A presentation by Commissioner Cavoukian to the Canadian Institute Advertising and Marketing Law Conference on how Privacy by Design can give a sustainable competitive advantage in advertising and marketing.
Say Good-Bye to Zero-Sum: Say Hello to Privacy and Marketing, by Design
1. Say Good-Bye to Zero-Sum: Say Hello to Privacy and Marketing by Design
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner
Ontario, Canada
Canadian Institute
Advertising and Marketing Law Conference
January 23, 2013
2. Presentation Outline
1. We Need a Paradigm Shift
2. Positive-Sum, NOT Zero-Sum
3. Privacy by Design: The Gold Standard
4. Privacy in Advertising and Marketing
5. Why Privacy is Good for Business
6. Operationalizing Privacy by Design
7. Conclusions
4. Why We Need Privacy by Design
Most privacy breaches remain undetected – as regulators, we only see the tip of the iceberg.
The majority of privacy breaches remain unchallenged, unregulated ... unknown.
Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy.
5. The Future of Privacy
Change the Paradigm to
Positive-Sum,
NOT
Zero-Sum
6. Positive-Sum Model
Change the paradigm from a zero-sum to a “positive-sum” model: create a win-win scenario, not an either/or (vs.) involving unnecessary trade-offs and false dichotomies … replace the “vs.” with “and”.
7. Privacy by Design: “Build It In”
• I first developed the concept of “Privacy by Design” in the 90s,
as a response to the growing threats to online privacy that were
beginning to emerge;
• “Privacy by Design” seeks to build in privacy – up front,
right into the design specifications; into the architecture;
embed privacy into the technology used – bake it in;
• Data minimization is key: minimize the routine collection
and use of personally identifiable information – use encrypted
or coded information whenever possible;
• Use privacy-enhancing technologies (PETs) plus where
possible: give people maximum control over their own data.
9. Adoption of “Privacy by Design” as an International Standard
Landmark Resolution Passed to Preserve the Future of Privacy
By Anna Ohlden – October 29th 2010 - http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
JERUSALEM, October 29, 2010 – A landmark Resolution by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, was approved by international Data Protection and Privacy Commissioners in Jerusalem today at their annual conference. The resolution recognizes Commissioner Cavoukian's concept of Privacy by Design - which ensures that privacy is embedded into new technologies and business practices, right from the outset - as an essential component of fundamental privacy protection.
Full Article:
http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
10. Privacy by Design: The 7 Foundational Principles
1. Proactive not Reactive: Preventative, not Remedial;
2. Privacy as the Default setting;
3. Privacy Embedded into Design;
4. Full Functionality: Positive-Sum, not Zero-Sum;
5. End-to-End Security: Full Lifecycle Protection;
6. Visibility and Transparency: Keep it Open;
7. Respect for User Privacy: Keep it User-Centric.
www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf
13. Personal Information Protection and Electronic Documents Act (PIPEDA)
• Online behavioural advertising may be considered a
reasonable purpose under PIPEDA;
• PIPEDA requires an individual’s knowledge and consent
for the collection, use, or disclosure of personal
information;
• PIPEDA also requires that the purposes for which an
individual’s information is to be collected, used or
disclosed be explained in a clear and transparent manner;
• Any collection or use of an individual’s web browsing
activity must be done with that person’s knowledge and
consent.
14. Report from Advertising Standards Canada
According to a report from Advertising Standards Canada:
• 89% agreed with the statement, “people share far too much personal information online these days;”
• 72% responded that they were worried about the erosion of personal privacy;
• 73% said they were aware that businesses were tracking people's activities on the Web in order to understand their interests.
— Susan Krashinsky,
Give consumers choice, control on personal data, advertisers
urged; ASC recommending a four-step process for building trust,
Globe and Mail, November 20, 2012.
www.theglobeandmail.com/report-on-business/give-consumers-choice-control-on-personal-data-advertisers-urged/article5461959/
15. Consumers Favour Do Not Track (DNT) by Default
“Seventy-five percent of the consumers we surveyed in the U.S. and Europe said they wanted DNT on, by default.”
— Brad Smith
Microsoft Executive Vice-President
December, 2012.
http://www.bloomberg.com/news/2012-12-13/microsoft-rankles-advertisers-with-web-user-privacy-plan.html
16. Microsoft Internet Explorer 10 Do Not Track
• June 2012 – Microsoft announced the Do Not Track option would be
activated by default in Internet Explorer 10 on Windows 8, as part of its
commitment to user privacy;
• The Default Rules – research shows that whatever the default condition is,
that is the one that will prevail;
• Microsoft was criticized by advertising companies, who said Do Not Track
must be a choice made by users and should not be automatically enabled –
this despite the fact that they have been making the choice for users all along;
• Companies have always made the choice for their users – the existing
default is one of tracking/advertising;
• Microsoft responded that users would prefer a browser that automatically
respected their privacy – I totally agree – see my YouTube video here:
http://www.youtube.com/watch?v=1OtV-sGu17U
17. Berkeley Center for Law and Technology Survey on Online Privacy
• At the Amsterdam Privacy Conference in October, 2012, the Berkeley Center for Law and Technology released its survey findings:
• 87% of those surveyed had not heard about proposals to create a Do Not Track option for the Internet;
• 30% understood that advertisers can track users on medical information sites;
• 40% believed they had fewer privacy rights when visiting a free website supported by advertising.
www.law.berkeley.edu/13260.htm
18. “Most consumers want Do Not Track to mean exactly that: do not collect information that allows companies to track them across the Internet. This may seem obvious, but even the definition articulated by the FTC may fall short of these consumer expectations.”
— Chris Jay Hoofnagle,
Director, Information Privacy Programs,
Berkeley Center for Law & Technology,
October, 2012.
19. Would you allow a social networking app to collect your contact list in order to suggest more friends?
51%
30%
www.law.berkeley.edu/13260.htm
20. Would you allow a coupons app to collect your contact list in order to offer coupons to your contacts?
75%
18%
www.law.berkeley.edu/13260.htm
21. Would you allow your cell phone provider to use your location to tailor ads to you?
70%
22%
www.law.berkeley.edu/13260.htm
22. There is another way … Applying Fair Information Practices to CRM:
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, and Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
www.ipc.on.ca/English/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=234
23. Permission-Based Marketing: The Personal Touch
• Essential premise: persuade consumers to volunteer their attention;
• Predicated on Consent: make consumers active recipients of marketing information;
• Puts control in the hands of consumers;
“Just because you somehow get my email address doesn’t mean you have permission.”
— Seth Godin,
Permission-Based Marketing, 2001.
25. The Privacy Dividend
1. The Business Case
2. Personal Information in the Business Context
3. Creating the Business Case
“In the words of Commissioner Cavoukian, ‘The “payoff” to privacy-respecting organisations is ... ultimately, enduring competitive advantage. In a world of increasingly savvy and inter-connected customers, an organisation’s approach to privacy may offer precisely the competitive advantage needed to succeed.’”
www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_dividend.pdf
26. Bering Media has built Privacy into IP Geolocation:
• Using a unique double-blind privacy architecture;
• Minimum-match thresholds / Anti-inference algorithms;
• Dynamic IP address management;
• Persistent, permanent opt-out, globally.
www.ipc.on.ca/images/Resources/pbd-ip-geo.pdf
27. The Bottom Line
Privacy should be viewed as a business issue, not a compliance issue.
Think strategically and transform privacy into a competitive business advantage.
28. Cost of Taking the Reactive Approach to Privacy Breaches
[Diagram: Proactive vs. Reactive – costs of the reactive approach: lawsuits, damaged brand name, loss of consumer trust]
29. Consumer Choice and Privacy
• There is a strong competitive advantage for
businesses to invest in good data privacy and
security practices;
• “A significant portion of the population is
becoming concerned about identity theft, and
it is influencing their purchasing decisions.”
— Rena Mears, Deloitte & Touche LLP,
Survey Reports An Increase in ID Theft and Decrease in
Consumer Confidence, 2005.
30. Online Consumers Willing to Pay for Privacy
• A study conducted at Carnegie Mellon University found that when privacy information is made more salient and accessible, some consumers are willing to pay a premium to purchase goods from privacy-protective websites;
• When shopping online, participants made significantly
more purchases from sites rated “High Privacy” (47.4%)
compared to participants buying from sites rated
“No Privacy” (5.6%).
— Online Consumers Willing to Pay Premium for Net Privacy, Study Finds,
ScienceDaily, July 11, 2011.
Study conducted by Janice Y. Tsai, Serge Egelman, Lorrie Cranor, and
Alessandro Acquisti of Carnegie Mellon University
http://www.informs.org/Pubs/ISR
31. Bottom Line: It’s All About Trust
“Trust is more important than ever online … Price does not rule the Web … Trust does.”
— Frederick F. Reichheld,
Loyalty Rules: How Today’s Leaders Build Lasting Relationships
32. Reasons for Building Consumer Trust
• Continuation of valuable business
relationships;
• Loyal, repeat customers;
• Sustainable competitive edge;
• Consumer confidence and trust.
— Ann Cavoukian, Ph.D., Tyler Hamilton, The Privacy Payoff: How Successful
Businesses Build Consumer Trust, McGraw-Hill Ryerson, 2002, pp. 13-14.
33. Operationalizing Privacy by Design
9 PbD Application Areas
• CCTV/Surveillance cameras in mass transit systems;
• Biometrics used in casinos and gaming facilities;
• Smart Meters and the Smart Grid;
• Mobile Communications;
• Near Field Communications;
• RFIDs and sensor technologies;
• Redesigning IP Geolocation;
• Remote Home Health Care;
• Big Data and Data Analytics.
www.privacybydesign.ca
34. Conclusions
• Make privacy a priority – ensure that privacy
is embedded into your systems and
operational processes – into your business practices;
• It is easier and far more cost-effective to build
in privacy up-front, rather than after-the-fact;
• Privacy risks are best managed by proactively
embedding the principles of Privacy by Design;
• Get smart – lead with Privacy – by Design, not
privacy by chance or, worse, Privacy by Disaster!
35. How to Contact Us
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada
M4W 1A8
Phone: (416) 326-3948 / 1-800-387-0073
Web: www.ipc.on.ca
E-mail: info@ipc.on.ca
For more information on Privacy by Design,
please visit: www.privacybydesign.ca
Editor's Notes
Presentation Outline
Paradigm Shift
Why We Need PbD
Positive-Sum, Not Zero-Sum
Compliance alone is unsustainable as the sole model for ensuring the future of privacy; for that, we must turn to proactive measures such as Privacy by Design: embedding privacy proactively into the core of all that we do. Lessig Book – Code: Version 2.0 Further, the average individual’s “information footprint” (digitization of entertainment, healthcare, security, and retail preferences) will grow from 1 terabyte per year to more than 16 terabytes by 2020. — IBM Press Release, September 8, 2008. The collection of personal information is not going to stop or decline. In fact, it will only continue to grow exponentially. Legislation can be proactive by requiring certain practices and standards; arranging for audits; providing incented activities; and by ensuring that certain large organizations, such as government departments themselves, will become models for the required change and activity - so maybe the contrast is not between legislation and PbD, but between proactive and reactive approaches, with Privacy by Design being the best model for the proactive approach.
Positive-Sum Model
PbD – Build It In
A Positive-Sum (or “win-win” or “non zero-sum”) paradigm, by contrast, describes a concept or situation in which participants can all gain or suffer together. That is, the sum of gains and losses by the participants is always more or less than what they began with, depending on their choices and behaviour. If privacy and security are not a ‘zero sum game’, and if we need to ensure strong security and strong privacy, what are we left with? We can’t leave privacy to policies and procedures alone, as that ignores the reality of the systems in which so much personal information resides. We can’t focus on security alone, as I talked about earlier. There isn’t a balance to be sought. What is required is a WIN-WIN situation, in which strong privacy policies mutually reinforce a strong security focus. “We need better options for securing the Internet. Instead of looking primarily for top-down government intervention, we can enlist the operators and users themselves.” — Jonathan Zittrain, Freedom and Anonymity: Keeping the Internet Open, Scientific American, February 24, 2011
Privacy by Design
Jerusalem Resolution
I first developed the concept of Privacy by Design in the ’90s, as a response to the growing threats to online privacy that were beginning to emerge; Privacy by Design seeks to build in privacy – up front, right into the design specifications; into the architecture; embedding privacy into the very technology used – bake it in; Data minimization is key: minimize the routine collection and use of personally identifiable information – use encrypted or coded information, whenever possible; Use privacy-enhancing technologies (PETs) where possible, but make it PETs Plus, invoking a positive-sum paradigm, and giving people maximum control over their own data.
PbD – 7 Foundational Principles
PbD in 29 Languages
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not Zero-Sum
5. End-to-End Lifecycle Protection
6. Visibility and Transparency
7. Respect for User Privacy
Privacy in Advertising and Marketing
PIPEDA
Report of Advertising Standards Canada
Online behavioural advertising may be considered a reasonable purpose under PIPEDA, provided it is carried out under certain parameters, and is not made a condition of service for accessing and using the Internet, generally. PIPEDA defines personal information as “information about an identifiable individual”. Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information. PIPEDA requires an individual’s knowledge and consent for the collection, use, or disclosure of personal information. PIPEDA also requires that the purposes for which an individual’s information is to be collected, used or disclosed be explained in a clear and transparent manner. In addition, PIPEDA does recognize that the form of consent can vary: for example, express consent (opt-in) when dealing with sensitive information, and implied consent (opt-out) when the information is less sensitive. It is important to note that the sensitivity of information depends on the nature of the information and the context in which it is being collected, used or disclosed. Opt-out consent for online behavioural advertising could be considered reasonable providing that:
• Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their online behavioural advertising practices, by using a variety of communication methods, such as online banners, layered approaches, and interactive tools;
• Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in online behavioural advertising;
• Individuals are able to easily opt-out of the practice – ideally at or before the time the information is collected;
• The opt-out takes effect immediately and is persistent;
• The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
• Information collected and used is destroyed as soon as possible or effectively de-identified.
Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent. Therefore, if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes. At present, this could include, for example, so-called zombie cookies, super cookies and device fingerprinting.
Consumers Favour DNT
As part of the report, the group is recommending a four-step process for building trust with consumers. These four elements are: control (ensuring people know what will happen to their information); choice (allowing people to choose what information to hold back from marketers); commitment (making people aware of privacy and security policies); and compensation (helping people understand "what's in it for me" if they share information).
Microsoft DNT
Berkeley Survey on Online Privacy
Quote from Chris Hoofnagle – Director of Berkeley Center
Would you allow a social networking app to collect your contact list in order to suggest more friends?
The FTC has called for consumers to be given a simple “Do Not Track” mechanism that would allow them to choose whether they want to allow websites to collect information about their Internet activity and use it to deliver targeted advertisements and for other purposes. The FTC specifically recommends a mechanism that would be practical, and would probably involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices (see the FTC’s 2010 preliminary staff report and 2012 Privacy Report: Balancing Privacy and Innovation). FTC’s DNT would consist of the following five elements:
1. A Do Not Track system should be implemented universally to cover all parties that would track consumers.
2. The choice mechanism should be easy to find, easy to understand, and easy to use.
3. Any choices offered should be persistent and should not be overridden if, for example, consumers clear their cookies or update their browsers.
4. A Do Not Track system should be comprehensive, effective, and enforceable. It should opt consumers out of behavioral tracking through any means and not permit technical loopholes.
5. An effective Do Not Track system should go beyond simply opting consumers out of receiving targeted advertisements; it should opt them out of collection of behavioral data for all purposes other than those that would be consistent with the context of the interaction (e.g., preventing click-fraud or collecting deidentified data for analytics purposes).
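The PIPEDA opt-out conditions in the Advertising Standards Canada note (immediate, persistent opt-out; non-sensitive information only) and the FTC's five DNT elements above describe what a site must do once a user's preference reaches it. The following is an added illustration of the server-side half of that, not code from the presentation or from any product it mentions. It assumes a generic request represented as header and cookie dictionaries; the `DNT: 1` request header and the `Tk` response header (`N` = not tracking, `T` = tracking) come from the W3C Tracking Preference Expression draft, while the `ad_optout` cookie name, the `optout=1` query parameter and the category lists are constructed for the example.

```python
"""Honouring a Do Not Track signal and a persistent opt-out on the server.

Added example (not from the presentation). Assumes a generic web request
given as dicts; `DNT` and `Tk` are W3C TPE header names, everything else
(cookie name, query parameter, category lists) is a constructed placeholder.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Mapping, Optional

OPT_OUT_COOKIE = "ad_optout"            # constructed placeholder name
OPT_OUT_MAX_AGE = 5 * 365 * 24 * 3600   # five years, in seconds (constructed choice)

# Interest categories never used for targeting, whatever the tracking
# decision (constructed list; matches the "non-sensitive only" condition).
SENSITIVE_CATEGORIES = frozenset({"health", "medical", "religion", "sexuality", "finance"})


@dataclass
class Decision:
    track: bool                 # may behavioural data be collected on this request?
    reason: str                 # which rule decided
    categories: List[str]       # interest categories permitted for targeting
    response_headers: Dict[str, str] = field(default_factory=dict)
    set_cookies: List[str] = field(default_factory=list)


def opt_out_cookie_header() -> str:
    """Set-Cookie line for a long-lived opt-out that survives browser restarts."""
    return (f"{OPT_OUT_COOKIE}=1; Max-Age={OPT_OUT_MAX_AGE}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def decide_tracking(headers: Mapping[str, str],
                    cookies: Mapping[str, str],
                    query: Optional[Mapping[str, str]] = None,
                    page_categories: Iterable[str] = ()) -> Decision:
    """Return the tracking decision for one request, most protective rule first."""
    h = {k.lower(): v.strip() for k, v in headers.items()}   # header names are case-insensitive
    query = query or {}
    safe = [c for c in page_categories if c.lower() not in SENSITIVE_CATEGORIES]

    # 1. Explicit opt-out action (e.g. the user clicked an "opt out" link):
    #    takes effect on this very response and is persisted with a cookie.
    if query.get("optout") == "1":
        return Decision(False, "explicit opt-out request", [],
                        {"Tk": "N"}, [opt_out_cookie_header()])

    # 2. A previously stored opt-out cookie.
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return Decision(False, "persistent opt-out cookie", [], {"Tk": "N"})

    # 3. The browser's DNT preference. Unlike a cookie it is not lost when the
    #    user clears site data, so it is checked even when no cookie is present.
    if h.get("dnt") == "1":
        return Decision(False, "DNT: 1 request header", [], {"Tk": "N"})

    # 4. No opt-out signal: tracking permitted, but only on non-sensitive
    #    categories, and the Tk header discloses that tracking is taking place.
    return Decision(True, "no opt-out signal", safe, {"Tk": "T"})


if __name__ == "__main__":
    # Constructed requests: a DNT browser, a plain request on a mixed page,
    # and a user clicking the opt-out link.
    for hdrs, ck, q in [({"DNT": "1"}, {}, None),
                        ({}, {}, None),
                        ({}, {}, {"optout": "1"})]:
        print(decide_tracking(hdrs, ck, q, ["sports", "health"]))
```

The order of the rules matters: the opt-out cookie and the DNT header are independent signals, so a site that only checks its own cookie silently resumes tracking after the user clears cookies, which is exactly the failure the FTC's third element rules out. Returning `Tk: N` on every non-tracking branch gives the client something it can verify.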
Would you allow a coupons app to collect your contact list in order to offer coupons to your contacts?
Would you allow your cell phone provider to use your location to tailor ads to you?
IPC Paper – Applying Privacy into Marketing
Permission-Based Marketing
Why Privacy is Good for Business
The Privacy Dividend
Bering Media – IP Geolocation
Taking a more resolute approach to protecting privacy could increase the magnitude of the benefits well beyond any increase in costs. This approach is sometimes referred to as “privacy by design.” How the organisation handles people’s personal information is central to the degree of trust on which the relationships the organisation has with the people it serves are based. Protecting privacy builds trust and strengthens those relationships, making them more long-lasting and productive. It also strengthens the organisation’s reputation and that helps to attract new customers. In the words of Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada, (show book – “Privacy Payoff”) “The ‘payoff’ to privacy-respecting organisations is ... ultimately, enduring competitive advantage. In a world of increasingly savvy and inter-connected customers, an organisation’s approach to privacy may offer precisely the competitive advantage needed to succeed.”
The Bottom Line
The Internet and its associated marketing practices have rapidly evolved, to a point where much of the online advertising is provided by companies with whom the individual does not have a direct business relationship. And yet, such companies collect and manage a great deal of data about individuals. This has opened up a broad and ongoing debate in the area of privacy and online targeted advertising. The purpose of this paper is to explore new, original contributions to this discussion, highlighting the solutions made possible through a combination of innovative thought and “baked-in” privacy – which I call Privacy by Design. The subject of targeted advertising brings with it a host of privacy issues, from those directly connected with the practice (the tracking of online behaviours, the use of location data as reported by mobile devices, etc.) to broader, Internet-wide topics (IP address as personal information, etc.). Privacy choices and consumer trust have remained at the forefront of these concerns. In this paper, we focus on a single facet of targeted advertising – the developing area of precise IP geolocation, and the potential role of ISPs in the ad serving model. In particular, we describe the work of Ontario company Bering Media, Inc. Bering Media set out to develop an innovative technology to allow ISPs that have made the decision to partner with an ad server to provide IP geolocation services, to do so with zero disclosure of potentially personally identifiable information about subscribers. This would further allow the ISP to partner with an ad server without the need for reading or modifying any packets travelling through the ISP’s network.
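Slide 26 lists “minimum-match thresholds / anti-inference algorithms” among the privacy properties of Bering Media's IP geolocation design, and the note above states the goal: the ISP answers an ad server's geographic questions with zero disclosure of subscriber information. The page does not describe the algorithms themselves, so the following is an added illustration of one common way to implement those two ideas, not Bering Media's code or design. It assumes the ISP keeps subscriber locations in-house and answers a per-region yes/no only; the threshold `K_MIN`, the subscriber records and the bounding boxes are constructed for the example.

```python
"""Minimum-match threshold with an anti-inference check for ISP-side
geolocation ad matching.

Added example; not Bering Media's code. Assumptions: the ISP holds
subscriber coordinates, the ad server asks "is this region worth
targeting?" and receives only True/False, and K_MIN, the subscriber
sample and the regions are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

K_MIN = 5  # minimum-match threshold (constructed choice)

# Bounding box in degrees: (min_lat, min_lon, max_lat, max_lon)
Region = Tuple[float, float, float, float]


@dataclass(frozen=True)
class Subscriber:
    sub_id: str   # never leaves the ISP
    lat: float
    lon: float


class IspGeoMatcher:
    """Runs inside the ISP; the ad server only ever sees booleans."""

    def __init__(self, subscribers: Iterable[Subscriber], k: int = K_MIN):
        self._subs = list(subscribers)
        self._k = k
        self._answered: List[Set[str]] = []  # member sets of queries answered True

    def _members(self, region: Region) -> Set[str]:
        min_lat, min_lon, max_lat, max_lon = region
        return {s.sub_id for s in self._subs
                if min_lat <= s.lat <= max_lat and min_lon <= s.lon <= max_lon}

    def campaign_match(self, region: Region) -> bool:
        """True only if the region can be targeted without singling anyone out.

        False covers both "too few subscribers" and "refused for inference
        risk", so the caller cannot tell which rule fired.
        """
        members = self._members(region)
        # Rule 1: minimum-match threshold. Fewer than k subscribers would let
        # a positive answer identify a small group, so refuse.
        if len(members) < self._k:
            return False
        # Rule 2: anti-inference. If this region differs from a previously
        # answered one by fewer than k subscribers, comparing the two answers
        # would reveal something about that small group, so refuse.
        for previous in self._answered:
            differing = members ^ previous          # symmetric difference
            if 0 < len(differing) < self._k:
                return False
        self._answered.append(members)
        return True


# Constructed subscriber sample: six near one city centre, two elsewhere.
SAMPLE_SUBSCRIBERS = [
    Subscriber("s1", 43.65, -79.38), Subscriber("s2", 43.66, -79.39),
    Subscriber("s3", 43.67, -79.40), Subscriber("s4", 43.68, -79.41),
    Subscriber("s5", 43.69, -79.42), Subscriber("s6", 43.70, -79.43),
    Subscriber("s7", 45.42, -75.69), Subscriber("s8", 45.43, -75.70),
]

CITY_BOX: Region = (43.60, -79.50, 43.80, -79.30)      # contains s1..s6
SMALL_BOX: Region = (45.40, -75.80, 45.50, -75.60)     # contains s7, s8 only
SHAVED_BOX: Region = (43.655, -79.50, 43.80, -79.30)   # CITY_BOX minus s1


def demo() -> List[bool]:
    """Three queries in sequence; the third is refused by the anti-inference rule."""
    matcher = IspGeoMatcher(SAMPLE_SUBSCRIBERS)
    return [matcher.campaign_match(CITY_BOX),    # True: 6 subscribers >= 5
            matcher.campaign_match(SMALL_BOX),   # False: only 2 subscribers
            matcher.campaign_match(SHAVED_BOX)]  # False: differs from CITY_BOX by one subscriber


if __name__ == "__main__":
    print(demo())
```

The third query is the instructive one: it has enough subscribers on its own, yet answering it next to the first query would disclose whether a single subscriber lives in the sliver that was cut off. A threshold alone does not catch that; the comparison against earlier answers does, which is why the slide lists anti-inference separately from the minimum match.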
Costs of Privacy Breach
Consumer Choice and Privacy
A U.S. study found that the cost of a data breach was $202 per record; the average cost per operating company was more than $6.6 million per breach. — 2008 Annual Study: Cost of a Data Breach, Ponemon Institute, February 2009.
• Legal liabilities, class action suits;
• Loss of client confidentiality and trust;
• Diminution of brand and reputation;
• Loss of customers, competitive edge;
• Penalties and fines levied;
• Costs of crisis management, damage control, review and retrofit of information systems, policies and procedures.
Consumers Willing to Pay for Privacy
It’s All About Trust
The study -- by Janice Y. Tsai, Serge Egelman, Lorrie Cranor, and Alessandro Acquisti of Carnegie Mellon University -- appears in the current issue of the INFORMS journal Information Systems Research. The authors note that most online privacy policies are difficult for consumers to use and are often overlooked. Challenging a predominant belief that consumers would not sacrifice for greater Internet privacy, they designed their research to determine if consumers would pay extra to make a purchase at an online store whose privacy policy was medium to high and could easily be determined. The authors invited a different set of participants to test a new search engine in an experimental setting. These participants were asked to search for and purchase products online using the search engine shopping interface. Participants were randomly assigned to three groups: one group did not see any privacy meter icons associated with the search engine results; one group saw the icons, but was told that they were indicators for the degree of "handicap accessibility" of the website (a characteristic chosen as a "control" condition precisely for its irrelevancy to most consumers' online decision processes); the last group saw the icons and were indeed told that they were indicators for the degree of privacy protection offered by the website. Because participants used their own credit cards to pay for the products, their personal information was exposed to real merchants during the study. The websites were real merchant sites. Purchasing either item forced individuals to reveal personal information (their credit card number) to unknown merchants.