What's Left in The Cookie Jar? - EU & US ePrivacy Laws
Transcript of What's Left in The Cookie Jar? - EU & US ePrivacy Laws
US and EU privacy rules share a strong common history, although you wouldn't know it looking at the current state of privacy protections. How did we get here? What do you need to do to protect your business in the future?
© 2011 Marketo, Inc. Marketo Proprietary and Confidential
Global 'State-of-Nation'
• "Online tracking technologies have eroded privacy to an unacceptable position"
• How have the US and EU ..
  o Lawmakers
  o Technology companies
  o Regulators
  o Self-regulators
  o Marketers
  o Individuals
.. reacted, and what are the IMPLICATIONS for marketers?
It's a simple problem really...
CRM #1
• Target is male
• Target is 45
• Target reads the Guardian online
• Target has three children
• Target's car insurance expires on 31.1.12
CRM #2
• Duncan is male
• Duncan is 45
• Duncan reads the Guardian online
• Duncan has three children
• Duncan has purchased Viagra online
• Duncan's car insurance expires on 31.1.12
Join the two records on the attributes they share and the anonymous 'Target' becomes Duncan, with his medical purchase now attached to a named individual.
EU AND US LAW
Compared and contrasted approaches
Electronic Communications Framework
• Framework Directive 2002/21/EC
• Access Directive 2002/19/EC
• Authorisation Directive 2002/20/EC
• Universal Service Directive 2002/22/EC
• Directive on privacy and electronic communications 2002/58/EC
The framework was amended ('bundled') by Directive 2009/136/EC, the 'Citizens' Rights Directive'. The amended Article 5(3) of 2002/58/EC (confidentiality of communications) moves the storing of, or access to, information on a user's terminal equipment from an opt-out regime to opt-in consent.
Amended UK Law (PEC Regs: the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended in 2011)
6(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment--
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
'Affirmative Question' equals disruption and is bad for business
• DCMS (UK Gov) does NOT propose asking an affirmative question to 'harvest consent'
• A combination of enhanced browser settings and enhanced information WILL BE SUFFICIENT to meet the requirements of opt-in consent
Amended UK Law, LOTS of words!
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Common History
Both EU and US privacy regulations are based on:
Fair Information Practices
• Notice/Awareness (fundamental principle): give consumers notice of an entity's information practices before any personal information is collected from them (no secret data-collection systems).
• Choice/Consent: give consumers options as to how any personal information collected from them may be used.
• Access/Participation: give consumers the ability both to access data about themselves (i.e. to view the data in an entity's files) and to contest that data's accuracy and completeness.
• Integrity/Security: data should be accurate and secure.
• Enforcement/Redress: the above core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.
Fair Information Practices in US law
• Privacy Act (1974, applies to Federal agencies)
• Family Educational Rights & Privacy Act (1974)
• Right to Financial Privacy Act (1978)
• Cable Communications Policy Act (1984)
• Electronic Communications Privacy Act (1986)
• Employee Polygraph Protection Act (1988)
• Video Privacy Protection Act (1988)
• Telephone Consumer Protection Act (1991)
• Driver's Privacy Protection Act (1994)
• Health Insurance Portability & Accountability Act (1996)
• Children's Online Privacy Protection Act (1998)
• Gramm-Leach-Bliley Act (1999)
• CAN-SPAM (2003)
• Fair & Accurate Credit Transactions Act (2003)
US Law Making
• Bills before Congress
  o John Kerry (D) & John McCain (R): The Commercial Privacy Bill of Rights Act of 2011 (Senate)
  o Jay Rockefeller (D): Do-Not-Track Online Act of 2011 (Senate)
  o Jackie Speier (D): Do Not Track Me Online Act of 2011 (House)
• Politics is politics, e.g. the hearing "Internet Privacy: The Impact and Burden of EU Regulation"
  o Sept 15 (2011): the House Subcommittee on Commerce, Manufacturing and Trade
  o Chaired by Mary Bono Mack (R)
THE ‘REGULATORS’
Who are they and what are they saying?
EU: Regulators
• WHO: the national data protection authorities (Information Commissioners) and the Article 29 Working Party
• SAYING WHAT: 95/46/EC (the Data Protection Directive) is under review. "In the reform I [Viviane Reding] want to introduce four important changes:"
  o "Companies outside the EU - if they directly target their activities to EU citizens - will need to abide to the new EU data protection rules"
Article 29 Working Party
• A29's advisory status is set to be tested
• Its July 2011 'Opinion 15/2011' (on the definition of consent) sets it on a collision course with businesses and the UK Government:
  o whenever consent is required, it must be obtained before the data processing starts
  o consent based on the lack of individuals' action, for example through pre-ticked boxes, does not meet the requirements of valid consent under Directive 95/46/EC
US Regulators
• FTC
  o Do Not Track List
  o Opt-out of 3rd party tracking
• US Dept of Commerce
  o Green Paper
  o Baseline federal privacy regulation (no more patchwork of local & state laws)
  o Enforcement Dept (within Commerce Dept)
• Patchwork of state & local regulators, e.g. data breach notification regulations are at the state level
US Self Regulators
• OTA – Online Trust Alliance
• IAB - Interactive Advertising Bureau
• NAI - Network Advertising Initiative
• DAA - Digital Advertising Alliance
• BBB - Better Business Bureau
• AAAA - American Association of Advertising Agencies
• TRUSTe
Online Trust Alliance - https://otalliance.org/
THE MARKETERS AND CITIZENS
Are they saying anything?
EU: The Marketers
• Any big brands set out their stall yet?
EU: The Citizen
• Emerging qualitative data: participants were given the choice to buy a DVD from one of two online stores
  o One store consistently required more sensitive personal data than the other
  o When prices were identical, participants bought from both shops equally often
THE TECHNOLOGY RESPONSE
What’s being done?
US Technology Response
In many ways the organizations leading current US privacy developments are US technology providers.
• Do Not Track (DNT) header
  o Firefox first…
  o then Microsoft…
  o then Apple…
  o then… (we're looking at you, Google)
Will Norway-based Opera also get with this US program?
US Technology Response
• Open question on what DNT means
  o No tracking whatsoever: how do you make web apps and services work (shopping baskets)?
  o Anonymous tracking only: still breaks many web apps; reduces revenue from ad-supported content
  o No 3rd party tracking: FTC alignment; is this what consumers think?
  o Apply opt-outs: how do we explain this one to consumers?
OUR ADVICE
So what are the implications?
What are our recommendations?
US Marketers – 5 Steps to Be Prepared
1. Define your Do Not Track program
2. Record DNT header meta-data for audit purposes
3. Get Safe Harbor certified
4. Make sure the partners you share data with are Safe Harbor certified
5. Secure your data
o There is no privacy without security
o Security By Design https://otalliance.org/resources/securitybydesign.html
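The consent gate the 'Amended UK Law' slides describe (essential cookies exempt under regulation 6(4)(b), everything else only with prior consent) together with steps 1 and 2 above (a defined DNT policy and an audit record of the DNT header), as an added example in JavaScript. This is not code from the Marketo deck. It assumes Node-style lowercased request header names, a first-party cookie named `consent` carrying the categories the user agreed to, and a hypothetical cookie catalogue; the sample requests are constructed.

```javascript
// Added example (not from the Marketo deck). A server-side gate that decides
// which cookies a response may set, honouring the "strictly necessary"
// exemption of PEC Regs 6(4)(b), a recorded prior consent, and the DNT header,
// and producing one audit record per request. Assumptions: header keys are
// lowercased as Node.js does in req.headers; consent is carried in a first-party
// cookie named "consent" holding comma-separated categories; the cookie names
// and categories below are hypothetical.

const COOKIE_POLICY = {
  session_id:   "essential",    // login session: needed for the service requested
  basket:       "essential",    // shopping basket: the deck's own example
  analytics_id: "analytics",    // needs consent
  ad_segment:   "advertising",  // needs consent, and is refused when DNT: 1
};

// Parse a Cookie request header into {name: value}. Tolerates a missing header,
// stray spaces, '=' inside values and malformed percent-encoding.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Read the DNT header strictly: only the literal "1" is an opt-out. "0" is an
// express opt-in, absence means no preference, anything else is recorded as invalid.
function dntState(headers) {
  const v = headers["dnt"];
  if (v === undefined) return "unset";
  if (v === "1") return "opt-out";
  if (v === "0") return "opt-in";
  return "invalid";
}

// Decide which of `wanted` cookies may be set for this request and build the
// audit record. `now` is injected so the record is reproducible.
function gateCookies(headers, wanted, now = new Date()) {
  const cookies = parseCookies(headers["cookie"]);
  const consent = new Set(
    (cookies["consent"] || "").split(",").map(s => s.trim()).filter(Boolean)
  );
  const dnt = dntState(headers);
  const allowed = [], refused = [];

  for (const name of wanted) {
    const category = COOKIE_POLICY[name] || "unclassified";
    if (category === "essential") {            // exempt under 6(4)(b)
      allowed.push(name);
    } else if (category === "unclassified") {  // never set what you cannot explain
      refused.push({ name, reason: "unclassified" });
    } else if (dnt === "opt-out" && category === "advertising") {
      refused.push({ name, reason: "dnt" });   // DNT overrides stored consent
    } else if (consent.has(category)) {
      allowed.push(name);
    } else {
      refused.push({ name, reason: "no-consent" });
    }
  }

  return {
    ts: now.toISOString(),
    dnt,                                 // the DNT meta-data the deck says to record
    dntRaw: headers["dnt"] === undefined ? null : headers["dnt"],
    consent: [...consent].sort(),
    allowed,
    refused,
  };
}

// Constructed sample requests (not real traffic): consent plus DNT: 1,
// full consent plus DNT: 0, and a first visit with neither.
const SAMPLE_REQUESTS = [
  { cookie: "consent=analytics", dnt: "1" },
  { cookie: "consent=analytics%2Cadvertising", dnt: "0" },
  {},
];

function runSamples() {
  const wanted = ["session_id", "analytics_id", "ad_segment", "mystery"];
  return SAMPLE_REQUESTS.map(h => gateCookies(h, wanted, new Date(0)));
}

for (const record of runSamples()) console.log(JSON.stringify(record));
```

The returned record is what you persist for step 2: it captures the raw header, how it was interpreted, the consent that applied and every cookie refused, so an auditor can reconstruct why a given response set what it set. Treating an unclassified cookie as refused rather than allowed is deliberate; a cookie you cannot place in a category is one you cannot describe in the "clear and comprehensive information" regulation 6(2)(a) requires.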
Consumers – 4 Ways To Protect Your Data
1. Be mindful of what data you share
2. Share the minimum amount of data
3. Clear your personal information
  o Search engine history
  o Web apps history
  o Locally stored objects (e.g. cookies), for example with CCleaner
4. Keep your computing systems secure
  o Anti-virus
  o Anti-spyware
  o Download and run applications from trusted sources only
Be Mindful of Security
Source
• Corporate culture
• Long-term commitment
• A marketer's mindset
• Three fundamental truths:
  o Your data includes some PII
  o You will have a data incident
  o Data stewardship is everyone's responsibility
Build Trust
Top 3 Things marketers can do now
1. Document a realistic plan to achieve compliance. Write down:
  o What technologies do you employ?
  o How intrusive are they (risk assessment)?
  o How will you obtain consent?
2. Identify data partners and 'get on the same page!', including the likes of third-party lead-forensics tools, up-sell engines, data-appending services etc.
3. Prepare a business plan for centralised 'consent management'. Managing 'over-riding' consent could become very important in the world of 'DNT'.
Post-webinar discussion http://bit.ly/MarketoChat
Webinar slides and discussion highlights http://linkd.in/marketo-group
#Marketo