4imprint.com
1 Powell, Kenton, and Greg Chen. "NSA Files Decoded: Edward Snowden's Surveillance Revelations Explained." The Guardian. N.p., n.d. Web. 13 Nov. 2013. <http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded>.
2 Meece, Mickey. "President Obama's Consumer Privacy Bill of Rights." Forbes. Forbes Magazine, 23 Feb. 2012. Web. 14 Nov. 2013. <http://www.forbes.com/sites/mickeymeece/2012/02/23/president-obamas-consumer-privacy-bill-of-rights/>.
2013 4imprint, Inc. All rights reserved
Commission Act Section 5 which bars unfair and deceptive acts and practices in or affecting commerce. In addition to the FTC Act, there are 33 other laws, rules and guides that provide the agency with enforcement authority to protect consumers' privacy. It's a lot to take in and can leave many organizations wondering what they should be doing to protect consumer data within the confines of the law.

This Blue Paper looks at the landscape of consumer privacy and security, particularly how it applies to U.S. corporations. The paper begins with a synopsis on consumer data and a review of the current landscape of privacy controls in the United States. The paper also highlights the directives from the Federal Trade Commission and the suggested best practices corporations should implement to protect consumer data. The final section explores some of the privacy controls in other countries, and how they may impact U.S. corporations that operate globally.

Prepare for a journey into a maze of confusion, because privacy and security online is a moving target, but there are some things your corporation should know to be in compliance and protect consumer data appropriately.
doing things like clearing cookies or encrypting email.3 Another 55 percent have taken steps to avoid observation by specific people, organizations or the government.

Other data shows that Americans use mobile technology more than ever and they are selective when using apps that require personal information. Pew Internet revealed that:
- 88 percent of U.S. adults own a cell phone;
- 43 percent download cell phone applications to their phones;
- 54 percent of app users decided not to install a cell phone app when they discovered how much personal information they would need to share in order to use it; and,
- 30 percent of app users have uninstalled an app because they learned it was collecting personal information they didn't wish to share.4

Moreover, a representative survey of 792 Internet users found that a number of users say they have experienced problems because others stole their personal information or otherwise took advantage of their visibility online. In particular:
- 21 percent of Internet users have had an email or social networking account compromised or taken over by someone else without permission; and,
- 11 percent have had important personal information stolen such as their social security number, credit card or bank account information.

According to Lee Rainie, Director of the Pew Research Center's Internet Project, "[users] clearly want the option of being anonymous online and increasingly worry that this is not possible."5
part, U.S. consumers are forced to rely on the promises from businesses and local governments that their information will not be sold or given away to other entities. These promises, however, are not legally binding and are often broken without consequence.6

In the United States, a host of loosely defined consumer privacy laws and regulations seek to protect any individual from loss of privacy due to failures or limitations of corporate customer privacy measures. Privacy concerns exist whenever data relating to a person or persons are collected and stored. Many of the privacy protection policies in the United States are dictated by the Electronic Communications Privacy Act, which was passed in 1986, before the Internet was a reality. Today, for the most part, regulations that dictate how companies must maintain and protect consumer information are driven by the Federal Trade Commission.

Indeed, protecting consumer privacy is a hot topic, and one that the Federal Trade Commission (FTC) takes seriously. In 2012, Google and the FTC agreed to a $22.5 million settlement, the largest penalty in the agency's history, on charges that Google misrepresented its actions to users of Apple's Safari browser.7 Specifically, the FTC charged that Google placed tracking cookies on users' computers, in some cases working around the privacy settings within the browser. In the settlement, Google agreed not to misrepresent its privacy policies to consumers.

FTC Chairman Jon Leibowitz said that the penalty highlights the agency's commitment to enforcing its orders on privacy. "The record-setting penalty in this matter sends a clear message to all companies under an FTC privacy order," Leibowitz said. "No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place."
To rein in some of the debate, in March 2012, the Federal Trade Commission released a report on "Protecting Consumer Privacy in an Era of Rapid Change" that outlines some best practices for businesses to help protect the privacy of American consumers.8 It outlines methods that give consumers greater control over the collection and use of personal data. The report expands on a directive from December 2010, which proposed a framework for consumer privacy in light of
6 Harris, Maryls. "Why Doesn't the State Protect Our Online Privacy? It's Not as Easy as You Think." MinnPost. N.p., 11 Nov. 13. Web. 15 Nov. 2013. <http://www.minnpost.com/politics-policy/2013/11/why-doesn-t-state-protect-our-online-privacy-it-s-not-easy-you-think?utm_source=MinnPost-RSS>.
7 Tsukayama, Hayley. "Google Settles FTC Privacy Case for $22.5 Million, Agency's Largest Penalty." Washington Post. The Washington Post, 10 Aug. 2012. Web. 14 Nov. 2013. <http://www.washingtonpost.com/blogs/post-tech/post/google-settles-ftc-privacy-case-for-225-million-agencys-largest-penalty/2012/08/09/e048f6a2-e236-11e1-a25e-15067bb31849_blog.html>.
8 United States. Federal Trade Commission. "Protecting Consumer Privacy in an Era of Rapid Change." Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.
new technologies that allow more sophisticated data collection and information sharing. If you don't have time (or inclination) to read the 112-page report, it can be broken down into three basic categories your organization should reevaluate to make sure you are doing the right things. These include privacy by design, simplified consumer choice and transparency.
services include technologies or features that drive privacy and data protection. In addition, the company is constantly researching new privacy features in computer science and software engineering. Part of the Microsoft strategy incorporates outreach to customers, industry leaders, civil society and governments in order to establish standards and policies that can help people and organizations better manage and protect personal information.

Another good example of privacy by design is found in Google's social network, Google+. With Google+, contacts are placed in nonpublic circles and users are asked to designate the circle to share with for every post they make.12 Circles might include friends, colleagues or family, but users are responsible for denoting what circles receive information for every post they make.

Apple's iPhone incorporated privacy by design methods by adding a purple arrow icon that appears on the screen letting a user know when their location information is being sent to an app. The idea is to make sure users are aware when sensitive information is shared.

At a minimum, companies should review what they are doing in terms of privacy by design. Does your company embed privacy and data protection throughout the lifecycle of every process? Is user data private by default? Reviewing these questions is critical to make sure your corporation adheres to the basic principles of privacy by design.

There are a number of online resources that can help you define and implement privacy by design. Consider downloading a document from the Information and Privacy Commissioner on "Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices." In addition, the Center for Democracy and Technology Online also has a helpful section on privacy by design that walks companies through basic understanding and implementation.
How can you simplify consumer choice? It's really about providing consumer choices in "just in time" scenarios. Whether the behavior is online, such as the site where an online consumer is providing personal data, or offline, such as requiring the cashier to ask the customer whether he or she would like to receive marketing offers from other companies, it's important to present consumers with the ability to make meaningful choices at the point when the consumer is providing data or engaging with the company. Companies should also offer one choice at a time and obtain affirmative express consent before using consumer data.

That said, the FTC noted that there are some commonly accepted practices where a company is not required to seek consumer consent. These include the following:
- Product and service fulfillment: Websites collect contact information for shipping requests and credit card information for payment.
- Internal operations: Hotels and restaurants collect customer satisfaction surveys to improve their customer service. Websites collect information about visits and click-through rates to improve site navigation.
- Fraud prevention: Offline retailers check driver's licenses when consumers pay by check to monitor against fraud. Online businesses also employ fraud-detection services to prevent fraudulent transactions.
- Legal compliance and public purpose: Search engines, mobile applications and pawn shops share their customer data with law enforcement agencies in response to subpoenas. A business reports a consumer's delinquent account to a credit bureau.
- First-party marketing: Online retailers recommend products and services based upon consumers' prior purchases on the website. Offline retailers do the same and may, for example, offer frequent purchasers of diapers a coupon for baby formula at the cash register.

For now, if your organization is collecting consumer information in the above areas, consent is not required.
However, a good faith practice is to inform the consumer how and why information is gathered whenever possible. Of course, it's always a best practice to make sure you obtain consent when requiring information, and to offer simple and meaningful choices to consumers.
whether to be tracked across other parties' websites (including affiliates' websites). Many companies have made strides in this area to assist consumers in controlling what information is accessible and for what purposes, but the FTC encourages continued progress and more complete implementation of consumer control mechanisms. The FTC established a workgroup of several companies to further develop controls that can be adopted universally.

The FTC suggests that Do Not Track should be put into effect through legislation or robust self-regulation, but it is not legally binding. The framework states that the most practical method to apply this function would likely involve placing a setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.

Last year, a standardized Do Not Track feature implemented by some organizations allowed consumers to opt out of receiving targeted ads from up to 114 third-party advertisers. A million people used the tool and more than 5 million visited the site for information about online ads.14 Right now, you can select Do Not Track options in Firefox, Internet Explorer and Safari, which send messages to websites that users do not want to be followed online with cookies or other mechanisms.

Some companies are being proactive when it comes to adding Do Not Track features. You can check out Firefox, for example, and its defined Do Not Track options online. Twitter is another company that receives high marks for Do Not Track compliance. The company gives users the option to opt out of being tracked and provides easy-to-follow directions on how to do it.
Also, Twitter recently fought a court order asking for users' data, which demonstrates a commitment to protecting user privacy as a whole.15 It's not a bad idea to check out what other companies are doing with Do Not Track to get some ideas for your own organization.

Keep in mind though, the Do Not Track feature is unresolved and there is no consensus on what should be included and how companies should be required to use it. A working group on the issue is affiliated with the World Wide Web Consortium (W3C), the official custodian of Web standards. The collection of ad companies, privacy advocates and outside experts convened to settle the longstanding debate about consumer privacy and determine the future of advertising technology. The working group is stalled on a number of issues,
14 Fung, Brian. "The Internet's Best Hope for a Do Not Track Standard Is Falling Apart. Here's Why." The Switch: Where Technology and Policy Connect. The Washington Post, 11 Oct. 2013. Web. 15 Nov. 2013. <http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/11/the-internets-best-hope-for-a-do-not-track-standard-is-falling-apart-heres-why/>.
15 Wagstaff, Keith. "Grading How Well Companies Are Cooperating with Do Not Track | TIME.com." Time. Time, 12 May 2012. Web. 26 Nov. 2013. <http://techland.time.com/2012/05/21/grading-how-companies-are-cooperating-with-do-not-track/>.
including the obligations advertising companies have with regard to online tracking and what the word "tracking" even means. The Electronic Frontier Foundation asked for the group to disband, citing lack of agreement and loss of confidence in the process. At issue is the fact that although the opt-out function is meant to guarantee the end of targeted advertising, it doesn't rule out the collection of consumer data. As of October 2013, the future of Do Not Track negotiations is delayed, pending the establishment of Do Not Track guidelines and steps for compliance.
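Browsers convey the Do Not Track setting described above to each site as a `DNT` request header. As an added example (not part of the original paper), this Python WSGI middleware honors that header by dropping tracking cookies and skipping behavioral logging, which covers both the targeted-ad and the data-collection sides of the opt-out; the cookie names, the `privacy.tracking_allowed` key and the demo app are assumptions made for illustration.

```python
# Added example: honoring the browser's Do Not Track (DNT) request header.
# Cookie names, the environ key and the demo app are hypothetical.

TRACKING_COOKIES = {"ad_id", "xsite_uid"}  # assumed ad-tracking cookie names
EVENT_LOG = []                              # stands in for a behavioral-data store


def dnt_preference(environ):
    """True = user opted out, False = user allows tracking, None = no preference."""
    value = environ.get("HTTP_DNT", "").strip()
    if value == "1":
        return True
    if value == "0":
        return False
    return None  # header absent or malformed: no preference expressed


def cookie_name(set_cookie_value):
    """Name part of a Set-Cookie header value ("name=value; attributes")."""
    return set_cookie_value.split("=", 1)[0].strip()


class DoNotTrackMiddleware:
    """Strips tracking cookies and flags the request when the user opts out."""

    def __init__(self, app, treat_unset_as_opt_out=False):
        self.app = app
        self.treat_unset_as_opt_out = treat_unset_as_opt_out

    def __call__(self, environ, start_response):
        pref = dnt_preference(environ)
        opted_out = pref is True or (pref is None and self.treat_unset_as_opt_out)
        # Downstream code checks this flag before collecting behavioral data.
        environ["privacy.tracking_allowed"] = not opted_out

        def filtered_start(status, headers, exc_info=None):
            if opted_out:
                headers = [
                    (k, v) for k, v in headers
                    if not (k.lower() == "set-cookie"
                            and cookie_name(v) in TRACKING_COOKIES)
                ]
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered_start)


def demo_app(environ, start_response):
    """Constructed app: sets a session cookie and a year-long ad cookie."""
    if environ.get("privacy.tracking_allowed"):
        EVENT_LOG.append(environ.get("PATH_INFO", "/"))  # behavioral collection
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=s1; HttpOnly; Path=/"),
        ("Set-Cookie", "ad_id=abc123; Max-Age=31536000; Path=/"),
    ])
    return [b"ok"]


def simulate(dnt_header=None, path="/shoes"):
    """Run one constructed request; return the cookie names the client receives."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if dnt_header is not None:
        environ["HTTP_DNT"] = dnt_header
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    b"".join(DoNotTrackMiddleware(demo_app)(environ, start_response))
    return [cookie_name(v) for k, v in captured["headers"]
            if k.lower() == "set-cookie"]


if __name__ == "__main__":
    print("DNT: 1 ->", simulate("1"))
    print("no DNT ->", simulate(None))
    print("events logged:", EVENT_LOG)
```

The session cookie survives the filter because it is needed to serve the request; only cookies listed as tracking cookies are removed.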
16 United States. Federal Trade Commission. "Protecting Consumer Privacy in an Era of Rapid Change." Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.
17 Ibid.
In 2012, Epsilon, another data collection agency, began providing customers with a paper report for a small fee that discloses all the data the company has collected on them. Likewise, BlueKai and Exelate, both companies that collect behavioral data for online ad targeting, are also providing data-transparency systems. The BlueKai registry aims to put consumers in control of their digital footprint by allowing consumers to see what preferences are being logged by other third-party data creators on their computer. As BlueKai states on its home page, it's a way to be transparent about what data companies think about your computer. Consumers can control their anonymous profile by managing topics of interest, changing preferences or choosing to opt out of future marketing efforts.

Michael Nadeau, the publisher of Data Informed, put together a list of things every company should tell its consumers regarding its data policies and collection.18 According to Nadeau, companies should share the following:
- exactly what data is being collected,
- how the data collection technology works,
- how the data is secured,
- why the data is collected,
- how the data is analyzed and reported,
- who is seeing the data, and
- how the collected data benefits the consumer.

Once your company outlines the answers to these questions, they should be circulated in a way that makes them easy for consumers to find. Providing the answers to simple questions like these helps promote full transparency and often puts consumers at ease regarding your data collection policies.
18 Nadeau, Michael. "To Win Consumer Trust, You Need Transparent Data Collection Policies." Data Informed: Big Data and Analytics in the Enterprise. N.p., 20 Sept. 2013. Web. 17 Nov. 2013. <http://data-informed.com/win-consumer-trust-need-transparent-data-collection-policies/>.
The Consumer Privacy Bill of Rights proposes the following:
- Individual control: Consumers have a right to exercise control over what personal information companies collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
- Respect for context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
- Focused collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

President Obama challenged companies to begin immediately working with privacy advocates, consumer protection enforcement agencies, and others under the direction of the Commerce Department to develop enforceable codes of conduct. The goal is for Congress to put those agreed-upon guidelines into law.

Thus far, the response to the bill has been varied. Some claim that the bill is largely aspirational because it does not create any enforceable obligations. In truth, the framework simply creates suggested guidelines for companies that collect personal data as a primary function of their business operations.
There is no legislation officially in place to monitor corporate behaviors, and as the administration recognizes, in the absence of legislation these are only general principles that afford companies discretion in how they implement them.19

As a corporation, you may be asking, what's next? That's a good question, and one that is not clearly answered. While the bill proposes a list of suggestions and ideas, it is not legally binding. Until more legislation is approved by Congress, the impact of the bill remains to be seen.
19 "We Can't Wait: Obama Administration Unveils Blueprint for a 'Privacy Bill of Rights' to Protect Consumers Online." The White House. N.p., 23 Feb. 2012. Web. 14 Nov. 2013. <http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights>.
What about privacy and security laws in the rest of the world?
Internet privacy laws across the globe vary from robust to non-existent to ambiguous. China has some of the strongest consumer privacy and security rules in the world. Effective in September 2013, China's Ministry of Industry and Information Technology (MIIT) passed strict regulations aimed to protect the personal information of telecommunication and Internet users. Companies are required to post personal information collection policies in their place of business (or online) and may not use personal information without explicit user consent. Organizations must also notify users regarding the collection, purpose, methods and scope of use when collecting personal information. These are considered binding requirements in China and legal action can be taken if a company violates the policy. However, China's Internet regulations are not applied to other countries.

The European Union (EU) also adopted strict data privacy laws. The EU's General Data Protection Regulation (GDPR) is applied to 28 member nations and is planned to take effect in 2016, after a two-year transition period. It harmonizes the current data protection laws in place across all EU member states. Basically, the GDPR establishes a regulatory framework that outlines a number of restrictions designed to protect the privacy of individuals and personal data within the European Union (EU). It also establishes strict limits on the collection and use of personal data, and demands that every EU state creates an independent national body responsible for the protection of these data. Among other things, the measure limits the tracking and profiling activities that allow for targeted advertising and gives consumers the ability to erase personal data. To ensure compliance, fines can be imposed that range anywhere from 0.5 percent to two percent of an organization's global sales.

Some companies are already taking note of the EU legislation.
Google, Microsoft, Apple and Facebook have already modified privacy policies as a result of the mandate. To be compliant with EU regulations, U.S. companies that operate in Europe must address what the EU calls the "right to be forgotten." It essentially means that the user owns his or her information and that the user has the right to prevent websites and other online services from keeping it and storing it. In short, it means providing a system that allows users to erase data after it has been collected.

U.S. companies will also need to gain explicit consent to share data. Currently in the U.S., everything from financial institutions to social networking sites shares user data with partners and advertising firms. According to the EU proposal,
users should decide if and when a company can share their data. That means American companies must become more upfront about exactly what data they are sharing and give users the opportunity to opt out of that sharing without being penalized.
20 Tucker, Catherine, and Avi Goldfarb. "Why Managing Consumer Privacy Can Be an Opportunity." MIT Sloan Management Review RSS. N.p., 19 Mar. 2013. Web. 26 Nov. 2013. <http://sloanreview.mit.edu/article/why-managing-consumer-privacy-can-be-an-opportunity/>.
21 Ibid.
Giving consumers power to control their data can increase their comfort with how companies use their data to improve their product offerings. The key for companies is to employ consumer-centric controls and to view them as an integral part of managing a positive customer relationship.

Another best practice is to avoid multiple intrusions. Ultimately, the fact that you can intrude on a consumer, by either using data or pushing content and pop-up ads, does nothing to obtain customer loyalty. In fact, the combination of multiple intrusive tactics usually backfires. Research shows that customers will accept one targeted intrusion (e.g. pop-up ads) but when it's combined with another intrusion (e.g. targeted advertising) it harms customer perceptions of the company. Below is a list of techniques to consider to avoid multiple intrusions:
- When using customer data to target messages, make sure that customers do not feel taken advantage of in other ways.
- Ads that target Web-browsing behavior are more effective if they do not intrude on the computer screen.
- Ads that pop up or take over a computer screen will be more effective if they do not also target prior Web-browsing behavior.
- Automated telephone messages feel more intrusive if they start with a robotized voice addressing the consumer by name.

Finally, consider using automation to prevent human intrusion. Consumers are more comfortable when a machine processes their personal data than when a person does. Automated systems search habits, buying patterns and trends, and do not pass judgment on consumer behavior. As a result, consumers find it's much easier to forgive an automated system for sending dieting tips than an actual person.

The idea is to assure consumers that their privacy, particularly consumer privacy, is valued by your organization. A best practice is to reinforce an informal culture in which privacy is respected and privacy violations are punished internally.
Overall, companies have an opportunity to demonstrate to consumers that they care about privacy issues. As noted in the MIT article: "Companies [need to] shift from thinking about privacy as a compliance burden to thinking of treating data with courtesy as a fundamental part of the relationship with their customers. Privacy policies should be organized around managing customer data courteously, in accordance with consistent principles that customers feel comfortable with."22
22 Ibid.
What's next?
The rapid growth of technology, the Internet and electronic commerce has sparked a debate on privacy and security that will continue to evolve. Privacy issues are at the forefront for government agencies, businesses, politicians and the public. No doubt the debate will continue and more changes will be required. Until then, it's a good idea to make sure your company is doing all it can to promote transparency, consumer choice and privacy by design.

If you haven't already, review your privacy policies and make sure they are in sync with the latest legislative requirements. There are a number of organizations that conduct a privacy audit and a basic Internet search will yield several experts in the area. For example, The American Library Association provides a number of free resources that can help you get started. There's also a Privacy Toolkit that walks companies through the basics of evaluating your privacy strategy.

Whatever you do, it's a good idea to do it soon. Privacy and security online is a moving target, but one that demands your attention. If anything, the controls will only get stronger as more legislation is introduced. If you rein in privacy controls now, you'll be ready for whatever comes next.
4imprint serves more than 100,000 businesses with innovative promotional items throughout the United States, Canada, United Kingdom and Ireland. Its product offerings include giveaways, business gifts, personalized gifts, embroidered apparel, promotional pens, travel mugs, tote bags, water bottles, Post-it Notes, custom calendars, and many other promotional items. For additional information, log on to www.4imprint.com.