Notes Version: Is More Data Always Better The Legal Risks of Data Collection, Storage and Use in Marketing
1. 9/30/2011
Is More Data Always
Better? The Legal Risks
of Data Collection,
Storage and Use in
Marketing
Jordan Abbott
Acxiom Compliance Counsel
WHO, WHAT, WHY, and HOW?
• Who is collecting the data?
• What are they collecting?
• Why are they collecting it?
• What principles (if any),
govern the collection of data?
• Advocates’ attitudes
• Court cases
• What to do to minimize your
risk.
1
3. 9/30/2011
Who Collects and uses data for
“marketing”?
Everybody…
Fortune
Start Ups SOHO Small Tier Mid Tier
500
Financial
Retail Gaming Entertainment Travel
Svc
Insurance Technology Law Firms Health Care Television
Consumer
Goods Automotive Telco Manufacturing Universities
Politicians
Security Collections Government
MORE!
Data Elements “in Play”
On and Offline
– Marketing data?
– Name
– Name variations – Purchase data?
– Addresses – IP Addresses?
– Address Histories
– Peer to Peer Transfers?
– Associates
– Public Records – Social Network?
• DMV – Geo‐Location?
• Criminal & RSO
– Click Stream?
• Voter
• Real Property – Browsing Behavior?
• Licenses – MORE ?????
• Bankruptcy, Tax Lien, Judgment
• Deceased
MORE
Data Elements “in Play”
On and Offline – Anonymous and PII
• Contact Data
• Analytics and Segmentation
– Name
• Spotlights
– Address
• Footlights
– Email address
• Cookies
– Phone
• Email behavior – click &
– Cell phone
open
• Shopping behavior
• Social Network Data
• Viewing Behavior (Digital TV)
• # of Networks
• Geo‐Location (Mobile Device)
• # of Friends
• Place and Time
• Fan Pages
• Browsing behavior
• Blog Data
• Click stream
• Preference data
• Purchase behavior
• Response data
• Demographics
• Sociographics • MORE
• Life Stage
3
4. 9/30/2011
WHY….?
….because
businesses want
to know their
customer
and customers
want to be
delighted,
amused and
protected
SOLVING BUSINESS ISSUES –
CREATING CONSUMER VALUE
Marketing Risk
Acquisition
Identity Fraud
Up-sell /Cross-sell
Authentication
Retention
Verification
CUSTOMERS’ LIVES ARE CONSTANTLY
CHANGING
Every hour of every day
5,769 people changed jobs
2,748 people moved
509 people were married
244 people got divorced
186 people declared bankruptcy
These people are your customers
4
5. 9/30/2011
Channels Are Multiplying Rapidly
New Types of Data
Exploding Volume
Escalating Velocity
OVER-ARCHING CONCERN…
CONSUMER ATTITUDES
• Privacy is an emotionally charged issue
– Being watched, monitored, taken advantage of
• Consumers feel like they are losing “control”
• Consumers don’t understand our information based
economy
– Information technology is part of our economic
infrastructure
– Benefits are not fully understood by consumers or law
makers
– Technology used often confuses consumer
POLICYMAKERS’ ATTITUDES
• “When personal data collected by
one organization for a stated
purpose is used and traded by
another organization for a
completely unrelated purpose,
individual rights could be seriously
threatened.”
•
102 Cong.Rec. 36893-4 (1974),
quoted in Ash v. United States, 608
F.2d 178, 180 (5th Cir. 1980).
5
6. 9/30/2011
THE NEWS!
“…vast data gathering…used to discriminate in the services that
companies offer customers or government agencies offer citizens.”
“Eleven of the nation's largest
“…growing concern on Capitol Hill about the
expanding business of tracking consumer behavior website operators defended their
online.” privacy practices to lawmakers,
saying it is impossible for them to
monitor all the tracking technologies
“’the wall has been breached’ between their
what users share under their real identity
online and what information they provide sites install on visitors' computers.”
under the cover of anonymity.”
“…the analytical skill of data
“Mr. Markey said he wasn't satisfied that handlers…is transforming the
"consumers are able to effectively shield Internet into a place where people
their personal Internet habits and private are becoming anonymous in name
information from the prying eyes of online only.”
data gatherers.”
MORE NEWS!
“…consumers who surf the Internet “…Stalkers Exploit Cell phone GPS “
unintentionally surrender all kinds of
personal information to marketing
firms that use invisible tracking
technology to monitor online activity” “As WiFi Data Collection Revealed,
New Investigation Begins”
"Consumers still get the short end of the stick when industry shows that it is
incapable, or unwilling, to better articulate what information they are collecting
from consumers and why we should trust industry to protect consumers'
personal information.”
"It is technically impossible for Yahoo! to be
aware of all software or files that may be installed
on a user's computer when they visit our site,"
Anne Toth, Yahoo's vice president of global policy
and head of privacy, wrote to U.S. Reps. Edward
Markey (D‐Mass.) and Joe Barton (R‐Texas).”
Apps
Collecting even “private”
data, little governance,
Placefulness
little enforcement…lots of Device Fingerprint
secondary
You are known and commercialization Captures device data
points, formulates
treated in place and “fingerprint,” spoofable,
time via the cloud not “categorized” as
pii…yet used that way
The Internet of Things…
Multiply in order of
magnitude
Surveillance Precise GeoLocation
Multiplied by time;
checking in
eHealth & HITECH
Society... HTML5
Relies on the Cloud,
devices monitor, report Offers even more
back tracking & collection,
utilizes the Cloud
Meters Sniffers and Listeners
Rides the pipes, capturing
and closing the loop on Sits on networks,
every data point including watches traffic, sniffs out
digital dust and digital
exhaust of digital device brand and…”listens”
6
7. 9/30/2011
GOOGLE STREET VIEW
- Premise is awesome and
beneficial
- Collected personal information
from unsecure WiFi networks
- “Probably the single greatest
breach in the history of
privacy”
- Numerous court cases and
enforcement actions around
the world
iPHONE LOCATION TRACKING
- Hidden file that stores
latitude, longitude, and
timestamps
- Post-hoc explanation did
not do much to quell
controversy
- Lawsuits, Congressional
inquiries
COMSCORE ALLEGATIONS
-August 2011
-Online tracking
-Class action lawsuit
-Alleged to have secretly collected
SSNs, credit card #s, and
passwords
7
8. 9/30/2011
DMA’S GUIDELINES
FOR ETHICAL BUSINESS PRACTICES
Article #32 – Personal Data
“Marketers should be sensitive to
the issue of consumer privacy and
should only collect, combine, rent,
sell, exchange, or use marketing
data. Marketing data should only
be used for marketing purposes.”
COLLECTION LIMITATION PRINCIPLE
“There should be limits to the
collection of personal data and
any such data should be
obtained by lawful and fair
means and, where appropriate,
with the knowledge or consent
of the data subject”
IDENTIFYING PURPOSES
• Identify the purpose for which the personal
information is collected at, or before, the time of
collection
• Allows the organization to determine the
information it needs to collect to fulfill those
purposes
• When collecting information, there is a tendency
to collect more than what is needed “just in
case” you need it at a later date
• Unless you have clearly indicated how that
information will be used, you should not collect
it
• Scrutinize the need for each piece of information
you collect.
• If you don’t need it, don’t collect it.
8
9. 9/30/2011
TO DO’S
- Have an effective Data Governance Plan
- Assess needs and purposes
- The more you collect, the greater your fiduciary
duty
- Don’t keep what you don’t need
-Regularly monitor compliance
-Have an effective Security Incident Response Plan
-Question of “when,” not “if”
- Assess your technical, physical and
administrative vulnerabilities
- Address them
-Understand what your obligations are in the event
of a breach
- Have it in writing and keep it up to date
Pending Legislation
• HR 611 §303
• S. 799 §301
CONTACT INFO
Jordan Abbott
(501) 342-0356
jordan.abbott@acxiom.com
9