Say Good-Bye to Zero-Sum: Say Hello to Privacy and Marketing, by Design

A presentation by Commissioner Cavoukian to the Canadian Institute Advertising and Marketing Law Conference on how Privacy by Design can give a sustainable competitive advantage in advertising and marketing.

  • Presentation Outline
  • Paradigm Shift
  • Why We Need PbD
  • Positive-Sum, Not Zero-Sum: Compliance alone is unsustainable as the sole model for ensuring the future of privacy; for that, we must turn to proactive measures such as Privacy by Design: embedding privacy proactively into the core of all that we do. (Lessig book: Code: Version 2.0.) Further, the average individual’s “information footprint” (digitization of entertainment, healthcare, security, and retail preferences) will grow from 1 terabyte per year to more than 16 terabytes by 2020 (IBM Press Release, September 8, 2008). The collection of personal information is not going to stop or decline. In fact, it will only continue to grow exponentially. Legislation can be proactive by requiring certain practices and standards; arranging for audits; providing incented activities; and by ensuring that certain large organizations, such as government departments themselves, will become models for the required change and activity. So maybe the contrast is not between legislation and PbD, but between proactive and reactive approaches, with Privacy by Design being the best model for the proactive approach.
  • Positive-Sum Model
  • PbD – Build It In: A Positive-Sum (or “win-win” or “non zero-sum”) paradigm, by contrast, describes a concept or situation in which participants can all gain or suffer together. That is, the sum of gains and losses by the participants is always more or less than what they began with, depending on their choices and behaviour. If privacy and security are not a ‘zero sum game’, and if we need to ensure strong security and strong privacy, what are we left with? We can’t leave privacy to policies and procedures alone, as that ignores the reality of the systems in which so much personal information resides. We can’t focus on security alone, as I talked about earlier. There isn’t a balance to be sought. What is required is a WIN-WIN situation, in which strong privacy policies mutually reinforce a strong security focus. “We need better options for securing the Internet. Instead of looking primarily for top-down government intervention, we can enlist the operators and users themselves.” — Jonathan Zittrain, Freedom and Anonymity: Keeping the Internet Open, Scientific American, February 24, 2011
  • Privacy by Design
  • Jerusalem Resolution: I first developed the concept of Privacy by Design in the ’90s, as a response to the growing threats to online privacy that were beginning to emerge; Privacy by Design seeks to build in privacy – up front, right into the design specifications; into the architecture; embedding privacy into the very technology used – bake it in; Data minimization is key: minimize the routine collection and use of personally identifiable information – use encrypted or coded information, whenever possible; Use privacy-enhancing technologies (PETs) where possible, but make it PETs Plus, invoking a positive-sum paradigm, and giving people maximum control over their own data.
  • PbD – 7 Foundational Principles
  • PbD in 29 Languages: Proactive not Reactive; Preventative not Remedial; Privacy as the Default; Privacy Embedded into Design; Full Functionality: Positive-Sum, not Zero-Sum; End-to-End Lifecycle Protection; Visibility and Transparency; Respect for User Privacy
  • Privacy in Advertising and Marketing
  • Report of Advertising Standards Canada: Online behavioural advertising may be considered a reasonable purpose under PIPEDA, provided it is carried out under certain parameters, and is not made a condition of service for accessing and using the Internet, generally. PIPEDA defines personal information as “information about an identifiable individual”. Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information. PIPEDA requires an individual’s knowledge and consent for the collection, use, or disclosure of personal information. PIPEDA also requires that the purposes for which an individual’s information is to be collected, used or disclosed be explained in a clear and transparent manner. In addition, PIPEDA does recognize that the form of consent can vary: for example, express consent (opt-in) when dealing with sensitive information, and implied consent (opt-out) when the information is less sensitive. It is important to note that the sensitivity of information depends on the nature of the information and the context in which it is being collected, used or disclosed. Opt-out consent for online behavioural advertising could be considered reasonable providing that:
    • Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their online behavioural advertising practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
    • Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in online behavioural advertising;
    • Individuals are able to easily opt out of the practice – ideally at or before the time the information is collected;
    • The opt-out takes effect immediately and is persistent;
    • The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
    • Information collected and used is destroyed as soon as possible or effectively de-identified.
    Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent. Therefore, if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes. At present, this could include, for example, so-called zombie cookies, super cookies and device fingerprinting.
  • Consumers Favour DNT: As part of the report, the group is recommending a four-step process for building trust with consumers. These four elements are: control (ensuring people know what will happen to their information); choice (allowing people to choose what information to hold back from marketers); commitment (making people aware of privacy and security policies); and compensation (helping people understand “what’s in it for me” if they share information).
  • Microsoft DNT
  • Berkeley Survey on Online Privacy
  • Quote from Chris Hoofnagle – Director, Berkeley Center
  • Would you allow a social networking app to collect your contact list in order to suggest more friends? The FTC has called for consumers to be given a simple “Do Not Track” mechanism that would allow them to choose whether they want to allow websites to collect information about their Internet activity and use it to deliver targeted advertisements and for other purposes. The FTC specifically recommends a mechanism that would be practical, and would probably involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices (see the FTC’s 2010 preliminary staff report and 2012 Privacy Report: Balancing Privacy and Innovation). The FTC’s DNT would consist of the following five elements:
    • First, a Do Not Track system should be implemented universally to cover all parties that would track consumers.
    • Second, the choice mechanism should be easy to find, easy to understand, and easy to use.
    • Third, any choices offered should be persistent and should not be overridden if, for example, consumers clear their cookies or update their browsers.
    • Fourth, a Do Not Track system should be comprehensive, effective, and enforceable. It should opt consumers out of behavioral tracking through any means and not permit technical loopholes.
    • Finally, an effective Do Not Track system should go beyond simply opting consumers out of receiving targeted advertisements; it should opt them out of collection of behavioral data for all purposes other than those that would be consistent with the context of the interaction (e.g., preventing click-fraud or collecting de-identified data for analytics purposes).
  • Would you allow a coupons app to collect your contact list in order to offer coupons to your contacts ?
  • Would you allow your cell phone provider to use your location to tailor ads to you?
  • IPC Paper – Applying Privacy into Marketing
  • Permission-Based Marketing
  • Why Privacy is Good for Business
  • The Privacy Dividend
  • Bering Media – IP Geolocation: Taking a more resolute approach to protecting privacy could increase the magnitude of the benefits well beyond any increase in costs. This approach is sometimes referred to as “privacy by design.” How the organisation handles people’s personal information is central to the degree of trust on which the relationships the organisation has with the people it serves are based. Protecting privacy builds trust and strengthens those relationships, making them more long-lasting and productive. It also strengthens the organisation’s reputation and that helps to attract new customers. In the words of Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada (show book – “Privacy Payoff”): “The ‘payoff’ to privacy-respecting organisations is ... ultimately, enduring competitive advantage. In a world of increasingly savvy and inter-connected customers, an organisation’s approach to privacy may offer precisely the competitive advantage needed to succeed.”
  • The Bottom Line: The Internet and its associated marketing practices have rapidly evolved, to a point where much of the online advertising is provided by companies with whom the individual does not have a direct business relationship. And yet, such companies collect and manage a great deal of data about individuals. This has opened up a broad and ongoing debate in the area of privacy and online targeted advertising. The purpose of this paper is to explore new, original contributions to this discussion, highlighting the solutions made possible through a combination of innovative thought and “baked-in” privacy – which I call Privacy by Design. The subject of targeted advertising brings with it a host of privacy issues, from those directly connected with the practice (the tracking of online behaviours, the use of location data as reported by mobile devices, etc.) to broader, Internet-wide topics (IP address as personal information, etc.). Privacy choices and consumer trust have remained at the forefront of these concerns.
    In this paper, we focus on a single facet of targeted advertising – the developing area of precise IP geolocation, and the potential role of ISPs in the ad serving model. In particular, we describe the work of Ontario company Bering Media, Inc. Bering Media set out to develop an innovative technology to allow ISPs that have made the decision to partner with an ad server to provide IP geolocation services, to do so with zero disclosure of potentially personally identifiable information about subscribers. This would further allow the ISP to partner with an ad server without the need for reading or modifying any packets travelling through the ISP’s network.
  • Costs of Privacy Breach
  • Consumer Choice and Privacy: A U.S. study found that the cost of a data breach was $202 per record; the average cost per operating company was more than $6.6 million per breach (2008 Annual Study: Cost of a Data Breach, Ponemon Institute, February 2009). The costs include: legal liabilities, class action suits; loss of client confidentiality and trust; diminution of brand and reputation; loss of customers, competitive edge; penalties and fines levied; costs of crisis management, damage control, review and retrofit of information systems, policies and procedures.
  • Consumers Willing to Pay for Privacy
  • It’s All About Trust: The study, by Janice Y. Tsai, Serge Egelman, Lorrie Cranor, and Alessandro Acquisti of Carnegie Mellon University, appears in the current issue of the INFORMS journal Information Systems Research. The authors note that most online privacy policies are difficult for consumers to use and are often overlooked. Challenging a predominant belief that consumers would not sacrifice for greater Internet privacy, they designed their research to determine if consumers would pay extra to make a purchase at an online store whose privacy policy was medium to high and could easily be determined. The authors invited a different set of participants to test a new search engine in an experimental setting. These participants were asked to search for and purchase products online using the search engine shopping interface. Participants were randomly assigned to three groups: one group did not see any privacy meter icons associated with the search engine results; one group saw the icons, but was told that they were indicators for the degree of “handicap accessibility” of the website (a characteristic chosen as a “control” condition precisely for its irrelevancy to most consumers’ online decision processes); the last group saw the icons and were indeed told that they were indicators for the degree of privacy protection offered by the website. Because participants used their own credit cards to pay for the products, their personal information was exposed to real merchants during the study. The websites were real merchant sites. Purchasing either item forced individuals to reveal personal information (their credit card number) to unknown merchants.
  • Privacy Payoff
  • Operationalizing PbD
  • Conclusions
  • How to Contact Us
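The FTC's third element above (a choice that survives clearing cookies) is the one that separates a real Do Not Track signal from an ordinary opt-out cookie. The following JavaScript is an added illustration, not code from the presentation, the FTC or any browser vendor: it models a site's request handling when the browser carries the user's setting as the `DNT: 1` request header (the header browsers used to transmit the Do Not Track setting), alongside a cookie-based opt-out. The cookie name `oba_optout`, the purpose labels and the sample requests are assumptions constructed for the example.

```javascript
// Added example (not the presentation's code). Assumptions: the browser's
// Do Not Track setting arrives as the request header "DNT: 1"; the site also
// offers a cookie-based opt-out under the hypothetical name "oba_optout".

// Purposes "consistent with the context of the interaction" (FTC element five)
// versus behavioural purposes that a DNT user must be opted out of.
const CONTEXTUAL_PURPOSES = ["click-fraud-prevention", "deidentified-analytics"];
const BEHAVIOURAL_PURPOSES = ["targeted-advertising", "cross-site-profiling"];

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns "on" (DNT: 1), "off" (DNT: 0) or "unset" (absent or malformed).
function dntPreference(headers) {
  const value = getHeader(headers, "dnt");
  if (value === undefined || value === null) return "unset";
  const s = String(value).trim();
  if (s === "1") return "on";
  if (s === "0") return "off";
  return "unset"; // anything else is treated as no preference expressed
}

// Parse the Cookie request header into a name -> value map.
function parseCookies(headers) {
  const raw = getHeader(headers, "cookie") || "";
  const cookies = {};
  for (const part of raw.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) cookies[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return cookies;
}

// Decide what a request may be used for and whether a tracking cookie may be set.
// Either signal (header or cookie) is enough to opt the user out.
function trackingDecision(headers) {
  const optedOut =
    dntPreference(headers) === "on" || parseCookies(headers).oba_optout === "1";
  return {
    optedOut,
    allowedPurposes: optedOut
      ? [...CONTEXTUAL_PURPOSES]
      : [...CONTEXTUAL_PURPOSES, ...BEHAVIOURAL_PURPOSES],
    setTrackingCookie: !optedOut,
  };
}

// Simulate the user clearing all cookies: the Cookie header disappears,
// every other header (including DNT) is still sent by the browser.
function clearCookies(headers) {
  const copy = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== "cookie") copy[k] = v;
  }
  return copy;
}

// Constructed sample requests (not captured traffic).
const cookieOptOutRequest = { Host: "ads.example", Cookie: "oba_optout=1; sid=abc" };
const dntRequest = { Host: "ads.example", DNT: "1", Cookie: "sid=abc" };

// Show which opt-out survives a cookie wipe.
function demo() {
  return {
    cookieOptOut: trackingDecision(cookieOptOutRequest).optedOut,
    cookieOptOutAfterClear: trackingDecision(clearCookies(cookieOptOutRequest)).optedOut,
    dnt: trackingDecision(dntRequest).optedOut,
    dntAfterClear: trackingDecision(clearCookies(dntRequest)).optedOut,
  };
}

console.log(demo());
```

The cookie-only opt-out is lost the moment the user clears cookies, which is exactly the loophole the third element rules out; the header-carried preference survives because it is part of the browser's configuration, not of the site's state. Note that nothing here enforces the fourth element (no technical loopholes): a site that ignores the header, or fingerprints the device instead of setting a cookie, defeats the signal, which is why the FTC pairs the mechanism with enforceability.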

    1. Say Good-Bye to Zero-Sum: Say Hello to Privacy and Marketing by Design. Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada. Canadian Institute Advertising and Marketing Law Conference, January 23, 2013
    2. Presentation Outline: 1. We Need a Paradigm Shift; 2. Positive-Sum, NOT Zero-Sum; 3. Privacy by Design: The Gold Standard; 4. Privacy in Advertising and Marketing; 5. Why Privacy is Good for Business; 6. Operationalizing Privacy by Design; 7. Conclusions
    3. We need to change the paradigm
    4. Why We Need Privacy by Design: Most privacy breaches remain undetected – as regulators, we only see the tip of the iceberg. The majority of privacy breaches remain unchallenged, unregulated ... unknown. Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy.
    5. The Future of Privacy: Change the Paradigm to Positive-Sum, NOT Zero-Sum
    6. Positive-Sum Model: Change the paradigm from a zero-sum to a “positive-sum” model: create a win-win scenario, not an either/or (vs.) involving unnecessary trade-offs and false dichotomies … replace the “vs.” with “and”
    7. Privacy by Design: “Build It In”
       • I first developed the concept of “Privacy by Design” in the 90s, as a response to the growing threats to online privacy that were beginning to emerge;
       • “Privacy by Design” seeks to build in privacy – up front, right into the design specifications; into the architecture; embed privacy into the technology used – bake it in;
       • Data minimization is key: minimize the routine collection and use of personally identifiable information – use encrypted or coded information whenever possible;
       • Use privacy-enhancing technologies (PETs) plus where possible: give people maximum control over their own data.
    8. The Decade of Privacy by Design
    9. Adoption of “Privacy by Design” as an International Standard. Landmark Resolution Passed to Preserve the Future of Privacy, by Anna Ohlden, October 29, 2010: A landmark Resolution by Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, was approved by international Data Protection and Privacy Commissioners in Jerusalem today at their annual conference. The resolution recognizes Commissioner Cavoukian’s concept of Privacy by Design - which ensures that privacy is embedded into new technologies and business practices, right from the outset - as an essential component of fundamental privacy protection. Full Article:
    10. Privacy by Design: The 7 Foundational Principles
       1. Proactive not Reactive: Preventative, not Remedial;
       2. Privacy as the Default setting;
       3. Privacy Embedded into Design;
       4. Full Functionality: Positive-Sum, not Zero-Sum;
       5. End-to-End Security: Full Lifecycle Protection;
       6. Visibility and Transparency: Keep it Open;
       7. Respect for User Privacy: Keep it User-Centric.
    11. Privacy by Design: Proactive in 29 Languages! 1. English, 2. French, 3. German, 4. Spanish, 5. Italian, 6. Czech, 7. Dutch, 8. Estonian, 9. Hebrew, 10. Hindi, 11. Chinese, 12. Japanese, 13. Arabic, 14. Armenian, 15. Ukrainian, 16. Korean, 17. Russian, 18. Romanian, 19. Portuguese, 20. Maltese, 21. Greek, 22. Macedonian, 23. Bulgarian, 24. Croatian, 25. Polish, 26. Turkish, 27. Malaysian, 28. Indonesian, 29. Lithuanian
    12. Privacy in Advertising and Marketing
    13. Personal Information Protection and Electronic Documents Act (PIPEDA)
       • Online behavioural advertising may be considered a reasonable purpose under PIPEDA;
       • PIPEDA requires an individual’s knowledge and consent for the collection, use, or disclosure of personal information;
       • PIPEDA also requires that the purposes for which an individual’s information is to be collected, used or disclosed be explained in a clear and transparent manner;
       • Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent.
    14. Report from Advertising Standards Canada. According to a report from Advertising Standards Canada:
       • 89% agreed with the statement, “people share far too much personal information online these days;”
       • 72% responded that they were worried about the erosion of personal privacy;
       • 73% said they were aware that businesses were tracking people’s activities on the Web in order to understand their interests.
       — Susan Krashinsky, Give consumers choice, control on personal data, advertisers urged; ASC recommending a four-step process for building trust, Globe and Mail, November 20, 2012.
    15. Consumers Favour Do Not Track (DNT) by Default. “Seventy-five percent of the consumers we surveyed in the U.S. and Europe said they wanted DNT on, by default.” — Brad Smith, Microsoft Executive Vice-President, December 2012. 13/microsoft-rankles-advertisers-with-web-user-privacy-plan.html
    16. Microsoft Internet Explorer 10 Do Not Track
       • June 2012 – Microsoft announced the Do Not Track option would be activated by default in Internet Explorer 10 on Windows 8, as part of its commitment to user privacy;
       • The Default Rules – research shows that whatever the default condition is, that is the one that will prevail;
       • Microsoft was criticized by advertising companies, who said Do Not Track must be a choice made by users and should not be automatically enabled – this despite the fact that they have been making the choice for users all along;
       • Companies have always made the choice for their users – the existing default is one of tracking/advertising;
       • Microsoft responded that users would prefer a browser that automatically respected their privacy – I totally agree – see my YouTube video here:
    17. Berkeley Center for Law and Technology Survey on Online Privacy. At the Amsterdam Privacy Conference in October 2012, the Berkeley Center for Law and Technology released its survey findings:
       • 87% of those surveyed had not heard about proposals to create a Do Not Track option for the Internet;
       • 30% understood that advertisers can track users on medical information sites;
       • 40% believed they had fewer privacy rights when visiting a free website supported by advertising.
    18. “Most consumers want Do Not Track to mean exactly that: do not collect information that allows companies to track them across the Internet. This may seem obvious, but even the definition articulated by the FTC may fall short of these consumer expectations.” — Chris Jay Hoofnagle, Director, Information Privacy Programs, Berkeley Center for Law & Technology, October 2012.
    19. Would you allow a social networking app to collect your contact list in order to suggest more friends? (poll result shown: 51% / 30%)
    20. Would you allow a coupons app to collect your contact list in order to offer coupons to your contacts? (poll result shown: 75% / 18%)
    21. Would you allow your cell phone provider to use your location to tailor ads to you? (poll result shown: 70% / 22%)
    22. There is another way … Applying Fair Information Practices to CRM:
       • Accountability
       • Identifying Purposes
       • Consent
       • Limiting Collection
       • Limiting Use, Disclosure, and Retention
       • Accuracy
       • Safeguards
       • Openness
       • Individual Access
       • Challenging Compliance
    23. Permission-Based Marketing: The Personal Touch
       • Essential premise: persuade consumers to volunteer their attention;
       • Predicated on Consent: make consumers active recipients of marketing information;
       • Puts control in the hands of consumers;
       “Just because you somehow get my email address doesn’t mean you have permission.” — Seth Godin, Permission-Based Marketing, 2001.
    24. Why Privacy is Good for Business
    25. The Privacy Dividend: 1. The Business Case; 2. Personal Information in the Business Context; 3. Creating the Business Case. “In the words of Commissioner Cavoukian, ‘The “payoff” to privacy-respecting organisations is ... ultimately, enduring competitive advantage. In a world of increasingly savvy and inter-connected customers, an organisation’s approach to privacy may offer precisely the competitive advantage needed to succeed.’”
    26. Bering Media has built Privacy into IP Geolocation:
       • Using a unique double-blind privacy architecture;
       • Minimum-match thresholds / anti-inference algorithms;
       • Dynamic IP address management;
       • Persistent, permanent opt-out, globally.
    27. The Bottom Line: Privacy should be viewed as a business issue, not a compliance issue. Think strategically and transform privacy into a competitive business advantage.
    28. Cost of Taking the Reactive Approach to Privacy Breaches (diagram contrasting Proactive and Reactive; reactive costs shown: Lawsuits, Damaged Brand Name, Loss of Consumer Trust)
    29. Consumer Choice and Privacy
       • There is a strong competitive advantage for businesses to invest in good data privacy and security practices;
       • “A significant portion of the population is becoming concerned about identity theft, and it is influencing their purchasing decisions.” — Rena Mears, Deloitte & Touche LLP, Survey Reports An Increase in ID Theft and Decrease in Consumer Confidence, 2005.
    30. Online Consumers Willing to Pay for Privacy
       • A study conducted at Carnegie Mellon University found that when privacy information is made more salient and accessible, some consumers are willing to pay a premium to purchase goods from privacy-protective websites;
       • When shopping online, participants made significantly more purchases from sites rated “High Privacy” (47.4%) compared to participants buying from sites rated “No Privacy” (5.6%).
       — Online Consumers Willing to Pay Premium for Net Privacy, Study Finds, ScienceDaily, July 11, 2011. Study conducted by Janice Y. Tsai, Serge Egelman, Lorrie Cranor, and Alessandro Acquisti of Carnegie Mellon University.
    31. Bottom Line: It’s All About Trust. “Trust is more important than ever online … Price does not rule the Web … Trust does.” — Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships
    32. Reasons for Building Consumer Trust
       • Continuation of valuable business relationships;
       • Loyal, repeat customers;
       • Sustainable competitive edge;
       • Consumer confidence and trust.
       — Ann Cavoukian, Ph.D., Tyler Hamilton, The Privacy Payoff: How Successful Businesses Build Consumer Trust, McGraw-Hill Ryerson, 2002, pp. 13-14.
    33. Operationalizing Privacy by Design: 9 PbD Application Areas
       • CCTV/Surveillance cameras in mass transit systems;
       • Biometrics used in casinos and gaming facilities;
       • Smart Meters and the Smart Grid;
       • Mobile Communications;
       • Near Field Communications;
       • RFIDs and sensor technologies;
       • Redesigning IP Geolocation;
       • Remote Home Health Care;
       • Big Data and Data Analytics.
    34. Conclusions
       • Make privacy a priority – ensure that privacy is embedded into your systems and operational processes – into your business practices;
       • It is easier and far more cost-effective to build in privacy up-front, rather than after-the-fact;
       • Privacy risks are best managed by proactively embedding the principles of Privacy by Design;
       • Get smart – lead with Privacy – by Design, not privacy by chance or, worse, Privacy by Disaster!
    35. How to Contact Us. Ann Cavoukian, Ph.D., Information & Privacy Commissioner of Ontario, 2 Bloor Street East, Suite 1400, Toronto, Ontario, Canada M4W 1A8. Phone: (416) 326-3948 / 1-800-387-0073. Web: www.ipc.on.ca. E-mail: info@ipc.on.ca. For more information on Privacy by Design, please visit:
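The Bering Media note and slide 26 above name the building blocks of privacy-preserving IP geolocation (minimum-match thresholds, anti-inference, a persistent opt-out) without describing how they work. The JavaScript below is an added illustration of those three ideas in the generic, k-anonymity-style form a security engineer would reach for; it is not Bering Media's architecture or code, and the subscriber table, the area codes, the threshold value `MIN_MATCH` and the opt-out list are all constructed assumptions.

```javascript
// Added example, not Bering Media's design. Illustrates three ideas the
// presentation names: a minimum-match threshold, an anti-inference response
// policy, and a persistent opt-out. Everything below is constructed.

const MIN_MATCH = 5; // hypothetical threshold; a real deployment would tune this

// Constructed subscriber table (assumption): current IP -> coarse service area.
// An ISP's dynamic IP management would keep this table current as leases change,
// so a reassigned address never inherits its previous holder's area.
const subscriberAreas = new Map([
  ["203.0.113.10", "M4W"], ["203.0.113.11", "M4W"], ["203.0.113.12", "M4W"],
  ["203.0.113.13", "M4W"], ["203.0.113.14", "M4W"], ["203.0.113.15", "M4W"],
  ["203.0.113.20", "M5V"], ["203.0.113.21", "M5V"],
]);

// Persistent opt-out list (assumption). Opted-out subscribers never resolve and
// are not counted towards any area's threshold either.
const optedOut = new Set(["203.0.113.15"]);

// Count active (not opted-out) subscribers per area.
function countByArea(table, optOuts) {
  const counts = new Map();
  for (const [ip, area] of table) {
    if (optOuts.has(ip)) continue;
    counts.set(area, (counts.get(area) || 0) + 1);
  }
  return counts;
}

// Internal decision, with a reason the ISP can keep in its own audit log.
function geolocate(ip, table = subscriberAreas, optOuts = optedOut, minMatch = MIN_MATCH) {
  if (optOuts.has(ip)) return { area: null, reason: "opted-out" };
  const area = table.get(ip);
  if (area === undefined) return { area: null, reason: "unknown-ip" };
  const active = countByArea(table, optOuts).get(area) || 0;
  // Minimum-match threshold: an area is only ever reported when enough
  // subscribers share it that the answer cannot single out one household.
  if (active < minMatch) return { area: null, reason: "below-threshold" };
  return { area, reason: "ok" };
}

// What the ad server receives: the area or null, nothing else. Collapsing every
// refusal into the same response is the anti-inference step: the ad server
// cannot distinguish an opted-out subscriber from an unknown or suppressed one.
function answerAdServer(ip) {
  return geolocate(ip).area;
}

// Thresholds are re-evaluated against the live opt-out list: one more opt-out
// in a small area can suppress that area for everyone still in it.
function reasonWithExtraOptOut(ip, extraOptOut) {
  const optOuts = new Set([...optedOut, extraOptOut]);
  return geolocate(ip, subscriberAreas, optOuts).reason;
}

console.log(answerAdServer("203.0.113.10"), answerAdServer("203.0.113.20"));
```

In the constructed table, M4W has six subscribers of whom one has opted out, so it sits exactly at the threshold and resolves; M5V has two and never resolves; and a second M4W opt-out would silence the area for all of its remaining subscribers, which is the price of a threshold that protects the people in it. The ad server only ever sees an area name or null, which is what "zero disclosure of potentially personally identifiable information" in the note above requires of the ISP side.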