Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
4imprint.com
Pr ivacy and Secur i ty
© 2013 4imprint, Inc. All rights reserved
Pr ivacy and secur i ty onl ine: What is the corporate impact?
In June 2013, Edward Snowden fueled the debate on privacy and democracy
in the digital age. He was called everything from a traitor to a hero when he
revealed that the National Security Agency (NSA) has been eavesdropping on
private citizens through cell phones, laptops, Facebook®, Skype®, chat-rooms and
more. One of the first documents released by Snowden showed that the NSA was
collecting telephone records from millions of customers of Verizon®, one of the
largest U.S. telecommunications providers.1
The Snowden affair raises a number of questions pertaining to consumer privacy
and security rights. NSA officials and other intelligence agencies claim that
these activities are constitutional and occur under the umbrella of rigorous
congressional and judicial oversight, and that it’s essential in order to protect
the public from terrorist attacks. But civil liberties groups such as the Electronic
Frontier Foundation and the American Civil Liberties Union warn that this type
of surveillance goes beyond what Congress intended and violates constitutional
rights. At the heart of the issue is whether or not Americans have rights when
it comes to protecting their personal data. A number of laws and regulations
pertaining to this are currently being debated that will likely affect how
corporations collect and maintain consumer data.
Last year, President Obama introduced the Consumer Privacy Bill of Rights to
protect consumer rights online. In the report, the President noted that “[never]
has privacy been more important than today, in the age of the Internet, the
World Wide Web and smartphones.”2 The legislation is designed to give
consumers a clear understanding of what to expect from companies that handle
their personal information and defines basic principles for companies that use
personal data, and now many companies wonder what this means and how it will
be implemented.
In the meantime, the Federal Trade Commission (FTC) continues to enforce the
existing regulations designed to protect consumer rights. As of October 2013,
the FTC has brought 47 legal actions against organizations that have violated
consumers’ privacy rights, or misled them by failing to maintain security for
sensitive consumer information. Most of the cases violated the Federal Trade
1 Powell, Kenton, and Greg Chen. “NSA Files Decoded: Edward Snowden’s Surveillance Revelations Explained.” The Guardian. N.p., n.d. Web. 13 Nov. 2013. <http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded>.
2 Meece, Mickey. “President Obama’s Consumer Privacy Bill of Rights.” Forbes. Forbes Magazine, 23 Feb. 2012. Web. 14 Nov. 2013. <http://www.forbes.com/sites/mickeymeece/2012/02/23/president-obamas-consumer-privacy-bill-of-rights/>.
© 2013 4imprint, Inc. All rights reserved
Commission Act Section 5 which bars unfair and deceptive acts and practices in or
affecting commerce. In addition to the FTC Act, there are 33 other laws, rules and
guides that provide the agency with enforcement authority to protect consumers’
privacy. It’s a lot to take in and can leave many organizations wondering what
they should be doing to protect consumer data within the confines of the law.
This Blue Paper® looks at the landscape of consumer privacy and security,
particularly how it applies to U.S. corporations. The paper begins with a synopsis
on consumer data and a review of the current landscape of privacy controls in
the United States. The paper also highlights the directives from the Federal Trade
Commission and the suggested best practices corporations should implement to
protect consumer data. The final section explores some of the privacy controls in
other countries, and how it may impact U.S. corporations that operate globally.
Prepare for a journey into a maze of confusion, because privacy and security
online is a moving target, but there are some things your corporation should
know to be in compliance and protect consumer data appropriately.
The truth about consumer data
Consumers understand that businesses, governments and other organizations
gather data about them online. There’s a general acceptance that you leave
a digital footprint anytime you go online to make purchases or simply surf
the Web. Personal details about consumers are also online because they
are shared willingly through chats or social sites like Facebook®, Twitter®
or LinkedIn®. And don’t forget there is consumer data available through
government agencies that are fully searchable. For example, users can view
and search real estate transactions and obtain information on a home and
its value. Even things like birth certificates and signature copies can be
found online.
And it is widely accepted and understood that businesses use consumer
information to help complete transactions, remember consumer preferences,
deliver personalized content and special offers, as well as save consumers time.
It’s common for businesses to track website page views and the number of unique
visitors to a website, among other things.
So, how do Americans feel about privacy online? According to a study from the
Pew Internet and American Life Project Data®, most Internet users would like to
be anonymous online but think it is not possible. The study found that 86 percent
of Internet users have taken steps online to remove or mask digital footprints, by
© 2013 4imprint, Inc. All rights reserved
doing things like clearing cookies or encrypting email.3 Another 55 percent
have taken steps to avoid observation by specific people, organizations or
the government.
Other data shows that Americans use mobile technology more than ever and they
are selective when using apps that require personal information. Pew Internet
revealed that:
•88 percent of U.S. adults own a cell phone;
•43 percent download cell phone applications to their phones;
• 54 percent of app users decided not to install a cell phone app when
they discovered how much personal information they would need to
share in order to use it; and,
• 30 percent of app users have uninstalled an app because they learned
it was collecting personal information they didn’t wish to share.4
Moreover, a representative survey of 792 Internet users found that a number of
users say they have experienced problems because others stole their personal
information or otherwise took advantage of their visibility online. In particular:
• 21 percent of Internet users have had an email or social networking account
compromised or taken over by someone else without permission; and,
• 11 percent have had important personal information stolen such as their
social security number, credit card or bank account information.
According to Lee Rainie, Director of the Pew Research Center’s Internet Project
“[users] clearly want the option of being anonymous online and increasingly
worry that this is not possible.”5
The Federal Trade Commiss ion and U.S. pr ivacy regulat ions
At the state level, some legislators have introduced bills that attempt to
provide greater privacy controls with mixed results. California, considered the
privacy leader, passed measures that allows minors the right to erase social
media posts they regret posting. Three other states enacted laws governing
inheritance of digital information, like Facebook pages. But still, for the most
3 Rainie, Lee. “Pew Research Center’s Internet & American Life Project.” Anonymity, Privacy, and Security Online. N.p., 5 Sept. 2013. Web. 13 Nov. 2013. <http://pewinternet.org/Reports/2013/Anonymity-online.aspx>.
4 Boyles, Jan Lauren. “Privacy and Data Management on Mobile Devices.” Privacy and Data Management on Mobile Devices. N.p., 5 Sept. 2012. Web. 15 Nov. 2013. <http://www.pewinternet.org/Reports/2012/Mobile-Privacy.aspx>.
5 Rainie, Lee. “Pew Research Center’s Internet & American Life Project.” Anonymity, Privacy, and Security Online. N.p., 5 Sept. 2013. Web. 13 Nov. 2013. <http://pewinternet.org/Reports/2013/Anonymity-online.aspx>.
© 2013 4imprint, Inc. All rights reserved
part, U.S. consumers are forced to rely on the promises from businesses and
local governments that their information will not be sold or given away to other
entities. These promises, however, are not legally binding and are often broken
without consequence.6
In the United States, a host of loosely defined consumer privacy laws and
regulations seek to protect any individual from loss of privacy due to failures
or limitations of corporate customer privacy measures. Privacy concerns exist
whenever data relating to a person or persons are collected and stored. Much
of the privacy protection policies in the United States are dictated by the
Electronic Communications Privacy Act, which was passed in 1986, before the
Internet was a reality. Today, for the most part, regulations that dictate how
companies must maintain and protect consumer information are driven by
the Federal Trade Commission.
Indeed, protecting consumer privacy is a hot topic, and one that the Federal
Trade Commission (FTC) takes seriously. In 2012, Google® and the FTC agreed
to a $22.5 million settlement, the largest penalty in the agency’s history, on
charges that Google misrepresented its actions to users of Apple’s Safari®
browser.7 Specifically, the FTC charged that Google placed tracking cookies on
users’ computers, in some cases working around the privacy settings within
the browser. In the settlement, Google agreed not to misrepresent its privacy
policies to consumers. FTC Chairman Jon Leibowitz said that the penalty
highlights the agency’s commitment to enforcing its orders on privacy. “The
record-setting penalty in this matter sends a clear message to all companies
under an FTC privacy order,” Leibowitz said. “No matter how big or small, all
companies must abide by FTC orders against them and keep their privacy promises
to consumers, or they will end up paying many times what it would have cost to
comply in the first place.”
To reign in some of the debate, in March 2012, The Federal Trade Commission
released a report on Protecting Consumer Privacy in an Era of Rapid Change that
outlines some best practices for businesses to help protect the privacy of American
consumers.8 It outlines methods that give consumers greater control over the
collection and use of personal data. The report expands on a directive from
December 2010, which proposed a framework for consumer privacy in light of
6 Harris, Maryls. “Why Doesn’t the State Protect Our Online Privacy? It’s Not as Easy as You Think.” MinnPost. N.p., 11 Nov. 13. Web. 15 Nov. 2013. <http://www.minnpost.com/politics-policy/2013/11/why-doesn-t-state-protect-our-online-privacy-it-s-not-easy-you-think?utm_source=MinnPost-RSS>.
7 Tsukayama, Hayley. “Google Settles FTC Privacy Case for $22.5 Million, Agency’s Largest Penalty.” Washington Post. The Washington Post, 10 Aug. 2012. Web. 14 Nov. 2013. <http://www.washingtonpost.com/blogs/post-tech/post/google-settles-ftc-privacy-case-for-225-million-agencys-largest-penalty/2012/08/09/e048f6a2-e236-11e1-a25e-15067bb31849_blog.html>.
8 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.
© 2013 4imprint, Inc. All rights reserved
new technologies that allow more sophisticated data collection and information
sharing. If you don’t have time (or inclination) to read the 112 page report, it can
be broken down into three basic categories your organization should reevaluate
to make sure you are doing the right things. These include privacy by design,
simplified consumer choice and transparency.
Pract ice pr ivacy by des ign
Privacy by design refers to the development and implementation of a
corporate privacy strategy. In the simplest form, it means making consumer
privacy a priority at every stage of product development and throughout
the delivery of services. The FTC requires that businesses implement practices
“such as data security, reasonable collection limits, sound retention and
disposal practices, and data accuracy.”9
Additionally, the FTC proposes that companies launch comprehensive data
management procedures, including “designating personnel responsible
for employee privacy training and regularly assessing the privacy impact
of specific practices, products and services” that ensure they can maintain
the substantive integrity of their actions to shield privacy.10 (That’s a mouthful!)
In simpler terms, privacy by design means that privacy and data protection are
embedded throughout the life cycle of technologies, from the early design state
to deployment, use and disposal. It’s also about making users’ data private by
default and allowing them to determine what information is shared.
Microsoft® is one company that effectively articulates and implements privacy
by design. On the corporate website, privacy by design is described as “not only
how we build products but also how we operate our services and organize
ourselves as an accountable technology leader.”11 Microsoft International
President Jean-Philippe Courtois detailed Microsoft’s approach to privacy
by design during a speech to the International Association of Privacy
Professionals in Paris in November 2010. As he describes, privacy by design
is implemented through people, processes, privacy technologies and features,
research and outreach.
Microsoft also established processes that support rigorous technical development
standards and frequently conducts privacy reviews to ensure that privacy and data
protections are incorporated into products and services. Microsoft products and
9 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.
10 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.
11 “Microsoft.” Privacy by Design. N.p., n.d. Web. 14 Nov. 2013. <http://www.microsoft.com/privacy/bydesign.aspx>.
© 2013 4imprint, Inc. All rights reserved
services include technologies or features that drive privacy and data protection. In
addition, the company is constantly researching new privacy features in computer
science and software engineering. Part of the Microsoft strategy incorporates
outreach to customers, industry leaders, civil society and governments in order
to establish standards and policies that can help people and organizations better
manage and protect personal information.
Another good example of privacy by design is found in Google’s social network,
Google+®. With Google+, contacts are placed in nonpublic “circles” and users
are asked to designate the circle to share with for every post they make.12
Circles might include friends, colleagues or family, but users are responsible for
denoting what circles receive information for every post they make. Apple’s
iPhone® incorporated privacy by design methods by adding a purple arrow icon
that appears on the screen letting a user know when their location information
is being sent to an app. The idea is to make sure users a re aware when sensitive
information is shared.
At a minimum, companies should review what they are doing in terms of privacy
by design. Does your company embed privacy and data protection throughout
the lifecycle of every process? Is user data private by default? Reviewing these
questions is critical to make sure your corporation adheres to the basic principles
of privacy by design. There are a number of online resources that can help you
define and implement privacy by design. Consider downloading a document from
the Information and Privacy Commissioner on Operationalizing Privacy by Design:
A Guide to Implementing Strong Privacy Practices. In addition, the Center for
Democracy and Technology Online also has a helpful section on privacy by design
that walks companies through basic understanding and implementation.
Enact s impl i f ied consumer choice pol ic ies
The FTC promotes simplified consumer choice policies, which essentially
means being more up-front and direct with consumers about how data will
be used. The FTC requires that companies simplify choices when it comes to
how consumers interact with a company to guard their own privacy. The FTC
states that companies need to offer consumers choices “before collecting and
using consumer data for practices that are consistent with the context of the
transaction or the company’s relationship with the consumer.” Particularly, the
FTC recommends that businesses obtain affirmative, express consent before “(1)
using consumer data in a materially different manner than claimed when the data
was collected; or (2) collecting sensitive data for certain purposes.”13
12 Hill, Kashmir. “Why ‘Privacy By Design’ Is The New Corporate Hotness.” Forbes Magazine, 28 July 2011. Web. 14 Nov. 2013. <http://www.forbes.com/sites/kashmirhill/2011/07/28/why-privacy-by-design-is-the-new-corporate-hotness/>.
13 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.
© 2013 4imprint, Inc. All rights reserved
How can you simplify consumer choice? It’s really about providing consumer
choices in “just in time” scenarios. Whether the behavior is online, such as the site
where an online consumer is providing personal data, or offline, such as requiring
the cashier to ask the customer whether he or she would like to receive marketing
offers from other companies, it’s important to present consumers with the ability
to make meaningful choices at the point when the consumer is providing data or
engaging with the company. Companies should also offer one choice at a time
and obtain affirmative express consent before using consumer data.
That said, the FTC noted that there are some commonly accepted practices where
a company is not required to seek consumer consent. These include the following:
• Product and service fulfillment: Websites collect contact information for
shipping requests and credit card information for payment.
• Internal operations: Hotels and restaurants collect customer satisfaction
surveys to improve their customer service. Websites collect information
about visits and click-through rates to improve site navigation.
• Fraud prevention: Offline retailers check driver’s licenses when consumers
pay by check to monitor against fraud. Online businesses also employ
fraud-detection services to prevent fraudulent transactions.
• Legal compliance and public purpose: Search engines, mobile applications
and pawn shops share their customer data with law enforcement agencies
in response to subpoenas. A business reports a consumer’s delinquent
account to a credit bureau.
• First-party marketing: Online retailers recommend products and services
based upon consumers’ prior purchases on the website. Offline retailers
do the same and may, for example, offer frequent purchasers of diapers a
coupon for baby formula at the cash register.
For now, if your organization is collecting consumer information in the above
areas, consent is not required. However, a good faith practice is to inform the
consumer how and why information is gathered whenever possible. Of course,
it’s always a best practice to make sure you obtain consent when requiring and
offering simplistic and meaningful choices to consumers.
What about Do Not Track as i t perta ins to consumer choice?
As part of simplified choice principles, the FTC expects companies develop
mechanisms that enable consumers to better control tracking of their online
activities, a concept referred to as “Do Not Track.” Under the proposed
framework, this consumer control includes providing consumers with a choice
© 2013 4imprint, Inc. All rights reserved
whether to be tracked across other parties’ websites (including affiliates’
websites). Many companies have made strides in this area to assist consumers in
controlling what information is accessible and for what purposes, but the FTC
encourages continued progress and more complete implementation of consumer
control mechanisms. The FTC established a workgroup of several companies to
further develop controls that can be adopted universally.
The FTC suggests that Do Not Track should be put into effect through legislation
or robust self-regulation, but it is not legally binding. The framework states that
the most practical method to apply this function “would likely involve placing a
setting similar to a persistent cookie on a consumer’s browser and conveying that
setting to sites that the browser visits, to signal whether or not the consumer
wants to be tracked or receive targeted advertisements. Last year, a standardized
Do Not Track feature implemented by some organizations allowed consumers to
opt out receiving targeted ads from up to 114 third-party advertisers. A million
people used the tool and more than 5 million visited the site for information
about online ads.14
Right now, you can select “Do Not Track” options in Firefox®, Internet Explorer®
and Safari®, which send messages to websites that users do not want to be
followed online with cookies or other mechanisms. Some companies are being
proactive when it comes to adding Do Not Track Features. You can check out
FireFox® for example, and its defined Do Not Track options online. Twitter® is
another company that receives high marks for Do Not Track compliance. The
company gives users the option to opt out of being tracked and provides
easy-to-follow directions on how to do it. Also, Twitter recently fought a court
order asking for user’s data, which demonstrates a commitment to protecting user
privacy on a whole.15 It’s not a bad idea to check out what other companies are
doing with Do Not Track to get some ideas for your own organization.
Keep in mind though, the Do Not Track feature is unresolved and there is no
consensus on what should be included and how companies should be required
to use it. A working group on the issue is affiliated with the World Wide Web
Consortium (W3C), the official custodian of Web standards. The collection of
ad companies, privacy advocates and outside experts convened to settle the
longstanding debate about consumer privacy and determine the future of
advertising technology. The working group is stalled on a number of issues,
14 Fung, Brian. “The Internet’s Best Hope for a Do Not Track Standard Is Falling Apart. Here’s Why.” The Switch: Where Technology and Policy Connect. The Washington Post, 11 Oct. 2013. Web. 15 Nov. 2013. <http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/11/the-internets-best-hope-for-a-do-not-track-standard-is-falling-apart-heres-why/>.
15 Wagstaff, Keith. “Grading How Well Companies Are Cooperating with ‘Do Not Track’ | TIME.com.” Time. Time, 12 May 2012. Web. 26 Nov. 2013. <http://techland.time.com/2012/05/21/grading-how-companies-are-cooperating-with-do-not-track/>.
© 2013 4imprint, Inc. All rights reserved
including the obligations advertising companies have with regard to online
tracking and what the word “tracking” even means. The Electronic Frontier
Foundation asked for the group to disband, citing lack of agreement and loss of
confidence in the process. At issue is the fact that although the opt-out function
is meant to guarantee the end of targeted advertising, it doesn’t rule out the
collection of consumer data. As of October 2013, the future of Do Not Track
negotiations is delayed, pending the establishment of Do Not Track guidelines
and steps for compliance.
Be transparent with consumer data
Keep it short and simple: That’s the FTC’s advice for creating and improving
existing transparent data practices. In particular, companies should use privacy
notices that are “clearer, shorter, and more standardized to enable better
comprehension and comparison of privacy practices.”16 Furthermore, “companies
should provide reasonable access to the consumer data they maintain; the extent
of access should be proportionate to the sensitivity of the data and the nature of
its use.” Finally, organizations should prioritize the education of consumers with
regard to commercial data privacy practices.
The FTC advocated for Congress to enact privacy legislation to give legal
enforceability to its recommended practices; in the meantime, the FTC advised
that companies should “accelerate the pace of self-regulation.”17 To-date there is
no overarching legislation in place, how transparency is available to consumers is
decided by organizations on a case-by-case basis.
Some companies are being proactive in providing consumers with full
transparency. Take for example, the company Acxiom®. The organization
recently launched a site called AboutTheData that invites users to enter
their names, addresses, and the last four digits of their social security
numbers to access a portal that reveals the information the company
has gathered on them. This includes age, estimated income, residence,
ethnicity, marital status and categories of product purchases, including
anything from food to home furnishings that the consumer made via
mail order. It’s a proactive attempt to give consumers a chance to see
what kind of information the company collects combined with the
ability to edit and change any data, as well as opt-out from receiving
targeted ads.
16 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.
17 Ibid.
© 2013 4imprint, Inc. All rights reserved
In 2012, Epsilon®, another data collection agency, began providing customers
with a paper report for a small fee that discloses all the data the company has
collected on them. Likewise, BlueKai™ and Exelate®, both companies that collect
behavioral data for online ad targeting, are also providing data-transparency
systems. The BlueKai’s registry aims to put consumers in control of their digital
footprint by allowing consumers to see what preferences are being logged by
other third-party data creators on their computer. As BlueKai states on its home
page, it’s a way to be “transparent about what data companies think about your
computer.” Consumers can control their anonymous profile by managing topics of
interest, changing preferences or choosing to opt out of future marketing efforts.
Michael Nadeau, the publisher of Data Informed®, put together a list of things
every company should tell their consumer regarding its data policies and
collection.18 According to Nadeau, companies should share the following:
•exactly what data is being collected,
•how the data collection technology works,
•how the data is secured,
•why the data is collected,
•how the data is analyzed and reported,
•who is seeing the data, and
•how the collected data benefits the consumer.
Once your company outlines the answers to these questions, it should be
circulated in a way that makes it easy for consumers to find. Providing the
answers to simple questions like these helps promote full transparency and often
puts consumers at ease regarding your data collection policies.
What about the Consumer Pr ivacy Bi l l of R ights?
In 2012, the Obama administration proposed the Consumer Privacy Bill of
Rights, which is the most comprehensive bill designed to address consumer
privacy concerns. Specifically, the bill calls for a multi-stakeholder process to
produce enforceable codes of conduct among organizations and agencies that
collect consumer data. These guidelines outlined in the bill promote the idea of
transparency in all aspects of data use to allow individuals the opportunity to
control when and how their personal information is used.
18 Nadeau, Michael. “To Win Consumer Trust, You Need Transparent Data Collection Policies - See More At: Http://data-informed.com/win-consumer-trust-need-transparent-data-collection-policies/#sthash.omc8YzVF.dpuf.” Data Informed: Big Data and Analytics in the Enterprise. N.p., 20 Sept. 2013. Web. 17 Nov. 2013. <http://data-informed.com/win-consumer-trust-need-transparent-data-collection-policies/>.
© 2013 4imprint, Inc. All rights reserved
The Consumer Privacy Bill of Rights proposes the following:
• Individual control: Consumers have a right to exercise control over what
personal information companies collect from them and how they use it.
• Transparency: Consumers have a right to easily understandable and
accessible information about privacy and security practices.
• Respect for context: Consumers have a right to expect that companies will
collect, use, and disclose personal data in ways that are consistent with the
context in which consumers provide the data.
• Security: Consumers have a right to secure and responsible handling of
personal data.
• Access and accuracy: Consumers have a right to access and correct
personal data in usable formats, in a manner that is appropriate to the
sensitivity of the data and the risk of adverse consequences to consumers
if the data is inaccurate.
• Focused collection: Consumers have a right to reasonable limits on the
personal data that companies collect and retain.
• Accountability: Consumers have a right to have personal data handled by
companies with appropriate measures in place to assure they adhere to the
Consumer Privacy Bill of Rights.
President Obama challenged companies to begin immediately working with
privacy advocates, consumer protection enforcement agencies, and others under
the direction of the Commerce Department to develop enforceable codes of
conduct. The goal is for Congress to put those agreed-upon guidelines into law.
Thus far, the response to the bill has been varied. Some claim that the bill is
largely aspirational because it does not create any enforceable obligations.
In truth, the framework simply creates suggested guidelines for companies
that collect personal data as a primary function of their business operations.
There is no legislation officially in place to monitor corporate behaviors, and
as the administration recognizes, in the absence of legislation these are only
“general principles that afford companies discretion in how
they implement them.”19 As a corporation, you may be asking,
what’s next? That’s a good question, and one that is not clearly
answered. While the bill proposes a list of suggestions and ideas,
it is not legally binding. Until more legislation is approved by
Congress, the impact of the bill remains to be seen.
19 “We Can’t Wait: Obama Administration Unveils Blueprint for a “Privacy Bill of Rights” to Protect Consumers Online.” The White House. N.p., 23 Feb. 2012. Web. 14 Nov. 2013. <http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights>.
© 2013 4imprint, Inc. All rights reserved
What about pr ivacy and secur i ty laws in the rest of the world?
Internet privacy laws across the globe vary from robust, non-existent and
ambiguous. China has some of the strongest consumer privacy and security
rules in the world. Effective in September 2013, China’s Ministry of Industry and
Information Technology (“MIIT”) passed strict regulations aimed to protect the
personal information of telecommunication and Internet users. Companies are
required to post personal information collection polices in their place of business
(or online) and may not use personal information without explicit user consent.
Organizations must also notify users regarding the collection, purpose, methods
and scope of use when collecting personal information. These are considered
binding requirements in China and legal action can be taken if a company
violates the policy. However, China’s Internet regulations are not applied to
other countries.
The European Union (EU) also adopted strict data privacy laws as well. The
EU’s General Data Protection Regulation (GDPR) is applied to 28-member
nations and is planned to take effect in 2016, after a two-year transition period.
It harmonizes the current data protection laws in place across all EU member
states. Basically, the GDPR establishes a regulatory framework that outlines a
number of restrictions designed to protect the privacy of individuals and personal
data within the European Union (EU). It also establishes strict limits on the
collection and use of personal data, and demands that every EU state creates an
independent national body responsible for the protection of these data. Among
other things, the measure limits the tracking and profiling activities that allow
for targeted advertising and the ability of a consumer to erase personal data
information. To ensure compliance, fines can be imposed that range anywhere
from .5 percent to two percent of an organization’s global sales.
Some companies are already taking note of the EU legislation. Google,
Microsoft, Apple and Facebook have already modified privacy policies as a
result of the mandate. To be compliant with EU regulations, U.S. companies
that operate in Europe must address what the EU calls “the right to be
forgotten.” It essentially means that the user owns his or her information and
that the user has the right to prevent websites and other online services from
keeping it and storing it. In short, it means providing a system that allows users
to erase data after it has been collected.
U.S. companies will also need to gain explicit consent to share data. Currently in
the U.S., everything from financial institutions to social networking sites share
user data with partners and advertising firms. According to the EU proposal,
© 2013 4imprint, Inc. All rights reserved
users should decide if and when a company can share his or her data. That means
American companies must become more upfront about exactly what data they
are sharing and give users the opportunity to opt out of that sharing without
being penalized.
Seize the opportunity: How to manage consumer pr ivacy
Believe it or not, companies can turn the debate on privacy and consumer
protection into opportunity. According to authors Catherine Tucker and Avi
Goldfarb from MIT Sloan Management Review, by managing consumer privacy
proactively you can improve your brand.20 As the authors describe in the article,
Why Managing Consumer Privacy Can Be an Opportunity: “Companies should
view the establishment of a framework of consumer privacy controls as a key
marketing and strategic variable that conveys considerable benefits.”21
According to the authors, there are three things your company can do right
now to demonstrate a commitment to consumer privacy and establish a privacy
framework. These include:
1. Develop user-centric privacy controls to give customers control.
2. Avoid multiple intrusions.
3. Prevent human intrusion by using automation wherever possible.
Why should you develop user-centric privacy controls? Because it allows
consumers to set limits on what aspects of their data the company can access.
Research shows that if customers feel in control of their data, they become
substantially more responsive to targeted advertising. To develop a user-centric
privacy approach consider the following:
• Be up front about the types of data you are collecting about your consumers
and with whom you are sharing it.
• Offer consumers a short menu of options when they register with your
website or make a purchase.
• Replicate this process to drive registrations by specifying that registered
users get more choice on how their data is used.
20 Tucker, Catherine, and Avi Goldfarb. “Why Managing Consumer Privacy Can Be an Opportunity.” MIT Sloan Management Review RSS. N.p., 19 Mar. 2013. Web. 26 Nov. 2013. <http://sloanreview.mit.edu/article/why-managing-consumer-privacy-can-be-an-opportunity/>.
21 Ibid.
© 2013 4imprint, Inc. All rights reserved
By giving consumers power to control their data, it can increase their comfort
with how companies use their data to improve their product offerings. The key
for companies is to employ consumer-centric controls and to view them as an
integral part of managing a positive customer relationship.
Another best practice is to avoid multiple intrusions. Ultimately, just because
you can intrude on a consumer by either using data or pushing content and pop
up ads, it does nothing to obtain customer loyalty. In fact, the combination of
multiple intrusive tactics usually backfires. Research shows that customers will
accept one targeted intrusion (e.g. pop-up ads) but when it’s combined with
another intrusion (e.g. targeted advertising) it harms the customer perceptions of
the company. Below is a list of techniques to consider to avoid multiple intrusions:
• When using customer data to target messages, make sure that customers do
not feel taken advantage of in other ways.
• Ads that target Web-browsing behavior are more effective if they do not
intrude on the computer screen.
• Ads that pop up or take over a computer screen will be more effective if
they do not also target prior Web-browsing behavior.
• Automated telephone messages feel more intrusive if they start with a
robotized voice addressing the consumer by name.
Finally, consider using automation to prevent human intrusion. Consumers
are more comfortable when a machine processes their personal data than when
a person does. Automated systems search habits, buying patterns and trends,
and do not pass judgment on consumer behavior. As a result, consumers find it’s
much easier to forgive an automated system for sending dieting tips instead of
an actual person. The idea is to ensure consumers that their privacy, particularly
consumer privacy, is valued by your organization. A best practice is to reinforce
an informal culture in which privacy is respected and privacy violations are
punished internally.
Overall, companies have an opportunity to demonstrate to consumers that they
care about privacy issues. As noted in the MIT article: “Companies [need to] shift
from thinking about privacy as a compliance burden to thinking of treating data
with courtesy as a fundamental part of the relationship with their customers.
Privacy policies should be organized around managing customer data courteously,
in accordance with consistent principles that customers feel comfortable with.”22
22 Ibid.
© 2013 4imprint, Inc. All rights reserved
4imprint serves more than 100,000 businesses with innovative promotional items throughout the United States,
Canada, United Kingdom and Ireland. Its product offerings include giveaways, business gifts, personalized gifts,
embroidered apparel, promotional pens, travel mugs, tote bags, water bottles, Post-it Notes, custom calendars,
and many other promotional items. For additional information, log on to www.4imprint.com.
What’s next?
The rapid growth of technology, the Internet and electronic commerce have
sparked a debate on privacy and security that will continue to evolve. Privacy
issues are at the forefront of government agencies, businesses, politicians and the
public. No doubt the debate will continue and more changes will be required.
Until then, it’s a good idea to make sure your company is doing all it can to
promote transparency, consumer choice and privacy by design. If you haven’t
already, review your privacy policies and make sure they are in sync with the latest
legislative requirements. There are a number of organizations that conduct a
privacy audit and a basic Internet search will yield several experts in the area. For
example, The American Library Association provides a number of free resources
that can help you get started. There’s also a Privacy Toolkit that walks companies
through the basics of evaluating your privacy strategy.
Whatever you do, it’s a good idea to do it soon. Privacy and security online is a
moving target, but one that demands your attention. If anything, the controls
will only get stronger as more legislation is introduced. If you reign in privacy
controls now, you’ll be ready for whatever comes next.