Upload
dominick-simpson
View
212
Download
0
Embed Size (px)
Citation preview
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/ 1
Privacy Self-Regulation and Privacy Self-Regulation and EconomicsEconomics
Week 4 - September 21, 23
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/ 2
Guest speakerGuest speakerAlessandro Acquisti
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/ 3
Administrative notesAdministrative notesPoster session scheduled for Friday,
December 3, 3-5pm
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/ 4
Discussion of non-US privacy Discussion of non-US privacy lawslaws
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/ 5
Privacy self-regulationPrivacy self-regulation Since 1995, the US FTC has pressured
companies to “self regulate” in the privacy area
Self regulation may be completely voluntary or mandatory (or somewhere in between)
Self-regulatory programs and initiativesSealsCPOsPrivacy policiesP3PIndustry guidelines
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/ 6
Voluntary privacy guidelinesVoluntary privacy guidelines Online Privacy Alliance
http://www.privacyalliance.org
Direct Marketing Association Privacy Promise http://www.thedma.org/library/privacy/privacypromise.shtml
Network Advertising Initiative Principles http://www.networkadvertising.org/
CTIA Location-based privacy guidelineshttp://www.wow-com.com/news/press/body.cfm?record_id=907
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/ 7
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/ 8
Chief privacy officersChief privacy officers Companies are increasingly appointing
CPOs to have a central point of contact for privacy concerns
Role of CPO varies in each companyDraft privacy policyRespond to customer concernsEducate employees about company privacy
policyReview new products and services for
compliance with privacy policyDevelop new initiatives to keep company out
front on privacy issueMonitor pending privacy legislation
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/ 9
Seal programsSeal programs TRUSTe – http://www.truste.org
BBBOnline – http://www.bbbonline.org
CPA WebTrust – http://www.cpawebtrust.org/
Japanese Privacy Mark http://privacymark.org/
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/10
Seal program problemsSeal program problems Certify only compliance with stated policy
Limited ability to detect non-compliance
Minimal privacy requirements
Don’t address privacy issues that go beyond the web site
Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/11
Privacy policiesPrivacy policiesPolicies let consumers know about
site’s privacy practices
Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with
The presence of privacy policies increases consumer trust
What are some problems with privacy policies?
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/12
Privacy policy problemsPrivacy policy problemsBUT policies are often
difficult to understand hard to findtake a long time to readchange without notice
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/13
Privacy policy componentsPrivacy policy components Identification of site, scope,
contact info
Types of information collected Including information about
cookies
How information is used
Conditions under which information might be shared
Information about opt-in/opt-out
Information about access
Information about data retention policies
Information about seal programs
Security assurances
Children’s privacy
There is lots of informationto conveys -- but policy
should be brief andeasy-to-read too!
What is opt-in? What is opt-out?
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/14
Short NoticesShort Notices Project organized by Hunton & Williams law firm
The idea is to create a short version (short notice) of a human-readable privacy notice for both web sites and paper handouts
Sometimes called a “layered notice” as short version would advise people to refer to long notice for more detail
Now being called “highlights notice” Focus on reducing privacy policy to at most 7 boxes Standardized format but only limited standardization of language Proponents believe highlights format may eventually be mandated
by law A work in progress -- not yet in use
Alternative proposals from privacy advocates focus on check boxes
Interest Internationally http://www.privacyconference2003.org/resolution.asp
Interest in the US for financial privacy notices http://www.ftc.gov/opa/2003/12/privnoticesjoint.htm
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/15
Acme CompanyPrivacy NoticeHighlights
For more information about our privacy policy, write to:
Consumer Department Acme Company11 Main StreetAnywhere, NY 10100
Or go to the privacy statement on our website at acme.com.
We collect information directly from you and maintain information on your activity with us, including your visits to our website. We obtain information, such as your credit report and demographic and lifestyle information, from other information providers.P
ER
SO
NA
LIN
FO
RM
AT
ION
We use information about you to manage your account and offer you other products and services we think may interest you. We share information about you with our sister companies to offer you products and services. We share information about you with other companies, like insurance companies, to offer you a wider array of jointly-offered products and services. We share information about you with other companies so they can offer you their products and services.
US
ES
You may opt out of receiving promotional information from us and our sharing your contact information with other companies. To exercise your choices, call (800) 123-1234 or click on “choice” at ACME.com. Y
OU
R C
HO
ICE
S
You may request information on your billing and payment activities.
IMP
OR
TA
NT
INF
OR
MA
TIO
N
HO
W T
O R
EA
CH
US
This statement applies to Acme Company and several members of the Acme family of companies. S
CO
PE
NY142510v15/28/2002
Dated: May 28, 2002
Template prepared by the N
otices Project, a program
of the Center for Inform
ation Policy Leadership at H
unton & W
illiams
© 2002 Center for Inform
ation Policy Leadership
Privacy Notice Highlights Privacy Notice Highlights TemplateTemplate
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/16
Checkbox proposalCheckbox proposalWE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES.
Collection: YES NOWe collect personal information directly from you We collect information about you from other sources: We use cookies on our website We use web bugs or other invisible collection methods We install monitoring programs on your computer
Uses: We use information about you to: With Your Without YourConsent Consent
Send you advertising mail Send you electronic mail Call you on the telephone
Sharing: We allow others to use your information to: With Your Without YourConsent Consent
Maintain shared databases about you Send you advertising mail Send you electronic mail Call you on the telephone N/A N/A
Access: You can see and correct {ALL, SOME, NONE} of the information we have about you.
Choices: You can opt-out of receiving from Us Affiliates Third PartiesAdvertising mail Electronic mail Telemarketing N/A
Retention: We keep your personal data for: {Six Months Three Years Forever}
Change: We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE}
Source: Robert Gellman, July 3, 2003
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/17
Homework 4 DiscussionHomework 4 Discussion http://lorrie.cranor.org/courses/fa04/hw4.ht
ml
Questions or comments on reading
Strengths and weaknesses of web site privacy policies
Prohibit or compensate for sale of personal information?
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/18
Homework 5Homework 5http://lorrie.cranor.org/courses/fa04/h
w5.html
Mini project:http://lorrie.cranor.org/courses/fa04/mini
_project.html