DV 2016: Making Sense of the Current Legal Landscape
Chris Slovak / Maltie Maraj, Tealium
© 2016 Tealium Inc. All rights reserved.

Maltie Maraj, Lead Counsel
Chris Slovak, VP Solutions Consulting

Topics
• Current State of the Industry
• Legal Landscape
• Potential Impact
• Considerations Today

Current State: An Industry in Flux

Industry timeline (figure): Aug 2011, Sep 2012, Jan 2014, Jan 2015

You are here

50% of teams use 21 or more vendors (poll of total vendor usage, 2012 - 2015)

Source: Econsultancy and Tealium, 2015

Vendor Adoption Is a Good Thing

Vendor Mix: As Important as Media Mix

• Technology is a competitive advantage

• Point solutions are reality

• Cost of change is lower than ever

Load JavaScript on ALL the pages!

Consumer Trust is Fragile
"Love this site and totally trust it!"

Obvious on the Surface

Difficult to Predict

Far Reaching Implications

Risky Business

At the Brink: Precursors to Change

Consumers
• Ad blockers
• Web browsers
• Advocate groups
• Router hardware

Providers
• Apple: Safari, IDFA
• Google: Customer Match, O&O 3rd-party pixel, AMP

Governments
• FTC
• Turn/Verizon ruling
• Safe Harbor (lack of)

Businesses
• Self-hosting JS
• iFrame JS
• Disallowing
• Custom coding

Data and Connected Devices: US Overview

Role of the FTC/FCC

Federal Trade Commission (FTC): prevents business practices that are anticompetitive, deceptive or unfair to consumers (FTC Act Section 5). The FTC does not have jurisdiction over common carriers.
• Wyndham Hotels and Resorts: Wyndham failed to safeguard its network where sensitive customer data was stored
• Nomi Technologies (in-store beacon tracking): transparency and choice as to how and when data is collected

Federal Communications Commission (FCC): regulates interstate and international communications by radio, television, wire, satellite and cable.
• Cox Communications: hack exposing customer data
• Verizon Wireless: $1.35 million settlement based on Verizon's practice of inserting unique identifier headers (UIDH, "supercookies") into customers' mobile internet traffic without their knowledge or consent

Verizon Must Obtain Opt-in

• Verizon began inserting UIDH to track mobile customers for ad-targeting purposes in December 2012; it made limited disclosures in its privacy policy but did not specifically disclose the practice until October 2014.
• Meanwhile, the online advertising clearinghouse Turn began to use the supercookies: Turn could restore a cookie ID that a user had cleared from the browser if it was associated with a UIDH.
• The FCC said that Verizon's failure to disclose accurate and adequate information to consumers about the supercookies violated the transparency requirements of the FCC's 2010 net neutrality rules.
• Verizon has to implement a 3-year compliance plan and obtain customers' opt-in consent before sharing UIDH with third parties.
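The respawn mechanism behind the Turn/Verizon ruling, as an added simulation that is not code from Verizon, Turn or Tealium: a carrier proxy injects the subscriber's identifier as a request header, and a tracker keeps a server-side UIDH-to-cookie map, so a cookie the user cleared comes back on the next plaintext request. The header name X-UIDH (the one Verizon used), the identifier value, and the request and tracker shapes are assumptions of the example. The caveat a practitioner should take from it is that the carrier can only add headers to plaintext HTTP; it cannot modify traffic inside a TLS session, so the same flow over HTTPS yields a fresh cookie.

```javascript
// Simulation of the UIDH "supercookie" respawn described on the slide.
// Constructed example, not code from Verizon, Turn or Tealium.
// Assumptions: the carrier injects the identifier as an "X-UIDH" request
// header on plaintext HTTP only (a carrier proxy cannot add headers inside
// a TLS session), and the tracker keeps a server-side map UIDH -> cookie id.

// Carrier side: a proxy rewriting the subscriber's outbound HTTP request.
function carrierInject(request, subscriberUidh) {
  const headers = { ...request.headers };
  if (request.scheme === 'http') {
    headers['x-uidh'] = subscriberUidh; // injectable only on plaintext
  }
  return { ...request, headers };
}

function newTrackerState() {
  return { byUidh: new Map(), nextId: 1 };
}

// Tracker side: issue or recover the tracking cookie for this request.
// `state` persists across requests: { byUidh: Map, nextId: number }.
function trackerHandle(request, state) {
  const cookie = request.cookies.trk;
  const uidh = request.headers['x-uidh'];
  if (cookie) {
    if (uidh) state.byUidh.set(uidh, cookie); // learn the UIDH -> cookie link
    return { cookie, respawned: false };
  }
  if (uidh && state.byUidh.has(uidh)) {
    // The user cleared cookies, but the injected header gives them away.
    return { cookie: state.byUidh.get(uidh), respawned: true };
  }
  const fresh = `c${state.nextId++}`;
  if (uidh) state.byUidh.set(uidh, fresh);
  return { cookie: fresh, respawned: false };
}

// One subscriber's session: visit, clear cookies, visit again. Returns the
// two cookie ids the tracker assigned so the respawn is observable.
function simulate(scheme) {
  const state = newTrackerState();
  const uidh = 'OTgxNzgyNDk2MDAxNjkyMTMyMjg4'; // constructed opaque token
  const base = { scheme, headers: {}, cookies: {} };

  const first = trackerHandle(carrierInject(base, uidh), state);
  // The browser stored first.cookie; the user then clears all cookies,
  // so the second request again carries no cookie.
  const second = trackerHandle(carrierInject(base, uidh), state);
  return { first: first.cookie, second: second.cookie, respawned: second.respawned };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('http ', simulate('http'));  // same id twice: respawned
  console.log('https', simulate('https')); // fresh id: no header to key on
}
```

Run with node: over HTTP the second visit returns the first cookie id with `respawned: true`; over HTTPS the header never reaches the tracker and a new id is issued. On the site side this is one more argument for serving every page and pixel over TLS; on the provider side the FCC's remedy was opt-in consent before the header is shared.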

FTC: Cross-Device Tracking

• November 2015: FTC workshop on cross-device tracking
• Cross-device tracking involves linking a wide range of digital or internet-connected devices to a particular consumer. Linking is accomplished via probabilistic or deterministic models.
• Probabilistic: based on inferences about likely connections between devices or users, drawing on many factors:
  – IP addresses
  – Device type
  – App/browser data
  – The consumer has no control over probabilistic tracking
• Deterministic: tying multiple devices to a persistent unique identifier, i.e., log-in plus broad reach:
  – You are required to log in to a service (for example email or social networking)
  – This allows the service to link your various devices to a single account
• Are device identifiers personally identifiable information?

“We regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”

- Director of FTC Bureau of Consumer Protection

Data Transfers Between the US and the EU: Safe Harbor and Privacy Shield

No Safe Harbor: Alternative in progress

• October 2015: the EU Court of Justice invalidated the Safe Harbor framework in the Schrems v Data Protection Commissioner decision
• Since then, the US Department of Commerce and the EU Commission have been seeking an alternative framework for EU-US data transfer
• February 2016: new framework, Privacy Shield, released
• April 2016: the Article 29 Working Party stated that while Privacy Shield is an improvement, it is, among other things, still not satisfied with the scope of US surveillance allowed
• June 2016: favorable Article 31 Committee opinion of Privacy Shield expected

Privacy Shield Requirements

Notice
– 13 details that participants must include in privacy notices, including redress: alternative dispute resolution at no cost to the EU citizen

Choice
– Largely the same as Safe Harbor

Accountability for onward transfer
– The organization must enter into a contract with third-party controllers to which it transfers data

Security
– Substantially the same as Safe Harbor

Data Integrity and Purpose Limitation
– Must adhere to the Privacy Shield framework as long as you retain the data

Access
– Substantially the same as Safe Harbor

Recourse, enforcement and liability

General Data Protection Regulation (GDPR): EU Legal Landscape

Background

• December 2015: the EU Parliament, EU Commission and Council of Ministers reached agreement on the General Data Protection Regulation
• April 14, 2016: formally adopted by the EU Parliament
• Next steps:
  – Publication in the EU Official Journal
  – 2-year implementation period
• Organizations will need to be compliant by mid-2018 (May or June); the Regulation was published in the Official Journal on 4 May 2016 and applies from 25 May 2018

GDPR: Requirements

GDPR applies when:
– Personal data is processed in connection with the provision of goods and services to individuals in the EU (even if the goods or services are free)
– EU data subjects' behavior is monitored

• The location of the data controller and processor is not relevant
• Expanded scope and one-stop shop
• Enhanced rights of the data subject: right to data portability and right to be forgotten

GDPR: Policies and Safeguards

• Emphasis on adopting appropriate policies and safeguards to protect personal data
• Companies must be clear and transparent in their dealings with data subjects
• Some categories of business must appoint a Data Protection Officer:
  – Organizations that regularly or systematically gather data as part of their core activity
  – Organizations that process large amounts of sensitive personal data
• GDPR encourages pseudonymisation and encryption: split personal data into two data sets, one holding the key and the other the personal data, so that a record can only be attributed to a person by whoever holds the separately kept key

GDPR: Explicit Consent

• Freely given, specific, informed and unambiguous agreement to the processing
  – Silence, pre-checked boxes and inactivity are not sufficient
• New consent is needed for additional processing that is incompatible with the original purpose
• Verifiable parental consent is required for minors. What counts as a minor depends on the member state.

GDPR: Processor Obligations

• GDPR imposes compliance obligations directly on processors, such as implementing security measures
• Processors assume additional responsibility for data transfers
• Processors must seek the permission of the controller prior to using sub-processors or transferring personal data outside of the EU
• Processors will be directly liable in case of non-compliance and may be subject to direct enforcement

GDPR: Rights of Data Subject

• Right to be forgotten: personal data erased without undue delay
• Data portability
• Right to object to automated decision making, i.e., data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them

GDPR: Transfers of Data (From the EU)

• Adequacy finding (e.g., Privacy Shield, if and when it becomes valid)
• Binding corporate rules (BCRs)
• Standard contractual clauses (SCCs)
• BCRs and SCCs are subject to change based on review by the Working Party

Repercussions and Enforcement

Two levels of fines:
– Infringements (e.g., failure to appoint a DPO): up to 10 million EUR or 2% of annual worldwide turnover, whichever is higher
– Major infringements (e.g., failure to obtain consent): up to 20 million EUR or 4% of annual worldwide turnover, whichever is higher

Burden of proof lies with the controller or processor

Considerations: What You Can Do Today

Brand Responsibility

First-party needs to be first
– National laws
– EU regulations
– State law
– Don't forget about customer TRUST!

Explicit opt-in
– Can't ASS-u-me anymore

Deterministic matching
– Actions enable linking

So... clear and accurate notice
– Remember Section 5
– Discuss cross-device tracking in privacy notices
– Device IDs are PII

Understand the Process

Collection → Transit → Processing → Storage → Execution / Visualization

Know Your Data Types

• First party: collected directly, owned by the company
• Second party: controlled sharing of first-party data
• Third party: data aggregated and sold

WIIFM: What's In It For Me (er... my brand)?

What is the service?
• Evaluate the vendor's participation in your marketing program
• What features of the service is your organization using?

What data is critical?
• What data is necessary for the vendor to execute?
• Do they need to set third-party trackers? Access those trackers?

Where do they fit?
• YOU decide how they fit in your collection directive

Collection Directive (figure)

Axes: Data Accessibility / Control against Business Impact

Tiers:
• Trusted / Client Side / Real-Time
• Mitigated / Cloud Delivery / Delayed
• Untrusted / Non-Critical / Batch

Data Panel: IT, Legal, Marketing

JUNE 2018

€20,000,000

GDPR: Enforcement Begins by June 2018

• Companies subject to SEC regulations may need to disclose increased operational cost and high liabilities
• Start a data inventory to understand what personal data your organization collects, where it is stored, how it is protected, and who may have access to it
• Put processes in place to conduct a privacy impact assessment (PIA) if needed (i.e., if you engage in high-risk processing)

GDPR: Preparations

• Review and revise security policies to ensure the appropriate technical, administrative, and physical measures to protect personal data, and provide proper training for all your employees. Ensure that procedures are in place to continually monitor compliance with these policies prior to, during, and after processing of personal data. Begin performing a gap assessment and consider participation in certification programs.
• Review and revise privacy policies to ensure they are easily accessible, written in clear and plain language, and include full disclosure of your data collection and processing. Privacy Shield also requires that you implement, and your privacy policy describe, methods for individuals to have their complaints addressed.

GDPR: Preparations

• Maintain detailed records of personal data processing
• Review and update your method for obtaining consent to ensure you get specific, informed and unambiguous opt-in consent
• Review your ability to comply with the data subject's right to be forgotten and the new data portability rights. You must be able to erase personal data and transfer the data to another provider when technically feasible
• Begin the search for a DPO if applicable
• Build a relationship with your Data Protection Authority (DPA)
• Review insurance coverage for scope and limits of coverage. Is there global coverage?

Tealium Preparation: Built for Data Governance

Collection
– Client-side TMS
– Privacy widget
– Explicit opt-in
– DNT
– Global opt-out
– Load rules and data mapping
– Audit via Verify and DataSource View

Processing
– Global processing footprint
– Geo/latency-based routing
– Intrusion detection
– Multi-factor authentication (MFA) by default
– Roles and permissions

Storage
– You choose the location
– Private clouds available
– Purge rules
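How the collection-side controls on this slide (explicit opt-in, DNT, global opt-out, load rules) and the tiers of the collection directive compose into one load decision per vendor, as an added example that is not Tealium's code: consent is default-deny, DNT blocks anything that sets third-party trackers, and the tier decides whether a permitted vendor runs client-side, is delivered from the cloud, or is only fed in batch. The vendor catalogue, the tier names, the consent object and the signal names are assumptions made for the demonstration.

```javascript
// Consent-gated load rules for vendor tags. Constructed example, not
// Tealium code: the vendor catalogue, tier names, consent object shape and
// signal names are assumptions made for the demonstration.

// Tiers from the collection-directive slide, mapped to a delivery mode.
const TIER_DELIVERY = {
  trusted: 'client',    // client side, real time
  mitigated: 'cloud',   // cloud delivery, delayed
  untrusted: 'batch',   // non-critical, batch export only
};

// Constructed vendor catalogue. `purpose` is the consent category the
// vendor needs; `thirdPartyTrackers` says whether it sets its own cookies.
const VENDORS = [
  { id: 'analytics-a', tier: 'trusted', purpose: 'analytics', thirdPartyTrackers: false },
  { id: 'ads-b', tier: 'mitigated', purpose: 'advertising', thirdPartyTrackers: true },
  { id: 'data-c', tier: 'untrusted', purpose: 'advertising', thirdPartyTrackers: true },
];

// Decide how (or whether) one vendor is loaded for this visitor.
// consent: { explicitOptIn: boolean, purposes: string[], globalOptOut: boolean }
// signals: { dnt: boolean }
function decide(vendor, consent, signals) {
  const block = (reason) => ({ vendor: vendor.id, action: 'block', reason });
  if (consent.globalOptOut) return block('global opt-out');
  // Default deny: silence, pre-checked boxes and inactivity are not consent.
  if (!consent.explicitOptIn) return block('no explicit opt-in');
  if (!consent.purposes.includes(vendor.purpose)) {
    return block(`no consent for ${vendor.purpose}`);
  }
  // Honour DNT for anything that sets third-party trackers, whatever the tier.
  if (signals.dnt && vendor.thirdPartyTrackers) {
    return block('DNT and third-party trackers');
  }
  const delivery = TIER_DELIVERY[vendor.tier];
  if (!delivery) return block(`unknown tier ${vendor.tier}`); // fail closed
  return { vendor: vendor.id, action: delivery, reason: `tier ${vendor.tier}` };
}

// Evaluate the whole catalogue; the returned list doubles as the audit log
// (which vendor, which decision, why) that a later review needs.
function loadPlan(vendors, consent, signals) {
  return vendors.map((v) => decide(v, consent, signals));
}

// Only 'client' decisions become script tags on the page; everything else
// is handled server-side or not at all.
function clientTags(plan) {
  return plan.filter((d) => d.action === 'client').map((d) => d.vendor);
}

if (typeof require !== 'undefined' && require.main === module) {
  const consent = { explicitOptIn: true, purposes: ['analytics', 'advertising'], globalOptOut: false };
  console.log(loadPlan(VENDORS, consent, { dnt: false }));
  console.log(loadPlan(VENDORS, consent, { dnt: true }));
  console.log(clientTags(loadPlan(VENDORS, { explicitOptIn: false, purposes: [], globalOptOut: false }, { dnt: false })));
}
```

The design choice worth keeping is that every branch ends in a block with a reason rather than a silent skip: the decision list is what you hand to legal when asked why a given vendor fired for a given visitor, and an unknown tier fails closed instead of defaulting to client-side delivery.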

Audience Q&A

Thank You: That's a Wrap for DV2016!