What's Left in The Cookie Jar? - EU & US ePrivacy Laws

Join Duncan Smith, CEO of iCompli, and Josh Aberant, Director of Privacy at Marketo, in a 45-minute webinar where you will learn about the recent amendments to European and US ePrivacy laws.

Transcript

  • 1. Webinar: What’s Left in The Cookie Jar? EU & US ePrivacy: what you need to know.
  • 2. Presenters:
    • Josh Aberant, Privacy Director, Marketo
    • Duncan Smith, CEO, iCompli
  • 3. US & EU privacy rules share a strong common history, although you wouldn’t know it looking at the current state of privacy protections. How did we get here? What do you need to do to protect your business in the future?
  • 4. Global ‘State-of-Nation’
    • “ONLINE TRACKING TECHNOLOGIES HAVE ERODED PRIVACY TO AN UNACCEPTABLE POSITION”
    • How have the US and EU ..
      o Lawmakers
      o Technology companies
      o Regulators
      o Self-regulators
      o Marketers
      o Individuals
      .. reacted, and what are the IMPLICATIONS for marketers?
    © 2011 Marketo, Inc. Marketo Proprietary and Confidential
  • 5. It’s a simple problem really...
    CRM #1
      • Target is Male
      • Target is 45
      • Target reads the Guardian online
      • Target has three children
      • Target’s car insurance expires on 31.1.12
    CRM #2
      • Duncan is Male
      • Duncan is 45
      • Duncan reads the Guardian online
      • Duncan has three children
      • Duncan has purchased Viagra online
      • Duncan’s car insurance expires on 31.1.12
  • 6. Compared and contrasted approaches: EU AND US LAW
  • 7. Electronic Communications Framework
    • Framework Directive 2002/21/EC
    • Access Directive 2002/19/EC
    • Authorisation Directive 2002/20/EC
    • Universal Service Directive 2002/22/EC
    • Directive on privacy and electronic communications 2002/58/EC
  • 8. Electronic Communications Framework
    • Framework Directive 2002/21/EC
    • Access Directive 2002/19/EC
    • Authorisation Directive 2002/20/EC
    • Universal Service Directive 2002/22/EC
    • Directive on privacy and electronic communications 2002/58/EC
    ‘Bundled’ into new Directive 2009/136/EC, the ‘Citizens’ Rights’ Directive. Article 5(3): Confidentiality of Communications; Opt-in.
  • 9. Amended UK Law (PEC Regs)
    6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
    (2) The requirements are that the subscriber or user of that terminal equipment--
      (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
      (b) has given his or her consent.
  • 10. ‘Affirmative Question’ equals disruption and is bad for business
    • DCMS (UK Gov) does NOT propose asking an affirmative question to ‘harvest consent’
    • A combination of enhanced browser settings and enhanced information WILL BE SUFFICIENT to meet the requirements of opt-in consent
  • 11. Amended UK Law, LOTS of words!
    (3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
    (4) Paragraph (1) shall not apply to the technical storage of, or access to, information--
      (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
      (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
  • 12. Common History: both EU and US privacy regulations are based on:
  • 13. Fair Information Practices
    • Notice/Awareness (Fundamental Principle): give consumers notice of an entity’s information practices before any personal information is collected from them. (No secret data collection agencies.)
    • Choice/Consent: give consumers options as to how any personal information collected from them may be used.
    • Access/Participation: give consumers the ability both to access data about himself or herself, i.e. to view the data in an entity’s files, and to contest that data’s accuracy and completeness.
    • Integrity/Security: data should be accurate and secure.
    • Enforcement/Redress: the above core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.
  • 14. Fair Information Practices in US law
    • Privacy Act (1974 - applies to Federal agencies)
    • Family Educational Rights & Privacy Act (1974)
    • Right to Financial Privacy Act (1978)
    • Cable Communications Policy Act (1984)
    • Electronic Communications Privacy Act (1986)
    • Employee Polygraph Act (1988)
    • Video Privacy Protection Act (1988)
    • Telephone Consumer Protection Act (1991)
    • Driver’s Privacy Protection Act (1994)
    • Health Insurance Portability & Accountability Act (1996)
    • Children’s Online Privacy Act (1998)
    • Gramm-Leach-Bliley Act (1999)
    • CAN-SPAM (2003)
    • Fair & Accurate Credit Transaction Act (2003)
  • 15. US Law Making
    • Senate Bills
      • John Kerry (D) & John McCain (R)
        o The Commercial Privacy Bill of Rights Act of 2011
      • Jay Rockefeller (D)
        o Do-Not-Track Online Act of 2011
      • Jackie Speier (D)
        o Do Not Track Me Online Act of 2011
    • Politics is Politics
      • E.g. Internet Privacy: The Impact and Burden of EU Regulation
        o Sept 15 - the House Subcommittee on Commerce, Manufacturing and Trade
        o Chaired by Bono Mack (R)
  • 16. Who are they and what are they saying? THE ‘REGULATORS’
  • 17. EU: Regulators
    • WHO: Information Commissioners and the Article 29 Working Party
    • SAYING WHAT: 95/46/EC (The Data Protection Directive) is under review..
    • In the reform I [Viviane Reding] want to introduce four important changes:
      o “Companies outside the EU - if they directly target their activities to EU citizens - will need to abide by the new EU data protection rules”
  • 18. Article 29 Working Party
    • I suggest A29’s advisory status is set to be tested
    • Its July 2011 ‘Opinion 15/2011’ sets it on a collision course with businesses and UK Gov!
    • whenever consent is required, it must be prior to the data processing starting
    • Consent, based on the lack of individuals’ action, for example, through pre-ticked boxes, does not meet the requirements of valid consent under the Directive 95/46/EC.
  • 19. US Regulators
    • FTC
      • Do Not Track List
      • Opt-out of 3rd party tracking
    • US Dept of Commerce
      • Green Paper
      • Baseline federal privacy regulation
        o No more patchwork of local & state laws
      • Enforcement Dept (within Commerce Dept)
    • Patchwork of state & local regulators
      • E.g. Data breach notification regulations are at the state level
  • 20. US Self Regulators
    • OTA – Online Trust Alliance
    • IAB - Interactive Advertising Bureau
    • NAI - Network Advertising Initiative
    • DAA - Digital Advertising Alliance
    • BBB - Better Business Bureau
    • AAAA - American Association of Advertising Agencies
    • TRUSTe
    Online Trust Alliance - https://otalliance.org/
  • 21. Are they saying anything? THE MARKETERS AND CITIZENS
  • 22. EU: The Marketers
    • Any big brands set out their stall yet?
  • 23. EU: The Citizen
    • Emerging qualitative data
    • Participants were given the choice to buy a DVD from one of two online stores
    • One store consistently required more sensitive personal data than the other
    • When prices were identical, participants bought from both shops equally often
  • 24. What’s being done? THE TECHNOLOGY RESPONSE
  • 25. US Technology Response
    In many ways the organizations leading current US privacy developments are US technology providers
    • Do Not Track (DNT) header
      • Firefox first…
      • then Microsoft…
      • then Apple…
      • then… (we’re looking @ you Google)
    Will Norway-based Opera also get with this US program?
  • 26. Firefox Do Not Track Header
  • 27. US Technology Response
    • Open question on what DNT means
      • No tracking whatsoever
        o How do you make web apps and services work? (shopping baskets?)
      • Anonymous tracking only
        o Still breaks many web apps
        o Reduces revenue from ad-supported content
      • No 3rd party tracking
        o FTC alignment
        o Is this what consumers think?
      • Apply opt-outs
        o How do we explain this one to consumers?
  • 28. So what are the implications? What are our recommendations? OUR ADVICE
  • 29. US Marketers – 5 Steps to Be Prepared
    1. Define your Do Not Track program
    2. Record DNT header meta-data for audit purposes
    3. Get Safe Harbor certified
    4. Make sure the partners you share data with are Safe Harbor certified
    5. Secure your data
      o There is no privacy without security
      o Security By Design: https://otalliance.org/resources/securitybydesign.html
  • 30. Consumers – 4 Ways To Protect Your Data
    1. Be mindful of what data you share
    2. Share the minimum amount of data
    3. Clear your personal information
      o Search engine history
      o Web apps history
      o Locally stored objects (e.g. cookies): CCleaner
    4. Keep your computing systems secure
      o Anti-virus
      o Anti-spyware
      o Download and run applications from trusted sources only
  • 31. Be Mindful of Security
    • Corporate culture
    • Long-term commitment
    • A marketer’s mindset
    • Three fundamental truths:
      • Your data includes some PII
      • You will have a data incident
      • Data stewardship is everyone’s responsibility
    Build Trust
  • 32. Top 3 Things marketers can do now
    1. Document a realistic plan to achieve compliance
      • Write down ..
        o What technologies do you employ?
        o How intrusive are they (risk assessment)?
        o How will you obtain consent?
    2. Identify data partners and ‘get on the same page!’
      o Including the likes of third party lead forensics, up-sell engines, data appending services etc.
    3. Prepare a business plan for centralised ‘consent management’
      • Managing ‘overriding’ consent could become very important in the world of ‘DNT’
  • 33. Thank You. Questions and Answers. #Marketo
  • 34. Post-webinar discussion: http://bit.ly/MarketoChat
    Webinar slides and discussion highlights: http://linkd.in/marketo-group
    #Marketo
  • 35. © 2011 Marketo, Inc.
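Steps 1 and 2 of slide 29 (a defined Do Not Track program and an audit trail of the DNT header), combined with the ‘strictly necessary’ exemption quoted on slide 11 and the ‘no 3rd party tracking’ reading of DNT from slide 27, as an added Python example that is not the webinar’s code: the request-header dictionary, the cookie categories, the particular DNT policy and the audit fields are all illustrative assumptions.

```python
# Honor the Do Not Track (DNT) header and audit the decision. Constructed
# example: the header dict, cookie categories, the DNT policy chosen and the
# audit fields are illustrative assumptions, not material from the webinar.
import hashlib
from datetime import datetime, timezone

# Categories follow the PEC Regs split (slide 11): storage "strictly necessary"
# for the service the user requested is exempt from consent; nothing else is.
STRICTLY_NECESSARY = "strictly_necessary"
FIRST_PARTY_ANALYTICS = "first_party_analytics"
THIRD_PARTY_TRACKING = "third_party_tracking"


def _header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower())


def dnt_status(headers):
    """Map DNT to 'opt_out' (DNT: 1), 'opt_in' (DNT: 0) or 'unset'.
    Any other value carries no signal and is treated as unset."""
    value = (_header(headers, "DNT") or "").strip()
    return {"1": "opt_out", "0": "opt_in"}.get(value, "unset")


def cookies_to_set(headers, candidates):
    """Step 1, a written-down DNT program, applied to (name, category) pairs:
    strictly necessary cookies are always set; third-party tracking only on an
    explicit DNT: 0 (the 'no 3rd party tracking' reading from slide 27);
    first-party analytics unless the user opted out. Unknown categories fail closed."""
    status = dnt_status(headers)
    allowed = {
        STRICTLY_NECESSARY: True,
        THIRD_PARTY_TRACKING: status == "opt_in",
        FIRST_PARTY_ANALYTICS: status != "opt_out",
    }
    return [(n, c) for n, c in candidates if allowed.get(c, False)]


def audit_record(headers, set_cookies, client_ip, salt):
    """Step 2: one record per request with the signal received and the cookies
    actually set. The client IP is salted and hashed so the audit trail does
    not itself become a tracking database."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "dnt_raw": _header(headers, "DNT"),
        "dnt_status": dnt_status(headers),
        "client": hashlib.sha256((salt + client_ip).encode()).hexdigest()[:16],
        "cookies_set": sorted(n for n, _ in set_cookies),
    }
```

The audit record is what step 2 asks marketers to keep: it shows, per request, which signal the browser sent and what the site did in response, without storing the raw IP.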