© 2016 Tealium Inc. All rights reserved. | 1
Making Sense of the Current Legal Landscape
Chris Slovak / Maltie Maraj, Tealium
Maltie Maraj, Lead Counsel
Chris Slovak, VP Solutions Consulting
Topics
• Current State of the Industry
• Legal Landscape
• Potential Impact
• Considerations Today
50% of teams use 21 or more vendors
Poll of Total Vendor Usage 2012 - 2015
Source: Econsultancy and Tealium, 2015
Vendor Mix: As Important as Media Mix
• Technology is a competitive advantage
• Point solutions are reality
• Cost of change is lower than ever
Consumer Trust is Fragile
“Love this site and totally trust it!”
At the Brink: Precursors to Change
Consumers
• Ad Blockers
• Web Browsers
• Advocate Groups
• Router Hardware
Providers
• Apple
– Safari
– IDFA
• Google
– Customer Match
– O&O 3rd Party Pixel
– AMP
Governments
• FTC
• Turn/Verizon Ruling
• Safe Harbor (Lack of)
Businesses
• Self Hosting JS
• iFrame JS
• Disallowing
• Custom Coding
Role of the FTC/FCC
Federal Trade Commission (FTC) – prevents business practices that are anticompetitive, deceptive or unfair to consumers (Section 5). The FTC does not have jurisdiction over common carriers.
– Wyndham Hotels and Resorts – Wyndham failed to safeguard its network where sensitive customer data was stored
– Nomi Technologies (in-store beacon tracking) – transparency and choice as to how and when data is collected
Federal Communications Commission (FCC) – regulates interstate and international communications by radio, television, wire, satellite and cable.
– Cox Communications (hack exposing customer data)
– Verizon Wireless – $1.35 million fine settlement based on Verizon’s practice of inserting unique identifier headers (UIDH or supercookies) into customers’ mobile internet traffic without their knowledge or consent
Verizon Must Obtain Opt-in
• Verizon began inserting UIDH to track mobile customers for ad-targeting purposes in December 2012; it made limited disclosures in its privacy policy but did not specifically disclose the practice until October 2014.
• Meanwhile, the online advertising clearinghouse Turn began to use the supercookies – Turn can restore a cookie ID that a user has cleared from his/her browser if it is associated with a UIDH.
• The FCC said that Verizon’s failure to disclose accurate and adequate information to consumers about the supercookies violated the transparency requirements of the FCC’s 2010 net neutrality rules.
• Verizon has to implement a 3-year compliance plan and obtain customers’ opt-in consent before sharing UIDH with third parties.
FTC: Cross-Device Tracking
November 2015 – FTC workshop on cross-device tracking
Cross-device tracking involves linking a wide range of digital or internet-connected devices to a particular consumer. Linking is accomplished via probabilistic or deterministic models.
Probabilistic: based on inferences about likely connections between devices or users, drawing on many factors:
– IP addresses
– Device type
– App/browser data
– The consumer has no control over probabilistic tracking
Deterministic: tying multiple devices to a persistent unique identifier – log-in plus broad reach:
– You are required to log in to a service – for example email or social networking
– This allows the service to link your various devices to a single account
Are device identifiers personally identifiable information?
“We regard data as ‘personally identifiable,’ and thus warranting
privacy protections, when it can be reasonably linked to a particular
person, computer, or device. In many cases, persistent identifiers such as
device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”
- Director of FTC Bureau of Consumer Protection
Data Transfers Between the US and the EU: Safe Harbor and Privacy Shield
No Safe Harbor: Alternative in Progress
• October 2015 – the EU Court of Justice invalidated the Safe Harbor framework in the Schrems v Data Protection Commissioner decision
• Since then, the US Department of Commerce and the EU Commission have been seeking an alternative framework for EU-US data transfer
• February 2016 – new framework, Privacy Shield, released
• In April 2016, the Article 29 Working Party stated that while the Privacy Shield is an improvement, among other things, it is still not satisfied with the scope of US surveillance allowed
• June 2016 – favorable Article 31 Committee opinion of Privacy Shield expected
Privacy Shield Requirements
Notice
– 13 details that participants must include in privacy notices, including redress – alternative dispute resolution at no cost to the EU citizen
Choice
– Largely the same as Safe Harbor
Accountability for onward transfer
– Organization must enter into a contract with third-party controllers to which it transfers data
Security
– Substantially the same as Safe Harbor
Data Integrity and Purpose Limitation
– Must adhere to the Privacy Shield framework as long as you retain the data
Access
– Substantially the same as Safe Harbor
Recourse, enforcement and liability
General Data Protection Regulation (GDPR): EU Legal Landscape
Background
• December 2015 – EU Parliament, EU Commission and Council of Ministers reached agreement on the General Data Protection Regulation
• April 14, 2016 – formally adopted by the EU Parliament
• Next steps:
– Publication in the EU Official Journal
– 2-year implementation period
• Organizations will need to be compliant by mid-2018 (May or June)
GDPR: Requirements
GDPR applies when:
– Personal data is processed in connection with the provision of goods and services to EU citizens (even if the goods or services are free)
– EU data subjects’ behavior is monitored
• Location of the data controller and processor is not relevant
• Expanded scope and one-stop shop
• Enhanced rights of the data subject – right to data portability and right to be forgotten
GDPR: Policies and Safeguards
• Emphasis on adopting appropriate policies and safeguards to protect personal data
• Companies must be clear and transparent in their dealings with data subjects
• Some categories of business must appoint a Data Protection Officer
– Organizations that regularly or systematically gather data as part of their core activity
– Organizations that process large amounts of sensitive personal data
• GDPR encourages pseudonymisation and encryption – split personal data into 2 data sets, one with a key and the other with the personal data
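As an added illustration of the two-data-set split described above (example code, not from the deck or from Tealium), the following Python keeps a token-only working set apart from a key table that maps tokens back to the identifying fields, and shows that deleting a key-table entry also serves an erasure request. The records, field names and function names are constructed for the example.

```python
import secrets

# Constructed sample records (fictional people and devices, not data from the deck).
RECORDS = [
    {"email": "alice@example.com", "device_id": "ifa-0001", "pages_viewed": 12, "country": "DE"},
    {"email": "bob@example.com", "device_id": "ifa-0002", "pages_viewed": 3, "country": "FR"},
    {"email": "alice@example.com", "device_id": "ifa-0001", "pages_viewed": 7, "country": "DE"},
]

# Fields treated as personally identifiable (email address, device identifier).
IDENTIFYING_FIELDS = ("email", "device_id")


def pseudonymise(records, identifying=IDENTIFYING_FIELDS):
    """Split records into two data sets: the working set carries a random token
    instead of the identifying fields; the key table maps token -> identity and
    is meant to be stored and access-controlled separately from the working set."""
    key_table = {}    # token -> identifying fields
    token_for = {}    # identity tuple -> token, so one subject keeps one token
    working_set = []
    for rec in records:
        identity = tuple(rec[f] for f in identifying)
        token = token_for.get(identity)
        if token is None:
            token = secrets.token_hex(16)        # unguessable, unlike a bare hash
            token_for[identity] = token
            key_table[token] = dict(zip(identifying, identity))
        payload = {k: v for k, v in rec.items() if k not in identifying}
        working_set.append({"token": token, **payload})
    return working_set, key_table


def reidentify(pseudo_record, key_table):
    """Rejoin the two data sets; returns None once the key entry is gone."""
    identity = key_table.get(pseudo_record["token"])
    if identity is None:
        return None
    return {**identity, **{k: v for k, v in pseudo_record.items() if k != "token"}}


def erase_subject(token, key_table):
    """Right-to-be-forgotten handling: removing the key-table entry severs the
    link, so the remaining working-set rows can no longer be tied to a person."""
    return key_table.pop(token, None) is not None


if __name__ == "__main__":
    working, keys = pseudonymise(RECORDS)
    print(working)                          # tokens and analytics fields only
    print(reidentify(working[0], keys))     # joined back via the key table
    erase_subject(working[0]["token"], keys)
    print(reidentify(working[0], keys))     # None: link severed
```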
GDPR: Explicit Consent
• Freely given, specific, informed and unambiguous agreement to the processing
– Silence, pre-checked boxes and inactivity are not sufficient.
• New consent is needed for additional processing that is incompatible with the original purpose
• Verifiable parental consent is required for minors. What counts as a minor depends on the member state.
GDPR: Processor Obligations
• GDPR imposes compliance obligations directly on processors, such as implementing security measures
• Processors assume additional responsibility for data transfers
• Processors must seek permission of the controller prior to using sub-processors or transferring personal data outside of the EU
• Processors will be directly liable in case of non-compliance and may be subject to direct enforcement
GDPR: Rights of the Data Subject
• Right to be forgotten
– Personal data erased without undue delay
• Data transferability
• Right to object to automated decision making – i.e., data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
GDPR: Transfers of Data (From the EU)
• Adequacy finding (e.g., Privacy Shield, if and when it becomes valid)
• Binding corporate rules
• Standard contractual clauses
• BCRs and SCCs subject to change based on review by the Working Party
Repercussions and Enforcement
Two levels of fines
– Infringements (e.g., failure to appoint a DPO) – up to 10 million EUR or 2% of annual worldwide turnover
– Major infringements (e.g., failure to obtain consents) – up to 20 million EUR or 4% of annual worldwide turnover
Burden of proof lies with the controller or processor
Brand Responsibility
First-party needs to be first
– National Laws
– EU Regulations
– State Law
– Don’t forget about customer TRUST!
Explicit Opt In
– Can’t ASS-u-me anymore
Deterministic matching
– Actions enable linking
So… Clear and accurate notice
– Remember Section 5
Discuss cross-device tracking in privacy notices
– Device IDs are PII
Understand the Process
Collection – Transit – Processing – Storage – Execution / Visualization
Know Your Data Types
First
• Collected directly, owned by company
Second
• Controlled sharing of first-party data
Third
• Data aggregated and sold
WIIFM – What’s In It For Me (er… my brand)?
What is the service?
• Evaluate the vendor’s participation in your marketing program
• What features of the service is your organization using?
What data is critical?
• What data is necessary for the vendor to execute?
• Do they need to set third-party trackers? Access those trackers?
Where do they fit?
• YOU decide how they fit in your collection directive
Collection Directive: Data Accessibility
(Figure: control plotted against business impact, with three tiers – Trusted / Client Side / Real-Time; Mitigated / Cloud Delivery / Delayed; Untrusted / Non-Critical / Batch – and a data panel of IT, Legal and Marketing)
GDPR: Enforcement Begins by June 2018
• Companies subject to SEC regulations may need to disclose increased operational cost and high liabilities
• Start a data inventory to understand what personal data your organization collects, where it is stored, how it is protected, and who may have access to it.
• Put processes in place to conduct a PIA if needed (i.e., if you engage in high-risk processing)
GDPR: Preparations
• Review and revise security policies to ensure the appropriate technical, administrative, and physical measures to protect personal data, and employ proper training for all your employees.
• Ensure that procedures are in place to continually monitor compliance with these policies prior to, during, and after processing of personal data.
• Begin performing a gap assessment and consider participation in certification programs.
• Review and revise privacy policies to ensure they are easily accessible, written in clear and plain language, and include full disclosure of your data collection and processing. Privacy Shield also requires that you implement, and your privacy policy describe, methods for individuals to have their complaints addressed.
GDPR: Preparations
• Maintain detailed records of personal data processing
• Review and update the method for obtaining consent to ensure you get specific, informed and unambiguous opt-in consent
• Review your ability to comply with the data subject’s right to be forgotten and new data portability rights. You must be able to erase personal data and transfer the data to another provider when technically feasible.
• Begin the search for a DPO if applicable
• Build a relationship with the DPA
• Review insurance coverage for scope and limits of coverage. Is there global coverage?
Tealium Preparation: Built for Data Governance
Collection
– Client Side TMS
– Privacy Widget
– Explicit Opt In
– DNT
– Global Opt Out
– Load Rules and Data Mapping
– Audit via Verify and DataSource View
Processing
– Global Processing Footprint
– Geo Latent Based Routing
– Intrusion Detection
– Multi Factor Authentication (MFA) by Default
– Roles and Permissions
Storage
– You Choose Location
– Private Clouds Available
– Purge Rules