Tips for In-House Counsel
April 17, 2012
Waging a Privacy War In The Global Marketplace: How Are Targeted Advertising Business Models At Risk?
Trillions of bits of data are transmitted all over the world every second. Sequences of ones and zeros sent over fiber, cable and through the ether keep our marketplace humming, innovative and competitive. Over the past 20 years, we have arguably seen the most dramatic increase in global productivity ever, driven by the Internet, producing trillions of dollars in new wealth and shifting the epicenters of the new world economy. Amidst all of this, we have seen the birth of enterprises seeking to harness the power of this data to produce radically disruptive business models and deliver a more efficient and valuable offering to the marketplace. The world has changed, in case you hadn’t noticed.
Any business that doesn’t appreciate the science of aggregating, managing, curating and monetizing data, particularly the personal data of customers and potential customers, runs the risk of losing its competitive advantage. People, like all living creatures, are driven by habitual behaviors that are biologically linked to their survival. Statistical analysis of personalized behavioral data shows companies how to anticipate consumer habits with staggering accuracy, so that they can pinpoint exactly what offerings to make and when, in order to dramatically increase conversion rates and profitability. This lowers opportunity cost and creates efficiencies that were never before possible. This new technological capability offers the holy grail to the 21st century business that knows how to exploit it. But with such opportunity comes tremendous responsibility and risk of abuse. This phenomenon has alarmed government regulators, consumer activist groups and the plaintiffs’ bar because the rules are still murky and the technology keeps evolving.
Since the mid-1990s, with the exception of protecting certain categories of data such as financial (Gramm-Leach-Bliley Financial Services Modernization Act)[1], medical (Health Insurance Portability and Protection Act of 1996)[2], and personal information of children (Children’s Online Privacy Protection Act of 1998)[3], U.S. consumer privacy law and FTC enforcement had adopted a laissez-faire attitude to the collection, aggregation, use and dissemination of consumer data. While California’s Online Privacy Protection Act of 1996 attempted to require posted privacy policies from any operator of a commercial website targeted at California consumers, lawmakers refrained from imposing affirmative standards for data management, and broad-sweeping privacy policies were the norm.
This environment created an ecosystem for data aggregation and employed thousands of bright statisticians to write predictive algorithms so that advertisers would know how a consumer would act even before the consumer did. While our counterparts in Europe had a different philosophy regarding consumer privacy and the right of the individual to remain anonymous, codified in Directive 95/46/EC, U.S. lawmakers never quite held the same perspective.
With the ubiquity of mobile computing and social networking over the past few years, however, the historical philosophy in the U.S. has shifted as intrusions on personal privacy have escalated and the regulatory scheme has failed to address the increasing sensitivity to preserving personal liberties. The recent events listed below demonstrate how both the U.S. and Europe are migrating towards a stricter regulatory climate with increased accountability for advertisers and technology providers that depend on targeted advertising models:
• The Federal Trade Commission signed consent decrees last year with Google and Facebook based upon allegations that each violated its own privacy policy and misrepresented to consumers how their information would be used and shared. Recent developments include accusations by the FTC that Google violated its consent decree by allegedly bypassing the Apple Safari browser’s privacy settings.
• The FTC issued Consumer Privacy Recommendations for Congress, specifically addressing restrictions on data brokers and recommendations for “Do Not Track” legislation.
• A class action lawsuit was filed under Texas anti-wiretapping laws against Apple, Path, Beluga, Yelp, LinkedIn, Foursquare and EA alleging that their downloadable apps extract peoples’ address books from their mobile devices without the consumer’s consent or knowledge.
• Kamala Harris, California’s attorney general, signed an agreement with Apple, Microsoft, RIM and Google, charging them to require mobile app publishers to adopt privacy policies at the point of download in order to comply with California’s Online Privacy Protection Act of 2003.[4]
• Google’s recent consolidation of its privacy policies across all its services has been publicly criticized by European regulators as a violation of Directive 95/46/EC.
• European lawmakers have passed new uniform regulations that impose the additional obligations of a consumer’s right to be forgotten and of required authorization to share different categories of information with different categories of third parties. Penalties for violation include fines of up to 2% of global sales for mishandling or losing personal data.
As a result of this shift, any company that collects, stores, shares, exploits and/or sells personal information pertaining to consumers through electronic means (e.g., online, mobile) will need to design a plan for implementing a compliant information aggregation and management strategy.
Below is the methodology we have designed for clients, particularly those handling sensitive data, so that they can reconcile their practices with the global patchwork of privacy regulations:
1. The Information Management Audit
2. The Data Process Flow Map
3. Third Party Obligation Management and Tracking
While an organization may be able to effectively implement internal procedures and process controls, managing the data once it flows outside the organization is a very difficult undertaking. A company must adopt external procedures and legal obligations with the third parties with whom it shares sensitive data, to ensure that the integrity of such protected data is preserved throughout the entire data management chain. This requires the preparation of contracts, the implementation of technology to support opt-out decisions made by consumers, and the adoption by third party recipients of data retention and security policies that correlate to those of the organization.
4. Security Protocol Implementation
The fourth area of concern deals mostly with IT departments and governs the storage and transmission of sensitive personal data. While most U.S. laws only require a higher level of encryption for specific categories of data (e.g. financial data and health records), EU privacy laws impose a higher burden on all personally identifiable information, which warrants uniform treatment from a security perspective. Ensuring that the technological capabilities are in place, as well as safeguards against employees and hackers stealing data, must be a critical part of the strategy.
5. Determining Retention Policies
While most regulators would require an organization to adopt a short data retention period, from a business perspective this would inhibit the value of using a comprehensive database for targeting specific products and services to different consumers based upon historical behavioral patterns. While aggregated data is valuable for advertisers to track the profiles of their customers, targeted marketing derived from predictive behavioral patterns has the highest levels of conversion. This is what makes companies like Google and Facebook so valuable in terms of market capitalization and drives such significant revenues to their coffers. As such, while the EU may impose data retention policies with a short lifespan, U.S. policymakers have fortunately not gone to the extreme of imposing similar requirements for general consumer data. Nonetheless, there may be implications as they relate to the EU Safe Harbor, but that issue is as yet unresolved.
6. Annual Auditing, Tracking and Certification
We recommend that organizations conduct annual audits of their own internal practices and of third party information management, to ensure compliance with updated regulatory requirements and, if required under the EU Safe Harbor, annual certification. This annual audit should be conducted by a committee consisting of internal stakeholders and external experts in order to ensure that the privacy policies, practices and use of technologies are current and compliant.
[1] Pub. L. 106-102; 15 U.S.C. § 6801 et seq.
[2] Pub. L. 104-191, 110 Stat. 1936
[3] 15 U.S.C. § 6501 et seq.
[4] California Business & Professions Code §§ 22575-22579