

PDNYC:  Personal Cloud (Inaugural) NYC MeetUp

Page history last edited by RealEstateCafe 9 years, 9 months ago


Wilmer Hale


Give an overview of topics at a very high level

1.  EU (European Union) Data Privacy 


2.  FTC's regulatory role in the US


3.  Specific sectors, Financial, Education, Children's apps




1.  EU (European Union) Data Privacy 


More restrictive than US. Things we consider public information are more often private in the EU

Individual countries within the EU can layer on their own laws, e.g. Anonymous sign-up on Facebook

Can apply to many US companies, even if you are not in the EU


If you drop a cookie on someone's computer, you may be violating privacy law in EU


EU is becoming even more restrictive, new laws proposed


2.  US:  Sectoral Privacy




Video history


Exception:  FTC's ability to investigate deceptive trade practices & unfair practices

Would that include dual agency?

If your privacy policy says "we don't collect and share your info"


FTC's "unfair definition" even scarier

eg. Collecting consumer info in public space via mobile app could be considered "unfair"?

March 20, 2012:  FTC Privacy Guidebook

Goes beyond law to "Best Practices"


Mobile apps used to be Wild, Wild West, could collect anything

In last two months alone, CA and other groups have issued 

CA Online Privacy Protection Act:  CA Attorney General issuing $2,500 per download of App -- WOW!

Mobile App Privacy Policy:

Move away from device to ...?


If doing out of app advertising, get consent ahead of time?

App developers pushing back -- say CA going beyond the law.


FTC also published privacy guidelines

If you are going to collect mobile data, must get consent




Gramm-Leach-Bliley Act may apply to the data you are collecting


If collecting info to qualify for credit or housing, have to comply with the FCRA:  What does it stand for?



Do not get close to health data without an understanding of HIPAA












Work with anonymized cookie level data

Help clients understand more about consumers


Consumers, friends and family reflecting a lot of fear in the market place


Surprises me on a day to day basis -- not trying to scare people, but for consumers who do NOT understand technology, the prospect of being tracked everywhere is threatening


We see the upside, positive side

Lot of jobs being created


We should be concerned about protecting children


Do not track


PII Data / Non-PII Data

PII = Personally Identifiable Individual Data

Should have extreme protection around it

I don't want people to be able to see my credit card data


Non-PII Data

Can be anonymized, can't be tracked back to people

Track back to zip code, at most -- so can't track individuals


Consumers don't realize how seriously businesses take this privacy

Example:  Remove cookie level data after 90 days



People don't really have need for data

When you're building models in real-time, aggregating data beyond 90 days doesn't do much for you


When a client wants to link up behavior, the policies that oversee how we use data are SO STRICT that PII Data is anonymized?


My point about fear:  Don't care who the person is, we use data to understand the relative value of different cookies, not individuals

You don't need to know who people are to do that


Story:  My wife was on the computer, looking at Yahoo Mail, day after going to Nordstrom's, and she was not pleased to see an ad related to her recent purchase


US is known for creating free-market solutions, legislation is good and necessary for extremes -- eg. protecting consumers

But when consumers respond to things, the marketplace responds


Let consumers make choices -- if they don't want to be trapped, give them data opt-out on Non-PII Data

Most consumers won't go through effort to make sure their data is erased?

Most people like the fact that Amazon refers books they would like

If you turn your cookies off, you'll lose that functionality


People in this space need to address fear, let people know what protections there are out there





Boston Consulting Group


Working with World Economic Forum re Personal Data

Also working with executive and regulators in the public sector

Led a global dialogue, culminated at Davos


Go to WEF site on Friday to download


Who owns personal data?

1.  I own it;  Votes:  9

2.  The organization that collected it:  4

3.  The government

4.  Combination:  I own it, as well as the site or organization that collected it


Repeated the same survey on Facebook

Over half of people thought / believed they owned their own data


WEForum Project is designed to find balance between personal ownership and other ownership

Focusing on data

1.  Security

2.  Rights and responsibilities

3.  Holding people accountable for how they use or misuse data


Started with principles written in 1980

How has world changed since then


Davos session, a month ago



Described 2.5 hours brainstorm in this sketch



WEF conversation has changed pretty significantly over the past 2 years

Has moved from sideshow to mainstream - getting attention at most senior level of business and government


CONSENSUS:  Big shifts


1.  Conversation has moved from data to usage

Stop thinking about data as good or bad.  Data is neutral - value is how do we manage the use of data?


2. In terms of how we engage individuals, transparency and long privacy policies are NOT enough

Need to create a way to help people UNDERSTAND how their data is being used [and how might benefit]


3.  Want something more than a check-off box to control consent

Need to have more conversation about whether opt-in or opt-out preference


4.  Don't live in a black & white world anymore

Context gives meaning - even things like PII are no longer obvious








Involved in EU groups across Europe

Had the privilege of working with some of the smartest attorneys in the world


Involved in @Ghostery 

Can see who is tracking you, and lock down who is tracking you if you don't like it!  YEAH!


We also build compliance tools

Our job is to build pragmatic tools people can use

Particularly consent related issues on the ground


Work with 50-60 ad networks across the world, load about 2 billion "Ad Choice" icon ads a day


Practical insights:


1.  PII and Non-PII

Agree how little that distinction means anymore

Once was don't need to worry about non-PII, but no longer the case


Regulators are struggling with this...


Privacy by Design:  

EU moving towards "if you add a cookie to a person's device" that is a violation


For practitioners, need to understand you are really


2.  Fear - media coverage is overblown but needs attention

But still our fault

Industry continued to talk to itself despite rising fears of consumers


If someone comes into your house and says "we're not taking anything of value", burden of proof is on us


As an industry, need to think about the best tools to provide transparency

If you aspire to "best practices" you should have a good base layer to tweak for different jurisdictions


Legal and technical issues

Do Not Track / DNT gets a lot of attention

18 months in discussion, still no consensus


Default setting on DNT cookies will have a significant impact


3.  Mobile browsers becoming more powerful

Cookies not used on mobile apps now, but more powerful browsers could raise new tracking issues




Q & A:


Q1.  How can we develop regulations that balance need for consumer privacy without stifling competition?


Industry initiatives are moving forward, but there is also momentum towards EU-like restrictions

Needs to balance -- industry needs to take leadership or policy makers will


Alternative response:  Give people personal clouds and other apps to manage their own digital identity

Smart people in this room working on it

Main concern: How do we reach scale

How do we automate import of data


Corporate sector is just starting to get there

No longer telling government to get off their back, but acknowledging issue and some -- including British Petroleum -- providing solutions

Implemented a sliding scale which revealed:  What we will be able to do, what we won't be able to do




Start to use technology to ensure that permissions flow with the data


Most of us don't have a clue how credit transactions take place

Solution: More transparency about transaction, combined with rising confidence that things will be OK like a credit card transaction


Going to cost money to implement solutions


It's an issue of incentives -- when an industry realizes there's a benefit in responding, they will

Consumers don't really understand how behavioral tracking works now

Lawyer says, "people don't care?"


@Ghostery based on patterns, built their own pattern library






Swift has worked for 2.5 years on DAG:  Digital Asset Grid

Open Source work ready to be picked up


The industry is all companies that are advertisers


Publishing companies are also players




Q3.  If personal data is the new money, how do we value it?


@CarlKalapesi Hard to model value


Only useful way of doing this is to take application 



Put all of the case studies that are all out there


Kaiser report, for example, report on value of better care to their patients




Can look at single high value transactions, like high value transactions for high net worth individuals might be $10


Massively valuable in the aggregate, but minimal with pooling -- might buy you a drink in Manhattan each year?


We're very early in figuring out uses 

If you could value data right now, will multiply by a factor of four or five times in the next 5 years




Need to look at value to industry back into value


Who is responsible for educating the consumer?

Is it the companies who are offering services?




When we give consumers the ability to make meaningful choices, they will care -- see BP example


Unless we want to rely on the press, we as industry need to educate consumers otherwise the press will sensationalize fear


Example:  One scandal story about a company misusing data will wipe out benefits of expenditures to create positive impression


If the consumer is the stakeholder, you need to get in front of them and make the case for trust

