HEATHER ZACHARY
Wilmer Hale
Give an overview of topics at a very high level
1. EU (European Union) Data Privacy
2. FTC's role in regulatoring roles in US
3. Specific sectors, Financial, Education, Children's apps
4.
1. EU (European Union) Data Privacy
More restrict then US. Things we consider public information are more often private in the EU
Individual countries with the EU can layer on their own laws, eg. Anonymous sign-up on Facebook
Can apply to many US companies, even if you are not in the EU
If you drop a cookie on someone's computer, you may be violating privacy law in EU
EU is becoming even more restrictive, new laws proposed
2. US: Sectorial Privacy
Financial
Health
Children's
Video history
Exception: FTC's ability to investigate deceptive trade practices & unfair practices
Would that include dual agency?
If you privacy policy says "we don't collect and share your info"
FTC's "unfair definition" even scarier
eg. Collecting consumer info in public space via mobile app could be considered "unfair"?
March 20, 2012: FTC Privacy Guidebook
Goes beyond law to "Best Practices"
Mobile apps used to be Wild, Wild West, could collect anything
In last two months allow, CA and other group have issued
CA Online Privacy Protection Act: CA Attorney General issuing $2,500 per download of App -- WOW!
Mobile App Privacy Policy:
Move away from device to ...?
If doing out of app advertising, get consent ahead of time?
App developers pushing back -- say CA going beyond the law.
FTC also published privacy guidelines
If you are going to collect mobile data, must get consent
FINANCIAL DATA:
GLB Act
Graham Leach Bialley Act (sp?) may apply to the data you are collecting
If collecting info to qualify for credit or housing, have to comply with the FCRA: What does it stand for?
HEALTH DATA:
do not get close to health data without understanding of HIPA
CHILD RELATED:
VIDEO PRIVACY PROTECTION:
-----
MARC ROSSEN
MediaMath
@marcprossen
Work with anonymized cookie level data
Help clients understand more about consumers
Consumers, friends and family reflecting a lot of fear in the market place
Surprises me on a day to day basis -- not trying to scare people, but for consumers who do NOT understand technology, the prospect of being tracked everywhere is threatening
We see the upside, positive side
Lot of jobs being created
We should be concerned about protected children
Do not track
PII Data / Non-PII Data
PII = Personally Identifiable Individual Data
Should have extreme protection around it
I don't want people to be able to see my credit card data
Non-PII Data
Can be anonymized, can't be tracked back to people
Track back to zip code, at most -- so can't track individuals
Consumers don't realize how serious business take this privacy
Example: Remove cookie level data after 90 days
IAB:
People don't really have need for data
When you're building models in real-time, aggregating data beyond 90 days doesn't do much for you
When a client wants to link up behavior, the policies that oversee how we use data are SO STRICT that PII Data is anonymized?
My point about fear: Don't care who the person is, we use data understand the relative value to different cookies not individuals
You don't need to know who people are to do that
Story: My wife was on the computer, looking at Yahoo Mail, day after going to Nordstorm's, and she was not pleased to see an ad related to her recent purchase
US is known for creating free-market solutions, legislation is good and necessary for extremes -- eg. protecting consumers
But when consumers respond to things, the marketplace responds
Let consumers make choices -- if they don't want to be trapped, give them data opt-out on Non-PII Data
Most consumers won't go through effort to make sure their data is erased?
Most people like the fact that Amazon refers books they would like
If you turn your cookie's off, you'll lose that functionality
People in this space need to address fear, let people know what protections there are out there
=====
CARL KALAPESI
Boston Consulting Group
Working with World Economic Forum re Personal Data
Also working with executive and regulators in the public sector
Led a globe dialogue, culminated at Davos
Go to WEF site on Friday do download
Who owns personal data?
1. I own it; Votes: 9
2. The organization that collected it: 4
3. The government
4. Combination: I own it, as well as the site or organization that collected it
Repeated the same survey on Facebook
Over half of people thought / believed they owned their own data
WEForum Project is designed to find balance between personal ownership and other ownership
Focusing on data
1. Security
2. Rights and responsibilities
3. Holding people accountable for how they use or misuse data
Started with principles written in 1980
How has world changed since then
Davos session, a month ago
AddValue
Described 2.5 hours brainstorm in this sketch
WEF conversation has changed pretty significantly over the past 2 years
Has moved from sideshow to main stream - getting attention at most senior level of business and government
CONCENSUS: Big shifts
1. Conversation has moved from data to usage
Stop thinking about data as good or bad. Data is neutral - value is how do we manage the use of data?
2. In terms of how we engage individuals, transparency and long privacy policies are NOT enough
Need to create a way to help people UNDERSTAND how their data is being used [and how might benefit]
3. Want something more than a check-off box to control consent
Need to have more conversation about whether opt-in or opt-out preference
4. Don't live in a black & white world anymore
Context goes meaning - even things like PII are no longer obvious
=====
COLIN O'MALLEY
Evidon
@micshasn
Involved in EU groups across Europe
Had the privilege of working with some of the smartest attorney's in the world
Involve in @Ghostery
Can see who is tracking you, and lock down who is tracking you if you don't like it! YEAH!
We also build compliance tools
Our job is to build pragmatic tools people can use
Particularly consent related issues on the ground
Work with 50-60 ad networks across the world, load about 2 billion "Ad Choice" icon ads a day
Practical insights:
1. PII and Non-PII
Agree how little that distinction means anymore
Once was don't need to worry about non-PII, but no longer the case
Regulators are struggling with this...
Privacy by Design:
EU moving towards "if you add a cookie to a person's device" that is a violation
For practitioners, need to understand you are really
2. Fear - media coverage is overblown but needs attention
But still our fault
Industry continued to talk itself despite rising fears of consumers
If someone comes into your house, and says we're not taking anything of value burden of proof is on us
As an industry, need to think about the best tools to provide transparency
If you aspire to "best practices" you should have a good base layer to tweak for different jurisdictions
Legal and technical issues
Do Not Track / DNT gets a lot of attention
18 months in discussion, still not concensus
Default setting on DNT cookies will have a significant impact
3. Mobile browsers becoming more powerful
Cookies not used on mobile apps now, but more powerful browsers could raise new tracking issues
=====
Q & A:
Q1. How can we develop regulations that balance need for consumer privacy without stifling competition?
Industry initiatives are moving forward, but there is also momentum towards EU-like restrictions
Needs to balance -- industry needs to take leadership or policy makers will
Alternative response: Give people personal clouds and other apps to manage their own digital identity
Smart people in this room working on it
Main concern: How do we reach scale
How do we automate import of data
Corporate sector is just starting to get there
No longer telling government to get off their back, but acknowledging issue and some -- including British Petroleum -- providing solutions
Implemented a sliding scale which revealed: What we will be able to do, what we won't be able to do
Q2.
Start to use technology to insure that permissions flow with the data
Most of us don't have a clue how credit transactions take place
Solution: More transparency about transaction, combined with rising confidence that things will be OK like a credit card transaction
Going to cost money to implement solutions
It's an issue of incentives -- when an industry realizes there's a benefit in responding, they will
Consumer's don't really understand how behavioral tracking works now
Lawyer says, "people don't care?"
@Ghostery based on patterns, built their own pattern libary
=====
@DSearls
Swift has worked for 2.5 years on DAG: Digital Asset Grid
Open Source work ready to be picked up
The industry is all companies that are advertisers
Publishing companies are also players
http://WEForum.org/personaldata
Q3. If personal data is the new money, how do we value it?
@CarlKalapesi Hard to model value
Only useful way of doing this is to take application
ValueOfPersonalData.com
Put all of the case studies that are all out there
Kaiser report, for example, report on value of better care to their patients
@micshasan
Can look at single high value transactions, like high value transactions for high network individuals might be $10
Massively valuable in the aggregate, but minimal with pooling -- might buy you a drink in Manhattan each year?
We're very early in figuring out uses
If you could value data right now, will multiple by a factor or four or five times in the next 5 years
@marcprossen
Need to look at value to industry back into value
Who is responsible for educating the consumer?
Is it the companies who are offering services?
@carlkalapesi
When we give consumers the ability to make meaningful choices, they will care -- see BP example
Unless we want to rely on the press, we as industry need to educate consumers otherwise the press will sensationalize fear
Example: One scandal story about a company misusing data will wipe out benefits of expenditures to create positive impression
If the consumer is the stakeholder, you need to get in front of them and make the case for trust
Comments (0)
You don't have permission to comment on this page.