Presentation from the webinar by our sister company Mind Your Privacy and Cardinal Path
In today's digital landscape, analysts, marketers and other data professionals need, more than ever, to know the changes in national and international regulations, as well as a set of basic principles for respecting the privacy and protection of the people whose data they collect.
Digital Marketing meets Privacy
1. September 24, 2014
Webinar
A Global Marketeer’s Guide to Privacy
Unlocking Value and Controlling Risk
2. Today’s Speakers
René Dechamps
CEO & co-founder
Mind Your Group
@rdo
Aurélie Pols
Chief Visionary Officer & co-founder
Mind Your Privacy
@aureliepols
Alex Langshur
Co-founder and Senior Partner
Cardinal Path
@alangshur
3. Summary
1. Housekeeping and intro
2. How to reconcile Privacy viewpoints on a Global Level (US, EU, APEC)
3. Key Legal concepts to collaborate with Legal Counsel
4. 5 Online Marketing Rules to live by with respect to Consumer Privacy
5. Q&A
6. National Security vs. Privacy
Data Retention vs. Data Protection
Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg
E.g. DRIP (UK, passed), SOPA (US: Stop Online Piracy Act, similar to French HADOPI) & PIPA (US: Protect IP Act)
8. Regulatory Law
“Every country is a little different. You run into different regulatory regimes and you need to make sure you have the right tools so that people can implement the right policies they are required to by law… They aren’t that different”
Source: Bloomberg Singapore Sessions, April 23rd 2014
http://www.bloomberg.com/video/big-data-big-results-singapore-sessions-4-23-kHN5zrGbR_Wq6hbmV9~aXQ.html
9. A Global Perspective
US & UK | EU | APEC
Common Law | Continental Law | Continental law influenced
Class actions | Fines (by DPAs: Data Protection Agencies)
Privacy | Personal Data Protection (PDP)
Business focused | Citizen focused: data belongs to the visitor/prospect/consumer/citizen
Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations
PII: varies per state | Risk levels: low, medium, high, extremely high
10. PII: ah but we don’t collect it!
Medical information as PII
California
Arkansas
Missouri
New Hampshire
North Dakota
Texas
Virginia
Financial information as PII
Alaska
Iowa
Kansas
Massachusetts
Missouri
Nevada
New York*
North Carolina
North Dakota
Oregon
South Carolina
Vermont
Wisconsin
Wyoming
Passwords as PII
Georgia
Maine
Nebraska
Biometric information as PII
Iowa
Nebraska
North Carolina
Wisconsin
Source: information based on current continuous monitoring (partial results)
11. So what is considered PII?
Personal Information (based on the definition commonly used by most US states)
i Name, such as full name, maiden name, mother's maiden name, or alias
ii Personal identification number, such as social security number (SSN), passport number, driver's license number, account and credit card number
iii Address information, such as street address or email address
iv Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address
v Telephone numbers, including mobile, business, and personal numbers
vi Information identifying personally owned property, such as vehicle registration number or title number and related information
Source: information based on current continuous monitoring (partial results)
12. If you collect PII… then
US & UK | EU | APEC
Common Law | Continental Law | Continental law influenced
Class actions | Fines (by DPAs: Data Protection Agencies)
Privacy | Personal Data Protection (PDP)
Business focused | Citizen focused
Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations
PII: varies per state | Risk levels: low, medium, high, extremely high
13. Privacy focus: US vs. EU
[Diagram. Entities: Customer / voter / citizen; Company X Website; Databroker; Company Y Website. Labels: EU focus; US focus; EU focus: controller; EU focus: (sub) processor; consent]
14. PII vs. Risk levels
[Chart. Axes: Risk level, Data type. Risk levels: Low; Medium (profiling); High (sensitive); Extremely high (profiling of sensitive data). Other labels: Information Security Measures; PII]
15. EU fines?
Spain: responsible for 80% of data protection fines in the EU
Source: http://i0.kym-cdn.com/photos/images/newsfeed/000/242/381/63a.jpg
Source: http://www.mindyourprivacy.com/download/privacy-infographic.pdf
16. 3. LEGAL CONCEPTS TO EFFICIENTLY COLLABORATE WITH LEGAL COUNSEL
Privacy cheat sheet
17. Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
18. Fair Information Privacy Practices (FIPPs)
Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg
19. FIPPs: Fair Information Practice Principles
These principles are not laws; they form the backbone of privacy law and provide guidance in the collection, use and protection of personal information
Transparency: ensures no secret data collection; provides information about the collection of personal data to allow users to make an informed choice
Choice: gives individuals a choice as to how their information will be used
Information review & correction: allows individuals the right to review and correct personal information
Information protection: requires organizations to protect the quality and integrity of personal information
Accountability: holds organizations accountable for complying with FIPPs
20. Purpose, Consent & Data Uses
[Diagram]
From: Purpose, Consent, FIPPs, Data for approved use
To: Purpose, Consent, FIPPs, Data analysis or merging, New business opportunity
21. Past: Web Analytics
Purpose
• “Make your web experience better”
• Improve visitor UX & CRO
Consent
• US: none if no PII, depends per sector (& state)
• EU: current Directive implicit consent seems to be the norm
Data for approved use
• Dashboards
• A/B testing
• various analysis to improve the anonymous yet segmented “digital experience”
22. [EU Cookie Directive: implicit consent]
Opt-in vs. Opt-out strategies & consequences on data collection
Source: http://chinwag.com/files/images/photos/ico-traffic-post-cookie-graph.gif
23. Future: Digital Analytics
Multi-channel & Omnichannel data merges
Purpose
• “Make your web experience better”
• Improve visitor UX & CRO
• Data merging & sharing
Consent
• US: none if no PII, depends per sector (& state)
• EU: current Directive implicit consent for 1st party analytics cookies, explicit consent required for 3rd party
FIPPs
• Transparency
• Choice, opt-out vs. opt-in
• Information review & correction
• Information protection
• Accountability
Data for approved use
• Reporting and analysis
• A/B testing
• Personalization
• Retargeting, behavioral targeting
24. The upcoming EU Regulation
• Expands data regulation beyond EU borders & to a wider class of data
• Shift from “Personal” to “Regulated” data
• Transparency & Consent
• Data security obligations for brands & their agencies
• Demonstrating that you comply
• Fines up to 5% of global turnover
#EUDataP
25. Privacy by Design (PbD): 7 Fundamental Principles
Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada
1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive events before they happen
2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by ensuring that personal data are automatically protected in any given IT system or business practice
3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an essential component of the core functionality being delivered
4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies
5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of information, end-to-end
6. Visibility and Transparency – Keep it Open: operating according to the stated promises and objectives, subject to independent verification
7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice, and empowering user-friendly options
26. Or in a nutshell…
Which legislation(s) does your company need to respect? Region/country, sector, type/groups of data
What are the risks? Fines, class actions, customer complaints, security breaches
What is the trade off? Compliance vs. data, business needs and technology
28. 5 Online Marketing rules to respect consumer's privacy
1. Say what you Do and Do what you Say
2. Harness your Data Liability
3. Foster Data Frugality & Documentation
Agile is the ‘mot du jour’
4. Cherish the Human Aspect of Data Protection
5. Dialogue and find common ground
29. 1. Say what you Do & Do what you Say
Privacy policy statements:
• Publicly available documents
• Date stamp: less than 1 year old
• Implies processes:
– Eg. “we don’t collect data of minors” => COPPA
– Deletion & anonymization
– Bankruptcy or M&A data transfers
• Attributes responsibility: privacy@company.com
31. Yelp said that only about 0.02 percent of users who actually completed the registration process during the time period provided an underage birth date, “and we have good reason to believe that many of them were actually adults.”
The company had an average of about 138 million unique visitors in Q2 of 2014.
Cost? above 16$/monthly unique …
Source: http://www.pcworld.com/article/2684752/yelp-settles-us-ftc-charges-of-violating-child-privacy.html
32. 2. Harness data liability
Across data platforms & flows
– Understand Terms & Conditions
– Sovereignties/legal jurisdictions: Safe Harbor and Binding Corporate Rules (BCRs)
– Access!
Tool vetting
Agency vetting
33. Cloud tools fines & warnings
Oi, Brazilian Telco & Phorm
France Telecom & email campaign tool
34. Responsibility of analytics agency?
Information Security & Compliance: Follow the Data
Define the tools
Grant accesses
Data collection & data lifecycle
Data sharing & data flows
Often a weak link
35. Who has access?
Source: Privacy Green seal, specific audit for analytics tools & data agencies
36. 3. Foster data frugality & documentation
Old adage: “let’s collect everything, just in case”
New adage: cherry pick the data for which the following must hold true:
1. Without X data attribute, I cannot do Y legitimate task and need no less than X to do Y
2. Additionally collecting data point Z will not jeopardize my initial data collection purpose
Agile is the mot du jour, also for data collection
37. Agile ways of working with Purpose and Consent
Use meta-data to classify data fields and groups to
– Identify data fields containing PII/personal data, (ad) collection source, use and disclosure/sharing;
– Identify data fields/groups and their storage that need consent;
– Identify data fields that may need correction by individuals;
– Identify data fields that may need de-identification, anonymization or deletion.
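One way to put this metadata classification to work, together with the frugality rule from the previous slide (an added example, not part of the original slides). The field names, flags, sample record and the `prepare_for_sharing` helper are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Constructed catalogue: one metadata entry per collected field, covering PII,
# collection source, purpose, sharing, consent, correction and de-identification.
CATALOG = {
    "email":      {"pii": True,  "source": "signup form",    "purpose": "account login",
                   "shared_with": [], "needs_consent": True,  "correctable": True,  "deidentify": None},
    "ip_address": {"pii": True,  "source": "web server log", "purpose": "fraud checks",
                   "shared_with": ["analytics vendor"], "needs_consent": True,
                   "correctable": False, "deidentify": "hash"},
    "page_path":  {"pii": False, "source": "analytics tag",  "purpose": "UX reporting",
                   "shared_with": ["analytics vendor"], "needs_consent": False,
                   "correctable": False, "deidentify": None},
    "birth_date": {"pii": True,  "source": "signup form",    "purpose": None,
                   "shared_with": [], "needs_consent": True,  "correctable": True,  "deidentify": "delete"},
}

# Constructed sample record; "utm_x" is deliberately missing from the catalogue.
SAMPLE = {"email": "a@example.com", "ip_address": "203.0.113.7",
          "page_path": "/pricing", "birth_date": "2001-01-01", "utm_x": "foo"}

def fields_where(flag):
    """Names of catalogued fields whose metadata flag is set (truthy)."""
    return sorted(name for name, meta in CATALOG.items() if meta[flag])

def undocumented_purpose():
    """Frugality check: fields collected without a documented purpose."""
    return sorted(n for n, m in CATALOG.items() if m["purpose"] is None)

def prepare_for_sharing(record, consented, key):
    """Return the subset of `record` that may be passed on for analysis."""
    out = {}
    for name, value in record.items():
        meta = CATALOG.get(name)
        if meta is None or meta["purpose"] is None:
            continue  # unclassified or purposeless fields are never passed on
        if meta["needs_consent"] and name not in consented:
            continue  # consent required but not given for this field
        if meta["deidentify"] == "delete":
            continue
        if meta["deidentify"] == "hash":
            # Keyed hash: an unkeyed hash of an IPv4 address can be brute-forced.
            # This is pseudonymisation, not anonymisation.
            value = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
        out[name] = value
    return out
```

Fields that are absent from the catalogue are dropped by default, so a new tracking parameter cannot leave the system until someone has classified it.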
38. 4. Cherish HR in Data Protection
Human error causes most data breaches
Enterprise goal
User goals
Privacy Policy
Requirements
Privacy
Mechanisms
Procedures & Processes
Privacy Awareness
Training
Quality Assurance
And escalation procedures to attribute responsibility
Should we do this analysis?
41. Purpose, Consent & Data Uses
[Diagram]
From: Purpose, Consent, FIPPs, Data for approved use
To: Purpose, Consent, FIPPs, Data analysis or merging, New business opportunity
42. 5. Dialogue & common ground
Trust and Creepiness: Consent is about a reasonable expectation of the use of data
There’s a fine line between:
– Feeling charmed
– Feeling invaded
Create win-win situations:
– Customers give company information
– Customers get better service/value for money
44. Where to start?
Compliance?
Privacy?
Security?
Moving targets
45. The “Magnum” Plan
• Document your data set-up
• Set-up a compliance check-list:
– Applicable legislations to your sector
– Territorial scope
• Evaluate your risk
• Follow-up with information security measures (data protection)
• Adopt global & sustainable Privacy best practices