Upload
4imprint
View
217
Download
0
Embed Size (px)
Citation preview
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
1/164imprint.com
Pr ivacy and Secur i ty
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
2/16 2013 4imprint, Inc. All rights reserved
Privacy and security onl ine:
What is the corporate impact?
In June 2013, Edward Snowden fueled the debate on privacy and democracy
in the digital age. He was called everything from a traitor to a hero when he
revealed that the National Security Agency (NSA) has been eavesdropping on
private citizens through cell phones, laptops, Facebook, Skype, chat-rooms andmore. One of the first documents released by Snowden showed that the NSA was
collecting telephone records from millions of customers of Verizon, one of the
largest U.S. telecommunications providers.1
The Snowden affair raises a number of questions pertaining to consumer privacy
and security rights. NSA officials and other intelligence agencies claim that
these activities are constitutional and occur under the umbrella of rigorous
congressional and judicial oversight, and that its essential in order to protect
the public from terrorist attacks. But civil liberties groups such as the ElectronicFrontier Foundationand the American Civil Liberties Unionwarn that this type
of surveillance goes beyond what Congress intended and violates constitutional
rights. At the heart of the issue is whether or not Americans have rights when
it comes to protecting their personal data. A number of laws and regulations
pertaining to this are currently being debated that will likely affect how
corporations collect and maintain consumer data.
Last year, President Obama introduced the Consumer Privacy Bill of Rightsto
protect consumer rights online. In the report, the President noted that [never]has privacy been more important than today, in the age of the Internet, the
World Wide Web and smartphones.2The legislation is designed to give
consumers a clear understanding of what to expect from companies that handle
their personal information and defines basic principles for companies that use
personal data, and now many companies wonder what this means and how it will
be implemented.
In the meantime, the Federal Trade Commission (FTC) continues to enforce the
existing regulations designed to protect consumer rights. As of October 2013,the FTC has brought 47 legal actions against organizations that have violated
consumers privacy rights, or misled them by failing to maintain security for
sensitive consumer information. Most of the cases violated the Federal Trade
1 Powell, Kenton, and Greg Chen. NSA Files Decoded: Edward Snowdens Surveillance Revelations Explained.The Guardian. N.p., n.d. Web. 13 Nov. 2013. .2 Meece, Mickey. President Obamas Consumer Privacy Bill of Rights. Forbes. Forbes Magazine, 23 Feb. 2012.
Web. 14 Nov. 2013. .
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
3/16 2013 4imprint, Inc. All rights reserved
Commission Act Section 5which bars unfair and deceptive acts and practices in or
affecting commerce. In addition to the FTC Act, there are 33 other laws, rules and
guidesthat provide the agency with enforcement authority to protect consumers
privacy. Its a lot to take in and can leave many organizations wondering what
they should be doing to protect consumer data within the confines of the law.
This Blue Paperlooks at the landscape of consumer privacy and security,
particularly how it applies to U.S. corporations. The paper begins with a synopsis
on consumer data and a review of the current landscape of privacy controls in
the United States. The paper also highlights the directives from the Federal Trade
Commission and the suggested best practices corporations should implement to
protect consumer data. The final section explores some of the privacy controls in
other countries, and how it may impact U.S. corporations that operate globally.
Prepare for a journey into a maze of confusion, because privacy and security
online is a moving target, but there are some things your corporation should
know to be in compliance and protect consumer data appropriately.
The truth about consumer data
Consumers understand that businesses, governments and other organizations
gather data about them online. Theres a general acceptance that you leave
a digital footprint anytime you go online to make purchases or simply surf
the Web. Personal details about consumers are also online because they
are shared willingly through chats or social sites like Facebook, Twitter
or LinkedIn
. And dont forget there is consumer data available throughgovernment agencies that are fully searchable. For example, users can view
and search real estate transactions and obtain information on a home and
its value. Even things like birth certificates and signature copies can be
found online.
And it is widely accepted and understood that businesses use consumer
information to help complete transactions, remember consumer preferences,
deliver personalized content and special offers, as well as save consumers time.
Its common for businesses to track website page views and the number of uniquevisitors to a website, among other things.
So, how do Americans feel about privacy online? According to a study from the
Pew Internet and American Life Project Data, most Internet users would like to
be anonymous online but think it is not possible. The study found that 86 percent
of Internet users have taken steps online to remove or mask digital footprints, by
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
4/16 2013 4imprint, Inc. All rights reserved
doing things like clearing cookies or encrypting email.3Another 55 percent
have taken steps to avoid observation by specific people, organizations or
the government.
Other data shows that Americans use mobile technology more than ever and they
are selective when using apps that require personal information. Pew Internet
revealed that:
88 percent of U.S. adults own a cell phone;
43 percent download cell phone applications to their phones;
54 percent of app users decided not to install a cell phone app when
they discovered how much personal information they would need to
share in order to use it; and,
30 percent of app users have uninstalled an app because they learned
it was collecting personal information they didnt wish to share.4
Moreover, a representative survey of 792 Internet users found that a number of
users say they have experienced problems because others stole their personal
information or otherwise took advantage of their visibility online. In particular:
21 percent of Internet users have had an email or social networking account
compromised or taken over by someone else without permission; and,
11 percent have had important personal information stolen such as their
social security number, credit card or bank account information.
According to Lee Rainie, Director of the Pew Research Centers Internet Project
[users] clearly want the option of being anonymous online and increasingly
worry that this is not possible.5
The Fede ral Trade Comm ission and
U.S. pr ivacy regulat ions
At the state level, some legislators have introduced bills that attempt to
provide greater privacy controls with mixed results. California, considered theprivacy leader, passed measures that allows minors the right to erase social
media posts they regret posting. Three other states enacted laws governing
inheritance of digital information, like Facebook pages. But still, for the most
3 Rainie, Lee. Pew Research Centers Internet & American Life Project. Anonymity, Privacy, and Security Online.N.p., 5 Sept. 2013. Web. 13 Nov. 2013. .
4 Boyles, Jan Lauren. Privacy and Data Management on Mobile Devices. Privacy and Data Management onMobile Devices. N.p., 5 Sept. 2012. Web. 15 Nov. 2013. .
5 Rainie, Lee. Pew Research Centers Internet & American Life Project. Anonymity, Privacy, and Security Online.N.p., 5 Sept. 2013. Web. 13 Nov. 2013. .
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
5/16 2013 4imprint, Inc. All rights reserved
part, U.S. consumers are forced to rely on the promises from businesses and
local governments that their information will not be sold or given away to other
entities. These promises, however, are not legally binding and are often broken
without consequence.6
In the United States, a host of loosely defined consumer privacy laws and
regulations seek to protect any individual from loss of privacy due to failures
or limitations of corporate customer privacy measures. Privacy concerns exist
whenever data relating to a person or persons are collected and stored. Much
of the privacy protection policies in the United States are dictated by the
Electronic Communications Privacy Act, which was passed in 1986, before the
Internet was a reality. Today, for the most part, regulations that dictate how
companies must maintain and protect consumer information are driven by
the Federal Trade Commission.
Indeed, protecting consumer privacy is a hot topic, and one that the Federal
Trade Commission (FTC) takes seriously. In 2012, Googleand the FTC agreed
to a $22.5 million settlement, the largest penalty in the agencys history, on
charges that Google misrepresented its actions to users of Apples Safari
browser.7Specifically, the FTC charged that Google placed tracking cookies on
users computers, in some cases working around the privacy settings within
the browser. In the settlement, Google agreed not to misrepresent its privacy
policies to consumers. FTC Chairman Jon Leibowitz said that the penalty
highlights the agencys commitment to enforcing its orders on privacy. The
record-setting penalty in this matter sends a clear message to all companies
under an FTC privacy order, Leibowitz said. No matter how big or small, all
companies must abide by FTC orders against them and keep their privacy promises
to consumers, or they will end up paying many times what it would have cost to
comply in the first place.
To reign in some of the debate, in March 2012, The Federal Trade Commission
released a report on Protecting Consumer Privacy in an Era of Rapid Change that
outlines some best practices for businesses to help protect the privacy of American
consumers.8It outlines methods that give consumers greater control over the
collection and use of personal data. The report expands on a directive from
December 2010, which proposed a framework for consumer privacy in light of
6 Harris, Maryls. Why Doesnt the State Protect Our Online Privacy? Its Not as Easy as You Think. MinnPost.N.p., 11 Nov. 13. Web. 15 Nov. 2013. .7 Tsukayama, Hayley. Google Settles FTC Privacy Case for $22.5 Million, Agencys Largest Penalty. Washington
Post. The Washington Post, 10 Aug. 2012. Web. 14 Nov. 2013. .
8 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. FederalTrade Commission, Mar. 2012. Web. 15 Nov. 2013. .
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
6/16
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
7/16 2013 4imprint, Inc. All rights reserved
services include technologies or features that drive privacy and data protection. In
addition, the company is constantly researching new privacy features in computer
science and software engineering. Part of the Microsoft strategy incorporates
outreach to customers, industry leaders, civil society and governments in order
to establish standards and policies that can help people and organizations better
manage and protect personal information.
Another good example of privacy by design is found in Googles social network,
Google+. With Google+, contacts are placed in nonpublic circles and users
are asked to designate the circle to share with for every post they make.12
Circles might include friends, colleagues or family, but users are responsible for
denoting what circles receive information for every post they make. Apples
iPhoneincorporated privacy by design methods by adding a purple arrow icon
that appears on the screen letting a user know when their location information
is being sent to an app. The idea is to make sure users a re aware when sensitive
information is shared.
At a minimum, companies should review what they are doing in terms of privacy
by design. Does your company embed privacy and data protection throughout
the lifecycle of every process? Is user data private by default? Reviewing these
questions is critical to make sure your corporation adheres to the basic principles
of privacy by design. There are a number of online resources that can help you
define and implement privacy by design. Consider downloading a document from
the Information and Privacy Commissioneron Operationalizing Privacy by Design:
A Guide to Implementing Strong Privacy Practices. In addition, the Center for
Democracy and Technology Onlinealso has a helpful section on privacy by designthat walks companies through basic understanding and implementation.
Enact s impl i f ied consumer choice pol ic ies
The FTC promotes simplified consumer choice policies, which essentially
means being more up-front and direct with consumers about how data will
be used. The FTC requires that companies simplify choices when it comes to
how consumers interact with a company to guard their own privacy. The FTC
states that companies need to offer consumers choices before collecting andusing consumer data for practices that are consistent with the context of the
transaction or the companys relationship with the consumer. Particularly, the
FTC recommends that businesses obtain affirmative, express consent before (1)
using consumer data in a materially different manner than claimed when the data
was collected; or (2) collecting sensitive data for certain purposes.13
12 Hill, Kashmir. Why Privacy By Design Is The New Corporate Hotness. Forbes Magazine, 28 July 2011.Web. 14 Nov. 2013. .
13 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal
Trade Commission, Mar. 2012. Web. 15 Nov. 2013. .
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
8/16
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
9/16 2013 4imprint, Inc. All rights reserved
whether to be tracked across other parties websites (including affiliates
websites). Many companies have made strides in this area to assist consumers in
controlling what information is accessible and for what purposes, but the FTC
encourages continued progress and more complete implementation of consumer
control mechanisms. The FTC established a workgroup of several companies to
further develop controls that can be adopted universally.
The FTC suggests that Do Not Track should be put into effect through legislation
or robust self-regulation, but it is not legally binding. The framework states that
the most practical method to apply this function would likely involve placing a
setting similar to a persistent cookie on a consumers browser and conveying that
setting to sites that the browser visits, to signal whether or not the consumer
wants to be tracked or receive targeted advertisements. Last year, a standardized
Do Not Track feature implemented by some organizations allowed consumers to
opt out receiving targeted ads from up to 114 third-party advertisers. A million
people used the tool and more than 5 million visited the site for information
about online ads.14
Right now, you can select Do Not Track options in Firefox, Internet Explorer
and Safari, which send messages to websites that users do not want to be
followed online with cookies or other mechanisms. Some companies are being
proactive when it comes to adding Do Not Track Features. You can check out
FireFoxfor example, and its defined Do Not Track optionsonline. Twitteris
another company that receives high marks for Do Not Track compliance. The
company gives users the option to opt out of being tracked and provides
easy-to-follow directionson how to do it. Also, Twitter recently fought a court
order asking for users data, which demonstrates a commitment to protecting user
privacy on a whole.15Its not a bad idea to check out what other companies are
doing with Do Not Track to get some ideas for your own organization.
Keep in mind though, the Do Not Track feature is unresolved and there is no
consensus on what should be included and how companies should be required
to use it. A working group on the issue is affiliated with the World Wide Web
Consortium (W3C),the official custodian of Web standards. The collection of
ad companies, privacy advocates and outside experts convened to settle the
longstanding debate about consumer privacy and determine the future of
advertising technology. The working group is stalled on a number of issues,
14 Fung, Brian. The Internets Best Hope for a Do Not Track Standard Is Falling Apart. Heres Why. The Switch:Where Technology and Policy Connect. The Washington Post, 11 Oct. 2013. Web. 15 Nov. 2013. .
15 Wagstaff, Keith. Grading How Well Companies Are Cooperating with Do Not Track | TIME.com. Time.Time, 12 May 2012. Web. 26 Nov. 2013. .
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
10/16 2013 4imprint, Inc. All rights reserved
including the obligations advertising companies have with regard to online
tracking and what the word tracking even means. The Electronic Frontier
Foundation asked for the group to disband, citing lack of agreement and loss of
confidence in the process. At issue is the fact that although the opt-out function
is meant to guarantee the end of targeted advertising, it doesnt rule out the
collection of consumer data. As of October 2013, the future of Do Not Track
negotiations is delayed, pending the establishment of Do Not Track guidelines
and steps for compliance.
Be transparent with consumer data
Keep it short and simple: Thats the FTCs advice for creating and improving
existing transparent data practices. In particular, companies should use privacy
notices that are clearer, shorter, and more standardized to enable better
comprehension and comparison of privacy practices.16Furthermore, companies
should provide reasonable access to the consumer data they maintain; the extentof access should be proportionate to the sensitivity of the data and the nature of
its use. Finally, organizations should prioritize the education of consumers with
regard to commercial data privacy practices.
The FTC advocated for Congress to enact privacy legislation to give legal
enforceability to its recommended practices; in the meantime, the FTC advised
that companies should accelerate the pace of self-regulation.17To-date there is
no overarching legislation in place, how transparency is available to consumers is
decided by organizations on a case-by-case basis.
Some companies are being proactive in providing consumers with full
transparency. Take for example, the company Acxiom. The organization
recently launched a site called AboutTheDatathat invites users to enter
their names, addresses, and the last four digits of their social security
numbers to access a portal that reveals the information the company
has gathered on them. This includes age, estimated income, residence,
ethnicity, marital status and categories of product purchases, including
anything from food to home furnishings that the consumer made viamail order. Its a proactive attempt to give consumers a chance to see
what kind of information the company collects combined with the
ability to edit and change any data, as well as opt-out from receiving
targeted ads.
16 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. FederalTrade Commission, Mar. 2012. Web. 15 Nov. 2013. .
17 Ibid.
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
11/16 2013 4imprint, Inc. All rights reserved
In 2012, Epsilon, another data collection agency, began providing customers
with a paper report for a small fee that discloses all the data the company has
collected on them. Likewise, BlueKai and Exelate, both companies that collect
behavioral data for online ad targeting, are also providing data-transparency
systems. The BlueKais registryaims to put consumers in control of their digital
footprint by allowing consumers to see what preferences are being logged by
other third-party data creators on their computer. As BlueKai states on its home
page, its a way to be transparent about what data companies think about your
computer. Consumers can control their anonymous profile by managing topics of
interest, changing preferences or choosing to opt out of future marketing efforts.
Michael Nadeau, the publisher of Data Informed, put together a list of things
every company should tell their consumer regarding its data policies and
collection.18According to Nadeau, companies should share the following:
exactly what data is being collected, how the data collection technology works,
how the data is secured,
why the data is collected,
how the data is analyzed and reported,
who is seeing the data, and
how the collected data benefits the consumer.
Once your company outlines the answers to these questions, it should be
circulated in a way that makes it easy for consumers to find. Providing the
answers to simple questions like these helps promote full transparency and often
puts consumers at ease regarding your data collection policies.
What about the Consumer Pr ivacy Bi l l of Rights?
In 2012, the Obama administration proposed the Consumer Privacy Bill of
Rights, which is the most comprehensive bill designed to address consumer
privacy concerns. Specifically, the bill calls for a multi-stakeholder process to
produce enforceable codes of conduct among organizations and agencies that
collect consumer data. These guidelines outlined in the bill promote the idea of
transparency in all aspects of data use to allow individuals the opportunity to
control when and how their personal information is used.
18 Nadeau, Michael. To Win Consumer Trust, You Need Transparent Data Collection Policies - See More At:Http://data-informed.com/win-consumer-trust-need-transparent-data-collection-policies/#sthash.omc8YzVF.dpuf. Data Informed: Big Data and Analytics in the Enterprise. N.p., 20 Sept. 2013. Web. 17 Nov. 2013..
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
12/16 2013 4imprint, Inc. All rights reserved
The Consumer Privacy Bill of Rights proposes the following:
Individual control: Consumers have a right to exercise control over what
personal information companies collect from them and how they use it.
Transparency:Consumers have a right to easily understandable and
accessible information about privacy and security practices.
Respect for context:Consumers have a right to expect that companies will
collect, use, and disclose personal data in ways that are consistent with the
context in which consumers provide the data.
Security: Consumers have a right to secure and responsible handling of
personal data.
Access and accuracy: Consumers have a right to access and correct
personal data in usable formats, in a manner that is appropriate to the
sensitivity of the data and the risk of adverse consequences to consumers
if the data is inaccurate.
Focused collection:Consumers have a right to reasonable limits on the
personal data that companies collect and retain.
Accountability: Consumers have a right to have personal data handled by
companies with appropriate measures in place to assure they adhere to the
Consumer Privacy Bill of Rights.
President Obama challenged companies to begin immediately working with
privacy advocates, consumer protection enforcement agencies, and others under
the direction of the Commerce Department to develop enforceable codes of
conduct. The goal is for Congress to put those agreed-upon guidelines into law.
Thus far, the response to the bill has been varied. Some claim that the bill is
largely aspirational because it does not create any enforceable obligations.
In truth, the framework simply creates suggested guidelines for companies
that collect personal data as a primary function of their business operations.
There is no legislation officially in place to monitor corporate behaviors, and
as the administration recognizes, in the absence of legislation these are only
general principles that afford companies discretion in how
they implement them.19As a corporation, you may be asking,
whats next? Thats a good question, and one that is not clearly
answered. While the bill proposes a list of suggestions and ideas,
it is not legally binding. Until more legislation is approved by
Congress, the impact of the bill remains to be seen.
19 We Cant Wait: Obama Administration Unveils Blueprint for a Privacy Bill of Rights to Protect ConsumersOnline. The White House. N.p., 23 Feb. 2012. Web. 14 Nov. 2013. .
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
13/16 2013 4imprint, Inc. All rights reserved
What about pr ivacy and security laws in
the rest of the wor ld?
Internet privacy laws across the globe vary from robust, non-existent and
ambiguous. China has some of the strongest consumer privacy and security
rules in the world. Effective in September 2013, Chinas Ministry of Industry and
Information Technology (MIIT) passed strict regulations aimed to protect thepersonal information of telecommunication and Internet users. Companies are
required to post personal information collection polices in their place of business
(or online) and may not use personal information without explicit user consent.
Organizations must also notify users regarding the collection, purpose, methods
and scope of use when collecting personal information. These are considered
binding requirements in China and legal action can be taken if a company
violates the policy. However, Chinas Internet regulations are not applied to
other countries.
The European Union (EU) also adopted strict data privacy laws as well. The
EUs General Data Protection Regulation(GDPR) is applied to 28-member
nations and is planned to take effect in 2016, after a two-year transition period.
It harmonizes the current data protection laws in place across all EU member
states. Basically, the GDPR establishes a regulatory framework that outlines a
number of restrictions designed to protect the privacy of individuals and personal
data within the European Union (EU). It also establishes strict limits on the
collection and use of personal data, and demands that every EU state creates an
independent national body responsible for the protection of these data. Amongother things, the measure limits the tracking and profiling activities that allow
for targeted advertising and the ability of a consumer to erase personal data
information. To ensure compliance, fines can be imposed that range anywhere
from .5 percent to two percent of an organizations global sales.
Some companies are already taking note of the EU legislation. Google,
Microsoft, Apple and Facebook have already modified privacy policies as a
result of the mandate. To be compliant with EU regulations, U.S. companies
that operate in Europe must address what the EU calls the right to beforgotten. It essentially means that the user owns his or her information and
that the user has the right to prevent websites and other online services from
keeping it and storing it. In short, it means providing a system that allows users
to erase data after it has been collected.
U.S. companies will also need to gain explicit consent to share data. Currently in
the U.S., everything from financial institutions to social networking sites share
user data with partners and advertising firms. According to the EU proposal,
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
14/16 2013 4imprint, Inc. All rights reserved
users should decide if and when a company can share his or her data. That means
American companies must become more upfront about exactly what data they
are sharing and give users the opportunity to opt out of that sharing without
being penalized.
Seize the opportunity: How to manage
consumer pr ivacyBelieve it or not, companies can turn the debate on privacy and consumer
protection into opportunity. According to authors Catherine Tucker and Avi
Goldfarb from MIT Sloan Management Review, by managing consumer privacy
proactively you can improve your brand.20As the authors describe in the article,
Why Managing Consumer Privacy Can Be an Opportunity: Companies should
view the establishment of a framework of consumer privacy controls as a key
marketing and strategic variable that conveys considerable benefits.21
According to the authors, there are three things your company can do right
now to demonstrate a commitment to consumer privacy and establish a privacy
framework. These include:
1. Develop user-centric privacy controls to give customers control.
2. Avoid multiple intrusions.
3. Prevent human intrusion by using automation wherever possible.
Why should you develop user-centric privacy controls? Because it allows
consumers to set limits on what aspects of their data the company can access.
Research shows that if customers feel in control of their data, they become
substantially more responsive to targeted advertising. To develop a user-centric
privacy approach consider the following:
Be up front about the types of data you are collecting about your consumers
and with whom you are sharing it.
Offer consumers a short menu of options when they register with your
website or make a purchase.
Replicate this process to drive registrations by specifying that registered
users get more choice on how their data is used.
20 Tucker, Catherine, and Avi Goldfarb. Why Managing Consumer Privacy Can Be an Opportunity. MIT SloanManagement Review RSS. N.p., 19 Mar. 2013. Web. 26 Nov. 2013. .
21 Ibid.
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
15/16 2013 4imprint, Inc. All rights reserved
By giving consumers power to control their data, it can increase their comfort
with how companies use their data to improve their product offerings. The key
for companies is to employ consumer-centric controls and to view them as an
integral part of managing a positive customer relationship.
Another best practice is to avoid multiple intrusions. Ultimately, just because
you can intrude on a consumer by either using data or pushing content and pop
up ads, it does nothing to obtain customer loyalty. In fact, the combination of
multiple intrusive tactics usually backfires. Research shows that customers will
accept one targeted intrusion (e.g. pop-up ads) but when its combined with
another intrusion (e.g. targeted advertising) it harms the customer perceptions of
the company. Below is a list of techniques to consider to avoid multiple intrusions:
When using customer data to target messages, make sure that customers do
not feel taken advantage of in other ways.
Ads that target Web-browsing behavior are more effective if they do notintrude on the computer screen.
Ads that pop up or take over a computer screen will be more effective if
they do not also target prior Web-browsing behavior.
Automated telephone messages feel more intrusive if they start with a
robotized voice addressing the consumer by name.
Finally, consider using automation to prevent human intrusion. Consumers
are more comfortable when a machine processes their personal data than when
a person does. Automated systems search habits, buying patterns and trends,
and do not pass judgment on consumer behavior. As a result, consumers find its
much easier to forgive an automated system for sending dieting tips instead of
an actual person. The idea is to ensure consumers that their privacy, particularly
consumer privacy, is valued by your organization. A best practice is to reinforce
an informal culture in which privacy is respected and privacy violations are
punished internally.
Overall, companies have an opportunity to demonstrate to consumers that they
care about privacy issues. As noted in the MIT article: Companies [need to] shift
from thinking about privacy as a compliance burden to thinking of treating data
with courtesy as a fundamental part of the relationship with their customers.
Privacy policies should be organized around managing customer data courteously,
in accordance with consistent principles that customers feel comfortable with.22
22 Ibid.
8/13/2019 1P-23-1213 Privacy and Security Blue Paper
16/16
4imprint serves more than 100,000 businesses with innovative promotional itemsthroughout the United States,
Canada, United Kingdom and Ireland. Its product offerings include giveaways, business gifts, personalized gifts,
embroidered apparel, promotional pens, travel mugs, tote bags, water bottles, Post-it Notes, custom calendars,
and many other promotional items. For additional information, log on to www.4imprint.com.
Whats n ext?
The rapid growth of technology, the Internet and electronic commerce have
sparked a debate on privacy and security that will continue to evolve. Privacy
issues are at the forefront of government agencies, businesses, politicians and the
public. No doubt the debate will continue and more changes will be required.
Until then, its a good idea to make sure your company is doing all it can topromote transparency, consumer choice and privacy by design. If you havent
already, review your privacy policies and make sure they are in sync with the latest
legislative requirements. There are a number of organizations that conduct a
privacy audit and a basic Internet search will yield several experts in the area. For
example, The American Library Association provides a number of free resources
that can help you get started. Theres also a Privacy Toolkitthat walks companies
through the basics of evaluating your privacy strategy.
Whatever you do, its a good idea to do it soon. Privacy and security online is amoving target, but one that demands your attention. If anything, the controls
will only get stronger as more legislation is introduced. If you reign in privacy
controls now, youll be ready for whatever comes next.