Privacy and Security - 4imprint Learning Centerinfo.4imprint.com/...1213-Privacy-and-Security-Blue...• 21 percent of Internet users have had an email or social networking account

4imprint.com

Pr ivacy and Secur i ty

© 2013 4imprint, Inc. All rights reserved

Pr ivacy and secur i ty onl ine: What is the corporate impact?

In June 2013, Edward Snowden fueled the debate on privacy and democracy

in the digital age. He was called everything from a traitor to a hero when he

revealed that the National Security Agency (NSA) has been eavesdropping on

private citizens through cell phones, laptops, Facebook®, Skype®, chat-rooms and

more. One of the first documents released by Snowden showed that the NSA was

collecting telephone records from millions of customers of Verizon®, one of the

largest U.S. telecommunications providers.1

The Snowden affair raises a number of questions pertaining to consumer privacy

and security rights. NSA officials and other intelligence agencies claim that

these activities are constitutional and occur under the umbrella of rigorous

congressional and judicial oversight, and that it’s essential in order to protect

the public from terrorist attacks. But civil liberties groups such as the Electronic

Frontier Foundation and the American Civil Liberties Union warn that this type

of surveillance goes beyond what Congress intended and violates constitutional

rights. At the heart of the issue is whether or not Americans have rights when

it comes to protecting their personal data. A number of laws and regulations

pertaining to this are currently being debated that will likely affect how

corporations collect and maintain consumer data.

Last year, President Obama introduced the Consumer Privacy Bill of Rights to

protect consumer rights online. In the report, the President noted that “[never]

has privacy been more important than today, in the age of the Internet, the

World Wide Web and smartphones.”2 The legislation is designed to give

consumers a clear understanding of what to expect from companies that handle

their personal information and defines basic principles for companies that use

personal data, and now many companies wonder what this means and how it will

be implemented.

In the meantime, the Federal Trade Commission (FTC) continues to enforce the

existing regulations designed to protect consumer rights. As of October 2013,

the FTC has brought 47 legal actions against organizations that have violated

consumers’ privacy rights, or misled them by failing to maintain security for

sensitive consumer information. Most of the cases violated the Federal Trade

1 Powell, Kenton, and Greg Chen. “NSA Files Decoded: Edward Snowden’s Surveillance Revelations Explained.” The Guardian. N.p., n.d. Web. 13 Nov. 2013. <http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded>.

2 Meece, Mickey. “President Obama’s Consumer Privacy Bill of Rights.” Forbes. Forbes Magazine, 23 Feb. 2012. Web. 14 Nov. 2013. <http://www.forbes.com/sites/mickeymeece/2012/02/23/president-obamas-consumer-privacy-bill-of-rights/>.


Commission Act Section 5 which bars unfair and deceptive acts and practices in or

affecting commerce. In addition to the FTC Act, there are 33 other laws, rules and

guides that provide the agency with enforcement authority to protect consumers’

privacy. It’s a lot to take in and can leave many organizations wondering what

they should be doing to protect consumer data within the confines of the law.

This Blue Paper® looks at the landscape of consumer privacy and security,

particularly how it applies to U.S. corporations. The paper begins with a synopsis

on consumer data and a review of the current landscape of privacy controls in

the United States. The paper also highlights the directives from the Federal Trade

Commission and the suggested best practices corporations should implement to

protect consumer data. The final section explores some of the privacy controls in

other countries, and how it may impact U.S. corporations that operate globally.

Prepare for a journey into a maze of confusion, because privacy and security

online is a moving target, but there are some things your corporation should

know to be in compliance and protect consumer data appropriately.

The truth about consumer data

Consumers understand that businesses, governments and other organizations

gather data about them online. There’s a general acceptance that you leave

a digital footprint anytime you go online to make purchases or simply surf

the Web. Personal details about consumers are also online because they

are shared willingly through chats or social sites like Facebook®, Twitter®

or LinkedIn®. And don’t forget there is consumer data available through

government agencies that are fully searchable. For example, users can view

and search real estate transactions and obtain information on a home and

its value. Even things like birth certificates and signature copies can be

found online.

And it is widely accepted and understood that businesses use consumer

information to help complete transactions, remember consumer preferences,

deliver personalized content and special offers, as well as save consumers time.

It’s common for businesses to track website page views and the number of unique

visitors to a website, among other things.

So, how do Americans feel about privacy online? According to a study from the

Pew Internet and American Life Project Data®, most Internet users would like to

be anonymous online but think it is not possible. The study found that 86 percent

of Internet users have taken steps online to remove or mask digital footprints, by


doing things like clearing cookies or encrypting email.3 Another 55 percent

have taken steps to avoid observation by specific people, organizations or

the government.

Other data shows that Americans use mobile technology more than ever and they

are selective when using apps that require personal information. Pew Internet

revealed that:

•88 percent of U.S. adults own a cell phone;

•43 percent download cell phone applications to their phones;

• 54 percent of app users decided not to install a cell phone app when

they discovered how much personal information they would need to

share in order to use it; and,

• 30 percent of app users have uninstalled an app because they learned

it was collecting personal information they didn’t wish to share.4

Moreover, a representative survey of 792 Internet users found that a number of

users say they have experienced problems because others stole their personal

information or otherwise took advantage of their visibility online. In particular:

• 21 percent of Internet users have had an email or social networking account

compromised or taken over by someone else without permission; and,

• 11 percent have had important personal information stolen such as their

social security number, credit card or bank account information.

According to Lee Rainie, Director of the Pew Research Center’s Internet Project

“[users] clearly want the option of being anonymous online and increasingly

worry that this is not possible.”5

The Federal Trade Commiss ion and U.S. pr ivacy regulat ions

At the state level, some legislators have introduced bills that attempt to

provide greater privacy controls with mixed results. California, considered the

privacy leader, passed measures that allows minors the right to erase social

media posts they regret posting. Three other states enacted laws governing

inheritance of digital information, like Facebook pages. But still, for the most

3 Rainie, Lee. “Pew Research Center’s Internet & American Life Project.” Anonymity, Privacy, and Security Online. N.p., 5 Sept. 2013. Web. 13 Nov. 2013. <http://pewinternet.org/Reports/2013/Anonymity-online.aspx>.

4 Boyles, Jan Lauren. “Privacy and Data Management on Mobile Devices.” Privacy and Data Management on Mobile Devices. N.p., 5 Sept. 2012. Web. 15 Nov. 2013. <http://www.pewinternet.org/Reports/2012/Mobile-Privacy.aspx>.

5 Rainie, Lee. “Pew Research Center’s Internet & American Life Project.” Anonymity, Privacy, and Security Online. N.p., 5 Sept. 2013. Web. 13 Nov. 2013. <http://pewinternet.org/Reports/2013/Anonymity-online.aspx>.


part, U.S. consumers are forced to rely on the promises from businesses and

local governments that their information will not be sold or given away to other

entities. These promises, however, are not legally binding and are often broken

without consequence.6

In the United States, a host of loosely defined consumer privacy laws and

regulations seek to protect any individual from loss of privacy due to failures

or limitations of corporate customer privacy measures. Privacy concerns exist

whenever data relating to a person or persons are collected and stored. Much

of the privacy protection policies in the United States are dictated by the

Electronic Communications Privacy Act, which was passed in 1986, before the

Internet was a reality. Today, for the most part, regulations that dictate how

companies must maintain and protect consumer information are driven by

the Federal Trade Commission.

Indeed, protecting consumer privacy is a hot topic, and one that the Federal

Trade Commission (FTC) takes seriously. In 2012, Google® and the FTC agreed

to a $22.5 million settlement, the largest penalty in the agency’s history, on

charges that Google misrepresented its actions to users of Apple’s Safari®

browser.7 Specifically, the FTC charged that Google placed tracking cookies on

users’ computers, in some cases working around the privacy settings within

the browser. In the settlement, Google agreed not to misrepresent its privacy

policies to consumers. FTC Chairman Jon Leibowitz said that the penalty

highlights the agency’s commitment to enforcing its orders on privacy. “The

record-setting penalty in this matter sends a clear message to all companies

under an FTC privacy order,” Leibowitz said. “No matter how big or small, all

companies must abide by FTC orders against them and keep their privacy promises

to consumers, or they will end up paying many times what it would have cost to

comply in the first place.”

To reign in some of the debate, in March 2012, The Federal Trade Commission

released a report on Protecting Consumer Privacy in an Era of Rapid Change that

outlines some best practices for businesses to help protect the privacy of American

consumers.8 It outlines methods that give consumers greater control over the

collection and use of personal data. The report expands on a directive from

December 2010, which proposed a framework for consumer privacy in light of

6 Harris, Maryls. “Why Doesn’t the State Protect Our Online Privacy? It’s Not as Easy as You Think.” MinnPost. N.p., 11 Nov. 13. Web. 15 Nov. 2013. <http://www.minnpost.com/politics-policy/2013/11/why-doesn-t-state-protect-our-online-privacy-it-s-not-easy-you-think?utm_source=MinnPost-RSS>.

7 Tsukayama, Hayley. “Google Settles FTC Privacy Case for $22.5 Million, Agency’s Largest Penalty.” Washington Post. The Washington Post, 10 Aug. 2012. Web. 14 Nov. 2013. <http://www.washingtonpost.com/blogs/post-tech/post/google-settles-ftc-privacy-case-for-225-million-agencys-largest-penalty/2012/08/09/e048f6a2-e236-11e1-a25e-15067bb31849_blog.html>.

8 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.


new technologies that allow more sophisticated data collection and information

sharing. If you don’t have time (or inclination) to read the 112 page report, it can

be broken down into three basic categories your organization should reevaluate

to make sure you are doing the right things. These include privacy by design,

simplified consumer choice and transparency.

Pract ice pr ivacy by des ign

Privacy by design refers to the development and implementation of a

corporate privacy strategy. In the simplest form, it means making consumer

privacy a priority at every stage of product development and throughout

the delivery of services. The FTC requires that businesses implement practices

“such as data security, reasonable collection limits, sound retention and

disposal practices, and data accuracy.”9

Additionally, the FTC proposes that companies launch comprehensive data

management procedures, including “designating personnel responsible

for employee privacy training and regularly assessing the privacy impact

of specific practices, products and services” that ensure they can maintain

the substantive integrity of their actions to shield privacy.10 (That’s a mouthful!)

In simpler terms, privacy by design means that privacy and data protection are

embedded throughout the life cycle of technologies, from the early design state

to deployment, use and disposal. It’s also about making users’ data private by

default and allowing them to determine what information is shared.

Microsoft® is one company that effectively articulates and implements privacy

by design. On the corporate website, privacy by design is described as “not only

how we build products but also how we operate our services and organize

ourselves as an accountable technology leader.”11 Microsoft International

President Jean-Philippe Courtois detailed Microsoft’s approach to privacy

by design during a speech to the International Association of Privacy

Professionals in Paris in November 2010. As he describes, privacy by design

is implemented through people, processes, privacy technologies and features,

research and outreach.

Microsoft also established processes that support rigorous technical development

standards and frequently conducts privacy reviews to ensure that privacy and data

protections are incorporated into products and services. Microsoft products and



11 “Microsoft.” Privacy by Design. N.p., n.d. Web. 14 Nov. 2013. <http://www.microsoft.com/privacy/bydesign.aspx>.


services include technologies or features that drive privacy and data protection. In

addition, the company is constantly researching new privacy features in computer

science and software engineering. Part of the Microsoft strategy incorporates

outreach to customers, industry leaders, civil society and governments in order

to establish standards and policies that can help people and organizations better

manage and protect personal information.

Another good example of privacy by design is found in Google’s social network,

Google+®. With Google+, contacts are placed in nonpublic “circles” and users

are asked to designate the circle to share with for every post they make.12

Circles might include friends, colleagues or family, but users are responsible for

denoting what circles receive information for every post they make. Apple’s

iPhone® incorporated privacy by design methods by adding a purple arrow icon

that appears on the screen letting a user know when their location information

is being sent to an app. The idea is to make sure users a re aware when sensitive

information is shared.

At a minimum, companies should review what they are doing in terms of privacy

by design. Does your company embed privacy and data protection throughout

the lifecycle of every process? Is user data private by default? Reviewing these

questions is critical to make sure your corporation adheres to the basic principles

of privacy by design. There are a number of online resources that can help you

define and implement privacy by design. Consider downloading a document from

the Information and Privacy Commissioner on Operationalizing Privacy by Design:

A Guide to Implementing Strong Privacy Practices. In addition, the Center for

Democracy and Technology Online also has a helpful section on privacy by design

that walks companies through basic understanding and implementation.

Enact s impl i f ied consumer choice pol ic ies

The FTC promotes simplified consumer choice policies, which essentially

means being more up-front and direct with consumers about how data will

be used. The FTC requires that companies simplify choices when it comes to

how consumers interact with a company to guard their own privacy. The FTC

states that companies need to offer consumers choices “before collecting and

using consumer data for practices that are consistent with the context of the

transaction or the company’s relationship with the consumer.” Particularly, the

FTC recommends that businesses obtain affirmative, express consent before “(1)

using consumer data in a materially different manner than claimed when the data

was collected; or (2) collecting sensitive data for certain purposes.”13

12 Hill, Kashmir. “Why ‘Privacy By Design’ Is The New Corporate Hotness.” Forbes Magazine, 28 July 2011. Web. 14 Nov. 2013. <http://www.forbes.com/sites/kashmirhill/2011/07/28/why-privacy-by-design-is-the-new-corporate-hotness/>.



How can you simplify consumer choice? It’s really about providing consumer

choices in “just in time” scenarios. Whether the behavior is online, such as the site

where an online consumer is providing personal data, or offline, such as requiring

the cashier to ask the customer whether he or she would like to receive marketing

offers from other companies, it’s important to present consumers with the ability

to make meaningful choices at the point when the consumer is providing data or

engaging with the company. Companies should also offer one choice at a time

and obtain affirmative express consent before using consumer data.

That said, the FTC noted that there are some commonly accepted practices where

a company is not required to seek consumer consent. These include the following:

• Product and service fulfillment: Websites collect contact information for

shipping requests and credit card information for payment.

• Internal operations: Hotels and restaurants collect customer satisfaction

surveys to improve their customer service. Websites collect information

about visits and click-through rates to improve site navigation.

• Fraud prevention: Offline retailers check driver’s licenses when consumers

pay by check to monitor against fraud. Online businesses also employ

fraud-detection services to prevent fraudulent transactions.

• Legal compliance and public purpose: Search engines, mobile applications

and pawn shops share their customer data with law enforcement agencies

in response to subpoenas. A business reports a consumer’s delinquent

account to a credit bureau.

• First-party marketing: Online retailers recommend products and services

based upon consumers’ prior purchases on the website. Offline retailers

do the same and may, for example, offer frequent purchasers of diapers a

coupon for baby formula at the cash register.

For now, if your organization is collecting consumer information in the above

areas, consent is not required. However, a good faith practice is to inform the

consumer how and why information is gathered whenever possible. Of course,

it’s always a best practice to make sure you obtain consent when requiring and

offering simplistic and meaningful choices to consumers.

What about Do Not Track as i t perta ins to consumer choice?

As part of simplified choice principles, the FTC expects companies develop

mechanisms that enable consumers to better control tracking of their online

activities, a concept referred to as “Do Not Track.” Under the proposed

framework, this consumer control includes providing consumers with a choice


whether to be tracked across other parties’ websites (including affiliates’

websites). Many companies have made strides in this area to assist consumers in

controlling what information is accessible and for what purposes, but the FTC

encourages continued progress and more complete implementation of consumer

control mechanisms. The FTC established a workgroup of several companies to

further develop controls that can be adopted universally.

The FTC suggests that Do Not Track should be put into effect through legislation

or robust self-regulation, but it is not legally binding. The framework states that

the most practical method to apply this function “would likely involve placing a

setting similar to a persistent cookie on a consumer’s browser and conveying that

setting to sites that the browser visits, to signal whether or not the consumer

wants to be tracked or receive targeted advertisements. Last year, a standardized

Do Not Track feature implemented by some organizations allowed consumers to

opt out receiving targeted ads from up to 114 third-party advertisers. A million

people used the tool and more than 5 million visited the site for information

about online ads.14

Right now, you can select “Do Not Track” options in Firefox®, Internet Explorer®

and Safari®, which send messages to websites that users do not want to be

followed online with cookies or other mechanisms. Some companies are being

proactive when it comes to adding Do Not Track Features. You can check out

FireFox® for example, and its defined Do Not Track options online. Twitter® is

another company that receives high marks for Do Not Track compliance. The

company gives users the option to opt out of being tracked and provides

easy-to-follow directions on how to do it. Also, Twitter recently fought a court

order asking for user’s data, which demonstrates a commitment to protecting user

privacy on a whole.15 It’s not a bad idea to check out what other companies are

doing with Do Not Track to get some ideas for your own organization.

Keep in mind though, the Do Not Track feature is unresolved and there is no

consensus on what should be included and how companies should be required

to use it. A working group on the issue is affiliated with the World Wide Web

Consortium (W3C), the official custodian of Web standards. The collection of

ad companies, privacy advocates and outside experts convened to settle the

longstanding debate about consumer privacy and determine the future of

advertising technology. The working group is stalled on a number of issues,

14 Fung, Brian. “The Internet’s Best Hope for a Do Not Track Standard Is Falling Apart. Here’s Why.” The Switch: Where Technology and Policy Connect. The Washington Post, 11 Oct. 2013. Web. 15 Nov. 2013. <http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/11/the-internets-best-hope-for-a-do-not-track-standard-is-falling-apart-heres-why/>.

15 Wagstaff, Keith. “Grading How Well Companies Are Cooperating with ‘Do Not Track’ | TIME.com.” Time. Time, 12 May 2012. Web. 26 Nov. 2013. <http://techland.time.com/2012/05/21/grading-how-companies-are-cooperating-with-do-not-track/>.


including the obligations advertising companies have with regard to online

tracking and what the word “tracking” even means. The Electronic Frontier

Foundation asked for the group to disband, citing lack of agreement and loss of

confidence in the process. At issue is the fact that although the opt-out function

is meant to guarantee the end of targeted advertising, it doesn’t rule out the

collection of consumer data. As of October 2013, the future of Do Not Track

negotiations is delayed, pending the establishment of Do Not Track guidelines

and steps for compliance.

Be transparent with consumer data

Keep it short and simple: That’s the FTC’s advice for creating and improving

existing transparent data practices. In particular, companies should use privacy

notices that are “clearer, shorter, and more standardized to enable better

comprehension and comparison of privacy practices.”16 Furthermore, “companies

should provide reasonable access to the consumer data they maintain; the extent

of access should be proportionate to the sensitivity of the data and the nature of

its use.” Finally, organizations should prioritize the education of consumers with

regard to commercial data privacy practices.

The FTC advocated for Congress to enact privacy legislation to give legal

enforceability to its recommended practices; in the meantime, the FTC advised

that companies should “accelerate the pace of self-regulation.”17 To-date there is

no overarching legislation in place, how transparency is available to consumers is

decided by organizations on a case-by-case basis.

Some companies are being proactive in providing consumers with full

transparency. Take for example, the company Acxiom®. The organization

recently launched a site called AboutTheData that invites users to enter

their names, addresses, and the last four digits of their social security

numbers to access a portal that reveals the information the company

has gathered on them. This includes age, estimated income, residence,

ethnicity, marital status and categories of product purchases, including

anything from food to home furnishings that the consumer made via

mail order. It’s a proactive attempt to give consumers a chance to see

what kind of information the company collects combined with the

ability to edit and change any data, as well as opt-out from receiving

targeted ads.


17 Ibid.


In 2012, Epsilon®, another data collection agency, began providing customers

with a paper report for a small fee that discloses all the data the company has

collected on them. Likewise, BlueKai™ and Exelate®, both companies that collect

behavioral data for online ad targeting, are also providing data-transparency

systems. The BlueKai’s registry aims to put consumers in control of their digital

footprint by allowing consumers to see what preferences are being logged by

other third-party data creators on their computer. As BlueKai states on its home

page, it’s a way to be “transparent about what data companies think about your

computer.” Consumers can control their anonymous profile by managing topics of

interest, changing preferences or choosing to opt out of future marketing efforts.

Michael Nadeau, the publisher of Data Informed®, put together a list of things

every company should tell their consumer regarding its data policies and

collection.18 According to Nadeau, companies should share the following:

•exactly what data is being collected,

•how the data collection technology works,

•how the data is secured,

•why the data is collected,

•how the data is analyzed and reported,

•who is seeing the data, and

•how the collected data benefits the consumer.

Once your company outlines the answers to these questions, it should be

circulated in a way that makes it easy for consumers to find. Providing the

answers to simple questions like these helps promote full transparency and often

puts consumers at ease regarding your data collection policies.

What about the Consumer Pr ivacy Bi l l of R ights?

In 2012, the Obama administration proposed the Consumer Privacy Bill of

Rights, which is the most comprehensive bill designed to address consumer

privacy concerns. Specifically, the bill calls for a multi-stakeholder process to

produce enforceable codes of conduct among organizations and agencies that

collect consumer data. These guidelines outlined in the bill promote the idea of

transparency in all aspects of data use to allow individuals the opportunity to

control when and how their personal information is used.

18 Nadeau, Michael. “To Win Consumer Trust, You Need Transparent Data Collection Policies - See More At: Http://data-informed.com/win-consumer-trust-need-transparent-data-collection-policies/#sthash.omc8YzVF.dpuf.” Data Informed: Big Data and Analytics in the Enterprise. N.p., 20 Sept. 2013. Web. 17 Nov. 2013. <http://data-informed.com/win-consumer-trust-need-transparent-data-collection-policies/>.


The Consumer Privacy Bill of Rights proposes the following:

• Individual control: Consumers have a right to exercise control over what

personal information companies collect from them and how they use it.

• Transparency: Consumers have a right to easily understandable and

accessible information about privacy and security practices.

• Respect for context: Consumers have a right to expect that companies will

collect, use, and disclose personal data in ways that are consistent with the

context in which consumers provide the data.

• Security: Consumers have a right to secure and responsible handling of

personal data.

• Access and accuracy: Consumers have a right to access and correct

personal data in usable formats, in a manner that is appropriate to the

sensitivity of the data and the risk of adverse consequences to consumers

if the data is inaccurate.

• Focused collection: Consumers have a right to reasonable limits on the

personal data that companies collect and retain.

• Accountability: Consumers have a right to have personal data handled by

companies with appropriate measures in place to assure they adhere to the

Consumer Privacy Bill of Rights.

President Obama challenged companies to begin immediately working with

privacy advocates, consumer protection enforcement agencies, and others under

the direction of the Commerce Department to develop enforceable codes of

conduct. The goal is for Congress to put those agreed-upon guidelines into law.

Thus far, the response to the bill has been varied. Some claim that the bill is

largely aspirational because it does not create any enforceable obligations.

In truth, the framework simply creates suggested guidelines for companies

that collect personal data as a primary function of their business operations.

There is no legislation officially in place to monitor corporate behaviors, and

as the administration recognizes, in the absence of legislation these are only

“general principles that afford companies discretion in how

they implement them.”19 As a corporation, you may be asking,

what’s next? That’s a good question, and one that is not clearly

answered. While the bill proposes a list of suggestions and ideas,

it is not legally binding. Until more legislation is approved by

Congress, the impact of the bill remains to be seen.

19 “We Can’t Wait: Obama Administration Unveils Blueprint for a “Privacy Bill of Rights” to Protect Consumers Online.” The White House. N.p., 23 Feb. 2012. Web. 14 Nov. 2013. <http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights>.


What about pr ivacy and secur i ty laws in the rest of the world?

Internet privacy laws across the globe vary from robust, non-existent and

ambiguous. China has some of the strongest consumer privacy and security

rules in the world. Effective in September 2013, China’s Ministry of Industry and

Information Technology (“MIIT”) passed strict regulations aimed to protect the

personal information of telecommunication and Internet users. Companies are

required to post personal information collection polices in their place of business

(or online) and may not use personal information without explicit user consent.

Organizations must also notify users regarding the collection, purpose, methods

and scope of use when collecting personal information. These are considered

binding requirements in China and legal action can be taken if a company

violates the policy. However, China’s Internet regulations are not applied to

other countries.

The European Union (EU) also adopted strict data privacy laws as well. The

EU’s General Data Protection Regulation (GDPR) is applied to 28-member

nations and is planned to take effect in 2016, after a two-year transition period.

It harmonizes the current data protection laws in place across all EU member

states. Basically, the GDPR establishes a regulatory framework that outlines a

number of restrictions designed to protect the privacy of individuals and personal

data within the European Union (EU). It also establishes strict limits on the

collection and use of personal data, and demands that every EU state creates an

independent national body responsible for the protection of these data. Among

other things, the measure limits the tracking and profiling activities that allow

for targeted advertising and the ability of a consumer to erase personal data

information. To ensure compliance, fines can be imposed that range anywhere

from .5 percent to two percent of an organization’s global sales.

Some companies are already taking note of the EU legislation. Google,

Microsoft, Apple and Facebook have already modified privacy policies as a

result of the mandate. To be compliant with EU regulations, U.S. companies

that operate in Europe must address what the EU calls “the right to be

forgotten.” It essentially means that the user owns his or her information and

that the user has the right to prevent websites and other online services from

keeping it and storing it. In short, it means providing a system that allows users

to erase data after it has been collected.

U.S. companies will also need to gain explicit consent to share data. Currently in

the U.S., everything from financial institutions to social networking sites share

user data with partners and advertising firms. According to the EU proposal,


users should decide if and when a company can share his or her data. That means

American companies must become more upfront about exactly what data they

are sharing and give users the opportunity to opt out of that sharing without

being penalized.

Seize the opportunity: How to manage consumer pr ivacy

Believe it or not, companies can turn the debate on privacy and consumer

protection into opportunity. According to authors Catherine Tucker and Avi

Goldfarb from MIT Sloan Management Review, by managing consumer privacy

proactively you can improve your brand.20 As the authors describe in the article,

Why Managing Consumer Privacy Can Be an Opportunity: “Companies should

view the establishment of a framework of consumer privacy controls as a key

marketing and strategic variable that conveys considerable benefits.”21

According to the authors, there are three things your company can do right

now to demonstrate a commitment to consumer privacy and establish a privacy

framework. These include:

1. Develop user-centric privacy controls to give customers control.

2. Avoid multiple intrusions.

3. Prevent human intrusion by using automation wherever possible.

Why should you develop user-centric privacy controls? Because it allows

consumers to set limits on what aspects of their data the company can access.

Research shows that if customers feel in control of their data, they become

substantially more responsive to targeted advertising. To develop a user-centric

privacy approach consider the following:

• Be up front about the types of data you are collecting about your consumers

and with whom you are sharing it.

• Offer consumers a short menu of options when they register with your

website or make a purchase.

• Replicate this process to drive registrations by specifying that registered

users get more choice on how their data is used.

20 Tucker, Catherine, and Avi Goldfarb. “Why Managing Consumer Privacy Can Be an Opportunity.” MIT Sloan Management Review RSS. N.p., 19 Mar. 2013. Web. 26 Nov. 2013. <http://sloanreview.mit.edu/article/why-managing-consumer-privacy-can-be-an-opportunity/>.

21 Ibid.


By giving consumers power to control their data, it can increase their comfort

with how companies use their data to improve their product offerings. The key

for companies is to employ consumer-centric controls and to view them as an

integral part of managing a positive customer relationship.

Another best practice is to avoid multiple intrusions. Ultimately, just because

you can intrude on a consumer by either using data or pushing content and pop

up ads, it does nothing to obtain customer loyalty. In fact, the combination of

multiple intrusive tactics usually backfires. Research shows that customers will

accept one targeted intrusion (e.g. pop-up ads) but when it’s combined with

another intrusion (e.g. targeted advertising) it harms the customer perceptions of

the company. Below is a list of techniques to consider to avoid multiple intrusions:

• When using customer data to target messages, make sure that customers do

not feel taken advantage of in other ways.

• Ads that target Web-browsing behavior are more effective if they do not

intrude on the computer screen.

• Ads that pop up or take over a computer screen will be more effective if

they do not also target prior Web-browsing behavior.

• Automated telephone messages feel more intrusive if they start with a

robotized voice addressing the consumer by name.

Finally, consider using automation to prevent human intrusion. Consumers

are more comfortable when a machine processes their personal data than when

a person does. Automated systems search habits, buying patterns and trends,

and do not pass judgment on consumer behavior. As a result, consumers find it’s

much easier to forgive an automated system for sending dieting tips instead of

an actual person. The idea is to ensure consumers that their privacy, particularly

consumer privacy, is valued by your organization. A best practice is to reinforce

an informal culture in which privacy is respected and privacy violations are

punished internally.

Overall, companies have an opportunity to demonstrate to consumers that they

care about privacy issues. As noted in the MIT article: “Companies [need to] shift

from thinking about privacy as a compliance burden to thinking of treating data

with courtesy as a fundamental part of the relationship with their customers.

Privacy policies should be organized around managing customer data courteously,

in accordance with consistent principles that customers feel comfortable with.”22

22 Ibid.


4imprint serves more than 100,000 businesses with innovative promotional items throughout the United States,

Canada, United Kingdom and Ireland. Its product offerings include giveaways, business gifts, personalized gifts,

embroidered apparel, promotional pens, travel mugs, tote bags, water bottles, Post-it Notes, custom calendars,

and many other promotional items. For additional information, log on to www.4imprint.com.

What’s next?

The rapid growth of technology, the Internet and electronic commerce have

sparked a debate on privacy and security that will continue to evolve. Privacy

issues are at the forefront of government agencies, businesses, politicians and the

public. No doubt the debate will continue and more changes will be required.

Until then, it’s a good idea to make sure your company is doing all it can to

promote transparency, consumer choice and privacy by design. If you haven’t

already, review your privacy policies and make sure they are in sync with the latest

legislative requirements. There are a number of organizations that conduct a

privacy audit and a basic Internet search will yield several experts in the area. For

example, The American Library Association provides a number of free resources

that can help you get started. There’s also a Privacy Toolkit that walks companies

through the basics of evaluating your privacy strategy.

Whatever you do, it’s a good idea to do it soon. Privacy and security online is a

moving target, but one that demands your attention. If anything, the controls

will only get stronger as more legislation is introduced. If you reign in privacy

controls now, you’ll be ready for whatever comes next.

Documents

Privacy and Security - 4imprint Learning Centerinfo.4imprint.com/...1213-Privacy-and-Security-Blue...• 21 percent of Internet users have had an email or social networking account