A Privacy Primer

Russ Mathews

Enterprise Risk Services

March 6, 2001

2

Agenda

• Introduction

• General Privacy Issues

• Definition of Privacy

• Consumer Concerns

• Business Trends

• Business Considerations

• Regulatory Environment

• Technological Challenges

• Summary of General Privacy Issues

3

General Privacy Issues

• Definition of Privacy

• Consumer Concerns

• Business Trends

• Business Considerations

• Regulatory Environment

• Technological Challenges

• Summary of General Privacy Issues

4

Definition of Privacy

Information Privacy refers to the right of individuals to determine when, how, and to what extent “personally identifiable information” will be shared with others, and it has broad implications for the collection, storage and dissemination of consumer information by companies.

Personally identifiable information is defined, in general, as any information relating to an identified or identifiable individual.

Depending on regulatory and national requirements, Privacy Initiatives and Principles may address:

• Company responsibility for ownership of personal information collected

• Providing notice of how personal information will be used

• Limiting data collection to specific business objectives

• Time limits on retention and storage of personal data

• Consumer options for how personal information is used

• Responsibility for the accuracy, integrity and security of consumer data

6

Consumer Concerns

1999 Lou Harris-IBM Consumer Privacy Survey. 94% of Americans think personal information is vulnerable to misuse. And 78% claim they have refused to provide requested data to a business because they believe it is too personal.

Wall Street Journal poll conducted in the Fall 1999. Americans were asked what they feared most in the new millennium. Privacy came out on top (29%), substantially higher than terrorism, global warming, and overpopulation (no higher than 23%).

Media Focus

Heightened Awareness

Public Perception

7

General Concerns

Simple Irritation – Information bombardment

Feelings of Violation – Tracking what you read and watch

Fear of Harm – Misuse of information

Nightmarish Conspiracies – Government and Big Business (e.g., Orwellian vision of the future)

8

Increasing Privacy Encroachment

9

Feelings Of Loss of Control

July 21, 2000. 39 States Object To Sale Of Toysmart’s Customer List. Toysmart, which filed for bankruptcy in June, is one of several e-commerce companies that either have sold or are trying to sell customer information, such as home addresses, phone numbers, transaction histories and family profiles.

. . . .

Who owns personal data?

11

Business Trends

What has led to the current emphasis on collecting and using personally identifiable information?

As always, to sell more!

12

Business Trends

How can you sell more and what does that have to do with privacy?

1) One-to-one marketing

Goal of all marketers

2) Rise of the Internet

Global

New channel for buying and selling

3) Increased computational power and speed

Moore’s Law

Speed and power required to process terabytes of information

13

Business Trends

One-to-One Marketing?

• Analytics: helps organizations to understand the consumers.

• E-marketing: helps organizations define the structure for reaching their consumers.

• Personalization: helps organizations provide one-to-one marketing of products and services to their consumers and customers.

14

Business Trends

Analytics?

• Helps organizations understand their consumers.

• Raw data is useless to marketers.

• Transform raw data into useful information.

• Count heads, create reports, monitor web traffic, identify bottlenecks.

• Create segments of customers based on behavior patterns.

15

Business Trends

E-marketing?

• Helps organizations define the structure for reaching their consumers.

• Uses the results from the analytics phase.

• Helps to create marketing campaigns.

• Can incorporate marketing results into a comprehensive plan to identify what to sell and when to sell.

16

Business Trends

Personalization?

• Helps organizations provide one-to-one marketing of products and services to their consumers and customers.

• Provides unique shopping experience to each user.

• Rules-based customization.

• Neural networks “learn” from experience.

• Collaborative filtering uses statistical analysis.

17

Business Trends

The Goal:

Organizations want to achieve one-to-one marketing.

The Method:

Organizations are collecting and using personally identifiable information to expand the capabilities of their data warehousing and data mining efforts.

The Problem:

There exists a very fine line between personalization and privacy invasion.

18

Business Trends

Personalization or Privacy Invasion?

19

Litigation

August 15, 2000, Toys R Us Inc. [NYSE:TOY] has stopped using the services of Coremetrics.com, a market data collection company that figured in lawsuits alleging ...

August 14, 2000 -- Coremetrics uses technology such as Web bugs and cookies--or tiny digital identifying tags that track visitors' whereabouts online--to compile information about online shoppers. For example, its technology can record when a consumer adds a product to his or her shopping cart then takes it out. With this information, online stores could potentially send an email to the consumer offering a discount on the product he or she decided against.

Using JavaScript, Coremetrics can also extract personally identifiable information such as names, addresses and phone numbers from online forms filled out during the checkout process.

Website Statement Concerning CoreMetrics

For a short period of time, we had a trial arrangement with a service called CoreMetrics to assist us in evaluating information about how visitors use our site. This trial arrangement is no longer in effect. As part of this service, cookies may have been placed on the computer systems of certain visitors to our site. Because we no longer are using CoreMetrics' services, future visitors to our site will not have CoreMetrics cookies placed on their systems.

SAN DIEGO, Aug 2, 2000 (BUSINESS WIRE) -- Milberg Weiss today announced that a class action was filed on July 28, 2000 on behalf of all persons who have visited either www.toysrus.com or www.babiesrus.com and have had their private online Web browsing activities and their confidential information covertly monitored, intercepted and/or transmitted to third parties by Toys R Us (NYSE:TOY) (the "Class").

20

Litigation

Financial Institutions:

• U.S. Bancorp

– Allegedly sold credit card information to MemberWorks

• Chase Manhattan Bank

– Allegedly provided information to non-financial direct marketers about its credit card and mortgage customers

• Charter Pacific Bank

– Allegedly sold credit card database to pornographic website

22

Business Considerations

Stuck between a rock and a hard place…

Rock -

• Regulations, consumer groups, class action law firms and regulatory agencies are litigating or considering litigation to curtail business use of private data.

Hard Place -

• In order to compete effectively in today’s market, businesses need to become better at gaining and retaining customers.

23

Business Considerations

• Privacy Is A Multi-dimensional challenge

• Technology Issues Are Complex

• What Level Of Data “Stewardship” Does Your Customer Base Demand?

[Diagram labels: Senior Management, Legal, Compliance, Information Technology, Marketing, Human Resources, Risk Management, Financial Reporting; Cookies, Applets, Databases, Banner ads]

Other rocks and hard places…

24

Business Considerations

Business Issues Driving Privacy Initiatives

• Regulatory Requirements

• Customer Sensitivity

• Extended Enterprise

• Competition

• Brand Image

• Globalization

25

Business Considerations

How to handle the rock and hard place issue - Create an effective privacy initiative using the following steps:

• Retaining a Chief Privacy Officer (CPO)

• Creating a task group to evaluate and propose a comprehensive privacy initiative for the entire organization (headed by the CPO)

• Restructuring technology and business practices for privacy compliance

• Educating and training for privacy awareness

• Evaluating applications, products, services and third parties for privacy compliance on a periodic basis

26

Business Considerations

Rise of the Chief Privacy Officer (CPO)

“The rise in CPOs stems from one of two reasons: damage control and prevention.”

Damage Control

• RealNetworks

• Doubleclick

Prevention

• Microsoft

• American Express

• Citigroup

• Prudential Insurance

27

Business Considerations

Duties of the Chief Privacy Officer

• Organize and coordinate Privacy Task Force or Committee

• Commission or conduct privacy risk assessment and inventory of privacy risks

• Track privacy environment and provide reports

• Monitor privacy law and regulations compliance

• Develop privacy policies and procedures

• Do privacy review of new products and new Net developments

• Support employee privacy training

• Interact with consumer groups and regulators

• Provide contact point for consumers

• Manage privacy dispute resolution

• Speak for the company and prepare executives for legislative/agency testimony

• Conduct regular/annual privacy audits

• Report to top management

28

Business Considerations

What are the costs of not having a comprehensive privacy initiative?

• Loss of brand image

• Loss of revenue

• Loss of share price

• Cost of litigation and class action suits

• Cost of penalties for non-compliance

• Damage to public trust

• Damage to employee morale

30

Regulatory Concerns

[Diagram labels: Web Sites; Partners/Affiliates/Subsidiaries; Other Third Parties; Ad Networks; Offline Transactions]

1) What kinds of notice should Web sites be required to provide before they collect information? Should limits be imposed on what can be collected and how long it can be kept?

2) Should consumers have a right to opt out or opt in before Web sites channel ad networks’ cookies to their machines?

3) What kind of sharing takes place with a Web site’s business partners, which are considered “third parties”?

4) Should Web sites be required to have opt-in or opt-out policies on third-party data sharing?

6) What access should consumers have to their information?

Source: Forrester May 2000

31

Disjointed US Market Approach

• Deceptive Trade Practices

– FTC Enforcement

• Health Care

– HIPAA Privacy & Security Standards

• EU Safe Harbor Principles

– Unknown acceptance

• Financial & Insurance Industry

– Gramm-Leach-Bliley Act (implementation 7/2001)

– NAIC Model Law

• The Children’s Online Privacy Protection Act

• Proposed Consumer Legislation In Congress and Multiple States

32

Proliferation of Privacy Regulations

FTC, HIPAA, NAIC, GLB, Safe Harbor Principle, COPPA

UK Data Protection Act

Personal Information Protection and Electronic Documents Act

Privacy Ordinance

Guidelines for the Protection of Computer Processed Personal Data

Federal Privacy Amendment Bill

E-Commerce Code for the Protection of Personal Information

Following EU Data Protection Directive

• Information crossing multiple borders

• Complex third party relationships (providers, buying exchanges, alliances)

• Increased use of web-based applications and systems

• Restrictive regulatory environment being adopted across regions

33

Increasing Regulatory Tension

• European Union findings show that the United States does not provide adequate protection for Personally Identifiable Data

• Multiple regulatory agencies promulgating various rules for the same statute (e.g., GLB Act and SEC Banking and FTC rules)

• State Legislatures enacting conflicting laws (e.g., must give customer opt-in rights v. opt-out rights)

34

Gramm-Leach-Bliley Act

Financial Services Modernization Act of 1999

Condensed Timeline:

November 12, 1999 – GLB signed into law

May 2000 – several Federal agencies published their final rules (OTS, FDIC, FTC)

June/July 2000 – final rules published

November 13, 2000 – GLB privacy regulations enacted

July 1, 2001 – mandatory compliance deadline

35

Gramm-Leach-Bliley Act

Scope of Coverage:

• Financial Institutions: any institution significantly engaged in financial activities

• Non-Public Personal Information: personally identifiable financial information provided by a consumer to a financial institution, resulting from any transaction with the consumer or any service performed for the consumer, or otherwise obtained by the financial institution.

• Consumer vs. Customer:

– Consumer: an individual who obtains a financial product or service for personal, family or household purposes

• Occasional or isolated contact (e.g., ATM cash)

– Customer: has an established relationship (e.g., depositor, borrower, or insurance policyholder)

36

Gramm-Leach-Bliley Act

Statutory Requirements:

• Clearly and conspicuously give a privacy notice to each customer, at least once each year, of the institution’s policies for collecting and sharing nonpublic personal information

– A mere consumer need not receive a privacy notice, unless the financial institution intends to disclose that individual’s nonpublic personal information to nonaffiliated third parties

• Afford consumers choice (e.g., the right to “opt-out” of disclosures to non-affiliated third parties), subject to certain exceptions

– Opt-out does not apply with respect to affiliate disclosure

• Cannot disclose account access information (e.g., account numbers) to third party marketers

• Abide by regulatory standards to protect the security and confidentiality of consumer non-public personal information

37

Gramm-Leach-Bliley Act

Notice: Initial and Annual:

• Categories of NPI collected

• Categories of NPI disclosed to others

• Categories of entities to whom NPI is disclosed

• Disclosure practices with regard to former customers

• NPI disclosed under joint marketing/agency exceptions

• Gramm-Leach-Bliley opt-out right

• FCRA opt-out right: applies to “secondary” information that a customer may volunteer in certain applications to a financial institution (e.g., an income statement). Does not apply to “experience” information.

• Security and confidentiality practices and procedures

• Disclosures covered by general exceptions (need only say that “certain other disclosures are made ‘as permitted by law’”)

38

Gramm-Leach-Bliley Act

Opt-Out: A financial institution may not disclose NPI to a “nonaffiliated” third party unless:

• The financial institution clearly and conspicuously discloses to the consumer that such information may be disclosed to the third party;

• The consumer is given the opportunity to direct that the information not be disclosed to the third party; and

• The consumer is given an explanation of how to exercise that right.

The opt-out right must be easy to exercise and reasonable:

• A reply form with check-off boxes and a return address

• It is unreasonable to require the consumer to write a letter

39

Gramm-Leach-Bliley Act

NPI Sharing Exceptions:

• Necessary to process a transaction requested or authorized by the customer

• Necessary to effect, administer or enforce transaction

• Made with the consent of the consumer

• Made to protect against fraud

• Made to a consumer reporting agency

• Made in connection with the merger or sale of a financial institution

• Made to comply with a regulatory investigation

• Made to auditors

• Service Provider/Joint Marketing

– A third party provides services on behalf of financial institution

– Two financial institutions jointly market a product or service

Re-Use/Disclosure Restrictions Apply
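
The opt-out conditions, the affiliate carve-out, the ban on passing account access information to third-party marketers and the sharing exceptions on the preceding GLB slides can be encoded as one decision procedure over a "customer choice database" of the kind the Lessons Learned slides say is often designed with minimal thought. The Python below is an added example written for this page, not code from the presentation or from any regulator: the data model, the category names used for account access information, the purpose labels and the use of a flat 30-day window are simplifying assumptions, and it models only the rules as the slides state them.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum, auto
from typing import Dict, Optional, Tuple


class Purpose(Enum):
    """Why the institution wants to disclose NPI (labels are assumptions)."""
    MARKETING = auto()
    PROCESS_TRANSACTION = auto()      # requested or authorized by the customer
    FRAUD_PROTECTION = auto()
    CONSUMER_REPORTING_AGENCY = auto()
    REGULATORY_INVESTIGATION = auto()
    AUDIT = auto()
    MERGER_OR_SALE = auto()
    SERVICE_PROVIDER = auto()         # third party acting on the institution's behalf
    JOINT_MARKETING = auto()          # two institutions jointly market a product


# Purposes the "NPI Sharing Exceptions" slide lists: no opt-out required.
# (Re-use/disclosure restrictions still bind the recipient; not modelled here.)
OPT_OUT_EXEMPT = frozenset({
    Purpose.PROCESS_TRANSACTION, Purpose.FRAUD_PROTECTION,
    Purpose.CONSUMER_REPORTING_AGENCY, Purpose.REGULATORY_INVESTIGATION,
    Purpose.AUDIT, Purpose.MERGER_OR_SALE, Purpose.SERVICE_PROVIDER,
    Purpose.JOINT_MARKETING,
})
# Assumed category names standing in for "account access information".
ACCOUNT_ACCESS = frozenset({"account_number", "card_number", "access_code"})
OPT_OUT_WINDOW_DAYS = 30   # "approximately 30 days" per the Timing Issues slide


@dataclass(frozen=True)
class Recipient:
    name: str
    affiliated: bool           # affiliate of the institution?
    marketer: bool = False     # third-party marketer?


@dataclass(frozen=True)
class ChoiceRecord:
    """One row of a customer choice database: what the consumer was told and chose."""
    consumer_id: str
    notice_date: Optional[date]        # clear and conspicuous notice delivered on this date
    method_explained: bool = False     # told how to exercise the opt-out (e.g., reply form)
    opted_out: bool = False
    consented: bool = False            # explicit consent to this disclosure


@dataclass(frozen=True)
class Disclosure:
    categories: frozenset              # NPI categories being shared
    recipient: Recipient
    purpose: Purpose


def evaluate_disclosure(rec: ChoiceRecord, disc: Disclosure,
                        as_of: date) -> Tuple[bool, str]:
    """Return (allowed, reason) for one disclosure under the rules on the slides."""
    r = disc.recipient
    # Account access information may never go to third-party marketers.
    if not r.affiliated and r.marketer and disc.categories & ACCOUNT_ACCESS:
        return False, "account access information to third-party marketer"
    # The opt-out right does not apply to affiliate disclosures.
    if r.affiliated:
        return True, "affiliate disclosure; opt-out does not apply"
    # Listed exceptions bypass the opt-out.
    if disc.purpose in OPT_OUT_EXEMPT:
        return True, f"exception: {disc.purpose.name}"
    if rec.consented:
        return True, "disclosed with consumer consent"
    # Otherwise notice, an explanation and a real opportunity to opt out all come first.
    if rec.notice_date is None:
        return False, "no clear and conspicuous notice on file"
    if not rec.method_explained:
        return False, "consumer not told how to exercise the opt-out"
    if (as_of - rec.notice_date).days < OPT_OUT_WINDOW_DAYS:
        return False, "opt-out window still open"
    if rec.opted_out:
        return False, "consumer opted out"
    return True, "notice given, window elapsed, no opt-out on file"


# Constructed sample data (names and dates are illustrative).
MAILER = Recipient("MailCo", affiliated=False, marketer=True)
AFFILIATE = Recipient("BankCorp Insurance", affiliated=True)
FRAUD_VENDOR = Recipient("FraudScreen", affiliated=False)
NOTICED = ChoiceRecord("c1", notice_date=date(2001, 5, 1), method_explained=True)
OPTED_OUT = ChoiceRecord("c2", notice_date=date(2001, 5, 1), method_explained=True, opted_out=True)
NO_NOTICE = ChoiceRecord("c3", notice_date=None)
AS_OF, EARLY = date(2001, 7, 1), date(2001, 5, 15)   # 61 and 14 days after notice


def demo() -> Dict[str, Tuple[bool, str]]:
    """Evaluate the sample cases; keyed by a short label so results can be checked."""
    basic = frozenset({"name", "address"})
    cases = {
        "acct_to_marketer": (NOTICED, Disclosure(frozenset({"name", "account_number"}), MAILER, Purpose.MARKETING), AS_OF),
        "affiliate": (NO_NOTICE, Disclosure(basic, AFFILIATE, Purpose.MARKETING), AS_OF),
        "fraud_exception": (OPTED_OUT, Disclosure(basic, FRAUD_VENDOR, Purpose.FRAUD_PROTECTION), AS_OF),
        "opted_out": (OPTED_OUT, Disclosure(basic, MAILER, Purpose.MARKETING), AS_OF),
        "no_notice": (NO_NOTICE, Disclosure(basic, MAILER, Purpose.MARKETING), AS_OF),
        "window_open": (NOTICED, Disclosure(basic, MAILER, Purpose.MARKETING), EARLY),
        "noticed_ok": (NOTICED, Disclosure(basic, MAILER, Purpose.MARKETING), AS_OF),
    }
    return {k: evaluate_disclosure(rec, disc, when) for k, (rec, disc, when) in cases.items()}


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

The ordering of the checks is the point: the prohibition on account access information and the affiliate carve-out are decided before any exception is consulted, and a marketing disclosure to a nonaffiliated party is refused whenever notice, the explanation of the right, or the waiting period is missing, not only when the consumer has actively opted out. A choice database that stores only the opt-out flag cannot answer the "window still open" case.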

40

Gramm-Leach-Bliley Act

Timing Issues:

• July 1, 2001 Date Misleading

• Nonaffiliated Third Party Sharing:

– Must provide consumers with approximately 30 days to make “opt-out” choice

– Financial institution requires reasonable amount of time to collect and implement opt-out choices made by consumers

– Must implement no later than end-April 2001

Regulators Overseeing Preparedness:

• Office of Thrift Supervision Privacy Preparedness Check-Up

• Office of Comptroller of Currency Advisory Notice

41

COPPA

Children’s Online Privacy Protection Act of 1998

The final ruling of the Act went into effect on April 21, 2000.

• Applies to organizations or individuals who operate a commercial Web site or an online service directed to children under the age of 13 that collects personal information from children, AND to those who operate a general audience Web site, if they have actual knowledge that they collect personal information from children;

• Requires a link to the institution's privacy notice on the home page and at each area where it collects personal information from children;

• The notice itself must be clearly written and understandable and should not include unrelated or confusing materials;

• Parental consent must be obtained before a child's personal information is collected, used or disclosed;

• A new notice must be furnished if there are material changes in the collection, use or disclosure practices.

42

Federal Health Privacy Regulations (“HIPAA”)

Health Insurance Portability and Accountability Act

Finalized December 20, 2000

What entities are regulated:

Health Plan Providers, Health Care Clearinghouses, Certain Health Care Providers

What information is covered:

Protected Health Information: In general, information related to physical or mental health, the provision of health care, or the payment of health care

43

Federal Health Privacy Regulations (“HIPAA”)

Key provisions include:

• Access - People have the right to see and copy their own medical records. Most states do not currently grant people such broad access.

• Limits on Disclosure - The regulation greatly restricts access to health information. Of note: for disclosures relating to treatment, payment and health care operations, providers must obtain patient consent.

• Employers - Employers are barred from receiving "protected health information" except for specific functions related to providing and paying for health care. Employers must establish a firewall between the health care division and employees who make decisions about employment.

44

Federal Health Privacy Regulations (“HIPAA”)

Key provisions continued:

• Law Enforcement - Health care providers and plans are prohibited from releasing patient data to federal, state, or local law enforcement without some form of legal process, including a warrant, court order or administrative subpoena.

• Research - All research, whether publicly or privately funded, must be overseen by either an Institutional Review Board (IRB) or Privacy Board if the researcher seeks a waiver of informed consent.

• Penalties - Health care providers, health plans, and clearinghouses are subject to civil and criminal penalties (up to $250,000/year and 10 years in jail) for violating the law. HIPAA constrained the Secretary from including a private right of action for individuals to sue for violations of the law.

45

EU Data Protection Directive

Cross-Border Flow Of Personally Identifiable Information

EU Data Protection Principles

• Adequate, relevant and not excessive

• Fairly and lawfully processed

• Processed for limited purposes

• Accurate and Secure

• Not kept longer than necessary

• Not transferred to countries without adequate protection

• Processed in accordance with the data subject's rights

European Union finding that United States does not provide an adequate level of data protection for PII

46

Safe Harbor Principles

Principles establish an “adequate” level of data protection for non-financial United States companies

• Notice - Organizations must inform individuals how collected information will be used

• Choice - Individuals must be given an opportunity to choose whether to provide information if it is disclosed to a third party or used for purposes incompatible with the original purposes

• Upstream transfer - Organizations must ensure that third parties receiving data also follow Safe Harbor principles

• Security/Data Integrity - Reasonable precautions must be taken to protect personal information from loss, misuse and unauthorized access, disclosure and alteration

• Access - Individuals must have access to information collected about them. Organizations should take reasonable steps to ensure that data is collected for the intended use, accurate, complete and current

• Enforcement - Organizations must provide effective means for ensuring compliance with Safe Harbor principles and consequences for non-compliance

47

Consequences of Non-Adoption of Safe Harbor

• Must adhere to privacy standards as interpreted in each EU member state (as opposed to one standard)

• Subject to actions brought by each EU member state where directive is violated, and possible shutdown of cross border data flows and assessment of damages

• Negative publicity and possible loss of market share in EU member states

• However, certification without complete adoption of Safe Harbor Principles can subject a company to regulatory action in the United States and in the EU.

49

Technological Challenges

• Written procedures often fail to accurately reflect actual systems capabilities and practices.

• Information may be stored incorrectly and shared with third parties.

• Organizations may not have inventoried personally identifiable information, and may not understand data flows through systems and processes.

• Web sites are easily able to record and track individual identity and associated activities on the Internet.

• Current technology infrastructure may be unable to incorporate policies and controls to comply with notice, choice and security requirements.

• Information systems are rarely integrated and unable to capture the total customer relationship throughout an enterprise.

• Business and legal departments may be unfamiliar with the capabilities of their enterprise technology and its implementation.

50

[Diagram: Internet browser → Web Site X / Web Site Y → DoubleClick Server]

DoubleClick created profiles of individuals using the World Wide Web by placing a cookie with a unique identification number on user’s browsers.

When a browser went to a member Web site that contained an invisible DoubleClick graphic, a request was sent to the DoubleClick server, which assigned the user’s browser a cookie containing a unique identification number.

From that time forward, whenever the user connected to any Web site that subscribed to the DoubleClick system, the browser returned the identification number to the DoubleClick server, allowing the server to recognize the user.

Over a period of time, DoubleClick compiled a list of which member sites the user had visited and revisited, and a profile of the user's tastes and interests.

This information was used to compile valuable feedback for its member Web sites, such as audience profiles.

“We’re going to do a Smith & Wesson on DoubleClick”

- Michigan State Attorney General
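
The cookie mechanism described on this slide, and the web-bug tracking attributed to Coremetrics on the Litigation slide, can be reproduced as a small simulation. The Python below is an added example written for this page, not code from the presentation, from DoubleClick or from any browser vendor; the host names, the browsing session and the browser's cookie policy are constructed. It shows how a tracker's cookie, returned with every invisible-image request, lets one server link visits across unrelated member sites into a profile, and how a browser that neither stores nor sends cookies in a third-party context breaks that linkage.

```python
from __future__ import annotations

import itertools
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

TRACKER_HOST = "tracker.example"   # constructed host standing in for an ad network


class TrackerServer:
    """Serves the invisible image that member sites embed and logs every request."""

    def __init__(self) -> None:
        self._ids = itertools.count(1000)
        # identifier -> [(member site, page)]: the raw material for a profile
        self.visits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)

    def serve_pixel(self, cookie: Optional[str], referer_site: str,
                    page: str) -> Optional[str]:
        """Handle one image request; return a Set-Cookie value if a new id is issued.

        The Referer tells the tracker which member site the browser is on; the
        cookie, when the browser returns one, tells it which browser this is.
        """
        uid = cookie
        set_cookie = None
        if uid is None:
            uid = f"uid-{next(self._ids)}"
            set_cookie = uid
        self.visits[uid].append((referer_site, page))
        return set_cookie

    def profile(self, uid: str) -> List[str]:
        """Distinct member sites seen for one identifier: the 'audience profile'."""
        return sorted({site for site, _ in self.visits[uid]})


class Browser:
    """Minimal cookie jar (one cookie per host) with optional third-party blocking."""

    def __init__(self, block_third_party: bool = False) -> None:
        self.block_third_party = block_third_party
        self.jar: Dict[str, str] = {}

    def load_page(self, site: str, page: str, tracker: TrackerServer) -> None:
        # The page at `site` embeds an image hosted on TRACKER_HOST. Because that
        # host differs from the page's host, the image request is third-party.
        third_party_blocked = (TRACKER_HOST != site) and self.block_third_party
        cookie = None if third_party_blocked else self.jar.get(TRACKER_HOST)
        set_cookie = tracker.serve_pixel(cookie, site, page)
        if set_cookie is not None and not third_party_blocked:
            self.jar[TRACKER_HOST] = set_cookie   # browser keeps the tracker's id


# Constructed browsing session across unrelated member sites.
SESSION = [("shop.example", "/cart"), ("news.example", "/politics"),
           ("shop.example", "/checkout"), ("kids.example", "/toys")]


def run_scenario(block_third_party: bool) -> Dict[str, List[str]]:
    """Replay SESSION in one browser; return the tracker's profile per identifier."""
    tracker = TrackerServer()
    browser = Browser(block_third_party)
    for site, page in SESSION:
        browser.load_page(site, page, tracker)
    return {uid: tracker.profile(uid) for uid in tracker.visits}


if __name__ == "__main__":
    print("cookies accepted   :", run_scenario(block_third_party=False))
    print("third-party blocked:", run_scenario(block_third_party=True))
```

With cookies accepted, the tracker ends up with a single identifier carrying all three sites; with third-party cookies blocked it sees four unrelated identifiers, one per page load. Note what blocking does not change: the tracker still receives every image request together with its Referer, so it still learns that some visitor was on a given page. Blocking removes the cross-site link, not the visit itself; limiting what the Referer discloses is a separate control.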

51

[Diagram: Internet browser using RealJukebox → RealNetworks Server]

In 1999, RealNetworks faced several class-action lawsuits alleging the violation of privacy of its customers by using software that would track not only individual users but also what music they played and listened to using the RealJukebox.

RealNetworks Director of Systems Marketing, Peter Zaballos, said that the features were "built out by an aggressive development team that was not yet married to business policies."

“To put the matter another way, while the public voices of the company [RealNetworks] are proclaiming their adherence to strict privacy standards, their technical staff are putting forth software that violates those standards.”

- Tom Maddox

[Diagram labels: Real Jukebox; Play music, Download music; GUID + Music; RealNetworks Server; Other Servers]

52

Initiatives on the Web

Privacy initiatives in the marketplace

• Private Payments

• Private E-mail

• Web Analytic Tools

Endorsements/Privacy Seal Programs

• Truste

• BBB Online

• WebTrust

• P3P

• Content Management Providers

• Privacy Tools

53

Technology Definitions

Transmission Control Protocol/Internet Protocol (TCP/IP) - A protocol developed for the Department of Defense that has become the de facto communications standard of the Internet.

HyperText Transfer Protocol (HTTP) - The protocol most often used to transfer information from World Wide Web servers to browsers, which is why Web addresses begin with http://.

Globally Unique Identifier (GUID) - A number assigned to a user to track application access and use. Specifically, a number embedded in Microsoft's Windows 98 operating system which could be used to track a user's network usage and other activities. The number, attached to software and even documents created by the user, made it possible to track applications that were used and documents that were created throughout a network.

Personally Identifiable Information (PII) - Any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. (EU Data Protection Act)

54

Technology Definitions

HyperText Markup Language (HTML) - The language used to create World Wide Web pages, with hyperlinks and markup for text formatting

Common Gateway Interface (CGI) - A way of interfacing computer programs with HTTP or Web servers, so that a server can offer interactive sites instead of just static text and images.

Perl - A general-purpose programming language which has become the language of choice for World Wide Web development, text processing, Internet services, and every other task requiring portable and easily-developed solutions.

JavaScript - A cross-platform WWW scripting language from Netscape Communications, very popular because it is simple, easy to learn, and can be included in a HTML file.

Public-Key Encryption - A way of encrypting messages in which each user has a public key and a private key. Messages are sent encrypted with the receiver's public key; the receiver decrypts them using the private key.

Public-Key Infrastructure (PKI) - Provides the people, policies, processes and technology for managing the various public keys that are used to provide network security and confidentiality through encryption and digital signatures.

55

A Privacy Primer

General Privacy Issues

• Definition of Privacy

• Consumer Concerns

• Business Trends

• Business Considerations

• Regulatory Environment

• Technological Challenges

• Summary of General Privacy Issues

56

Competitive Advantage vs. Increased Risk

• Regulations form a baseline requirement for compliance.

• Brand image is susceptible to breaches in customer privacy.

• A proactive approach to privacy makes a statement about the importance of the customer’s trust.

• Therefore, companies have the opportunity to create a differential advantage through sound privacy policies and practices.

• However, a more aggressive approach may subject the company to heightened scrutiny and increased risk.

• Systems, products and services must accurately reflect privacy policy.

[Chart: Value vs. Time for a Less Aggressive and an Aggressive Privacy Initiative, plotted against Regulatory Requirements, Brand Image and Regulations; Competitive Advantage vs. Increased Risk]

57

Lessons Learned

• Failure To Understand Customer Concerns And Perceptions

– E.g., Sharing of information with third parties vs. solicitation

• Failure To Plan For Multi-Regulatory Environment

– Little rationalization of various regulations (e.g., EU Data Protection Directive, GLB, HIPAA)

• Focus On Privacy Policy And Notice, Without Detailed Understanding Of Whether Systems Are In Compliance

– Leads to regulatory non-compliance and charges of deceptive practices

– Often business and legal components of business unfamiliar with system capabilities

• Few Companies Have Adequately Inventoried The Personally Identifiable Information Collected And Understand Where, When And How It Is Shared With Third Parties (Or Its Affiliates)

58

Lessons Learned

• Technology “Fixes” Are Not Designed For The Long-Term Environment

– Minimal thought to the design and implementation of customer choice databases, or mechanisms for reviewing compliance

– Infrastructure may be inadequate or unable to incorporate privacy policy and regulations

– Failure to implement across enterprise (silo approach to privacy)

• Management Unaware Of Privacy Risks Associated With Web-Environment

– E.g., Toys R Us and Coremetrics Litigation (no intent to violate privacy policy, but charged with deceptive practices)

– Easy to track identity and activities of customers over web

• Failure To Maximize Privacy Work

– After inventory of personally identifiable information and data flows, opportunity to develop systems and methodologies for maximizing customer data mining within privacy policy framework

– Little exploitation of leadership within the extended enterprise (e.g., assisting partners implement successful privacy programs in order to further cement relationship)

59

Lessons Learned

• Failure To Analyze Products And Services Sold To Marketplace For Privacy Compliance

– Not simply an internal system issue

– Complex regulatory problems for products and services sold globally

– During development process procedures and controls need to be developed to include privacy considerations

• Failure To Recognize Impact On Mergers And Acquisitions

– Can consumer information be shared between entities?

– What is the cost of ensuring the new or combined entity is compliant?

– Does the acquisition or merger subject the entity to a new regulatory environment?

Trust Is An Asset

60

Summary

• Questions??

• Useful websites

www.privacyheadquarters.com (pop quiz on GLB)

www.privacyfoundation.org

www.privacy.org

www.privacytimes.com

www.epic.org

www.pandab.org