1
MANAGING PRIVACY & MAXIMIZING DATA IN AFFILIATE MARKETING
Gary Kibel
Partner
Davis & Gilbert LLP
212.468.4918
2
PRIVACY & SECURITY IN AMERICA
“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.”
Benjamin Franklin, Founding Father
“You have zero privacy anyway. Get over it!”
Scott McNealy, CEO Sun Microsystems
3
KEY PRESENTATION TAKEAWAYS
1. Understand where the data is coming from
2. Understand who owns the data
3. Understand how to legally use the data
4. Know when to ask questions
5. Don’t be deceptive!
4
CONSUMER EXPECTATIONS
5
FTC Fair Information Practice Principles
http://www.ftc.gov/reports/privacy3/fairinfo.shtm
Notice
Choice
Access
Security
Enforcement
It’s all about transparency & consumer expectations
6
CONSUMER-FACING PRIVACY POLICIES
7
8
PRIVACY POLICIES ENFORCEABLE
Greer v. 1-800 Flowers.Com Inc. (Texas – 2007)
Facts
Privacy Policy violation
Internal Controls
9
INDUSTRY – SPECIFIC PRIVACY LAWS
10
11
CHILDREN’S ONLINE PRIVACY PROTECTION ACT “COPPA”
All website operators who intend to reach children under the age of 13 or have actual knowledge (regardless of the age group targeted by their website) that children under the age of 13 visit their website must:
Post a privacy policy
Obtain “verifiable parental consent”
Advise parent/legal guardian that they can review the child's personal information
Establish and maintain reasonable security procedures
13
SOCIAL NETWORKING SITES – COPPA VIOLATIONS
Maintained a blogging and social networking service
Collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent
Age verification system was: (1) suggestive and (2) faulty
1.7 million accounts created by children under the age of 13
Result = $1,000,000 fine
14
DATA SECURITY & STATE SECURITY BREACH NOTIFICATION LAWS
15
SECURITY BREACHES
ChoicePoint
Bank of America
CardSystems
Department of Veterans Affairs
TJ Maxx
BJ’s
16
STATE SECURITY BREACH NOTIFICATION LAWS
California SB 1386 (2003)
Now 44 states have security breach notification laws
Most generally apply to unencrypted personal information of consumers
17
STATE OF NEVADA
Effective October 1, 2008
“A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission.”
18
COMMONWEALTH OF MASSACHUSETTS
Effective January 1, 2010
“Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program…”
19
FEDERAL TRADE COMMISSION GUIDANCE
A sound data security plan is built on 5 key principles:
1. Take stock. Know what personal information you have in your files and on your computers.
2. Scale down. Keep only what you need for your business.
3. Lock it. Protect the information that you keep.
4. Pitch it. Properly dispose of what you no longer need.
5. Plan ahead. Create a plan to respond to security incidents.
20
EMERGING TECHNOLOGIES
21
22
23
BEHAVIORAL ADVERTISING
Federal Trade Commission – December 20, 2007
Online Behavioral Advertising – Moving the Discussion Forward to Possible Self-Regulatory Principles
Transparency and consumer control
Reasonable security, and limited data retention, for consumer data
Affirmative express consent for material changes to existing privacy promises
Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising
24
BEHAVIORAL ADVERTISING
Federal Trade Commission (Staff Report) – February 2009
Generally maintained the 4 principles
Excluded “first party” behavioral advertising and contextual advertising from the principles
Distinction between PII and non-PII is no longer determinative
Data retention = only as long as necessary
Be creative for non-web site disclosures
Did not resolve the opt-in v. opt-out debate
Did not further define “sensitive data”
25
BEHAVIORAL ADVERTISING
AAAA/ANA/DMA/IAB – July 2009
7 principles: Education; Transparency; Consumer Control; Data Security; Material Changes; Sensitive Data; Accountability
Basically, FTC + tagging ads + industry enforcement
26
PARTIES IN THE BEHAVIORAL MARKETING ECOSYSTEM
Advertisers
Ad Agencies
Publishers
ISPs
End Users
Content Delivery Networks
Ad Networks
Ad Servers
27
28
DON’T BE DECEPTIVE IN CREATING DATA
New York AG v. Lifestyle Lift (July 2009)
Employees published positive reviews on message boards
Employees did not identify themselves as Lifestyle Lift employees
$300,000 fine
29
DON’T BE DECEPTIVE IN CREATING DATA
Twitter Hashtag Spam
European furniture maker
“#MOUSAVI Join the database for free to win a £1,000 gift card”
Bad PR
30
SOCIAL NETWORKING DATA
31
KEY PRESENTATION TAKEAWAYS
1. Understand where the data is coming from
2. Understand who owns the data
3. Understand how to legally use the data
4. Know when to ask questions
5. Don’t be deceptive!
32
MANAGING PRIVACY & MAXIMIZING DATA IN AFFILIATE MARKETING
Gary Kibel
Partner
Davis & Gilbert LLP
212.468.4918
Alan Chapell, JD, CIPP
Chapell & [email protected]