, while protecting your personal information and respecting your privacy rights. Read on to find out how.

When You Visit Our WebsiteTo present you with the most relevant information and offers, our website automatically collects information about the frequency and duration of your visits, as well as available geographic and demographic information and specific content you view. If you login, we also use any profile information you enter, possibly combined with third party public information for the same purpose. To manage the kinds of information we collect and obtain, click here.

When You Make a PurchaseTo process and fulfill your order, we collect information about you, your payments, and delivery instructions. We also use this information, and if you agree third party information, to provide service and to provide you with information about other products and services you many find valuable. To manage how we use the personal information we collect and how long we keep it, click here.

Your Information Privacy PreferencesWe invite you to tell us how you would like your information managed. You can specify the kinds of information you would like us to have, and you can tell us how you wish to have your information used. You can also indicate for how long we may keep particular types of data on file. To manage your information preferences, click here.


@DavidHollender

Think Outside the Box

McAfee’s Privacy Ninja

Source: http://zurb.com/studios/case-studies/mcafee

http://zurb.com/studios/case-studies/mcafee


@DavidHollender

Another Example

Over-Graph, a French social media company

http://www.over-graph.com/commercial/ToS-EN.pdf

http://www.over-graph.com/commercial/ToS-EN.pdf


@DavidHollender

Enabling Choice

Source: WikiCommons


@DavidHollender

Enabling Choice

Aurélie [email protected]

David [email protected]

Thank You

Gracias



Data & Analytics

eMetrics Summit Boston 2014 - Big Data for Marketing - Privacy Principles & Practices with American Institute for Research