Privacy and Security

4imprint.com

Privacy and security online: What is the corporate impact?

In June 2013, Edward Snowden fueled the debate on privacy and democracy in the digital age. He was called everything from a traitor to a hero when he revealed that the National Security Agency (NSA) has been eavesdropping on private citizens through cell phones, laptops, Facebook, Skype, chat-rooms and more. One of the first documents released by Snowden showed that the NSA was collecting telephone records from millions of customers of Verizon, one of the largest U.S. telecommunications providers.1 The Snowden affair raises a number of questions pertaining to consumer privacy and security rights. NSA officials and other intelligence agencies claim that these activities are constitutional and occur under the umbrella of rigorous congressional and judicial oversight, and that its essential in order to protect the public from terrorist attacks. But civil liberties groups such as the Electronic Frontier Foundation and the American Civil Liberties Union warn that this type of surveillance goes beyond what Congress intended and violates constitutional rights. At the heart of the issue is whether or not Americans have rights when it comes to protecting their personal data. A number of laws and regulations pertaining to this are currently being debated that will likely affect how corporations collect and maintain consumer data. Last year, President Obama introduced the Consumer Privacy Bill of Rights to protect consumer rights online. In the report, the President noted that [never] has privacy been more important than today, in the age of the Internet, the World Wide Web and smartphones.2 The legislation is designed to give consumers a clear understanding of what to expect from companies that handle their personal information and defines basic principles for companies that use personal data, and now many companies wonder what this means and how it will be implemented. In the meantime, the Federal Trade Commission (FTC) continues to enforce the existing regulations designed to protect consumer rights. As of October 2013, the FTC has brought 47 legal actions against organizations that have violated consumers privacy rights, or misled them by failing to maintain security for sensitive consumer information.Most of the cases violated the Federal Trade

1 Powell, Kenton, and Greg Chen. NSA Files Decoded: Edward Snowdens Surveillance Revelations Explained. The Guardian. N.p., n.d. Web. 13 Nov. 2013. <http://www.theguardian.com/world/interactive/2013/nov/01/ snowden-nsa-les-surveillance-revelations-decoded>. 2 Meece, Mickey. President Obamas Consumer Privacy Bill of Rights. Forbes. Forbes Magazine, 23 Feb. 2012. Web. 14 Nov. 2013. <http://www.forbes.com/sites/mickeymeece/2012/02/23/president-obamas-consumer-privacybill-of-rights/>.
2013 4imprint, Inc. All rights reserved

Commission Act Section 5 which bars unfair and deceptive acts and practices in or affecting commerce. In addition to the FTC Act, there are 33 other laws, rules and guides that provide the agency with enforcement authority to protect consumers privacy. Its a lot to take in and can leave many organizations wondering what they should be doing to protect consumer data within the confines of the law. This Blue Paper looks at the landscape of consumer privacy and security, particularly how it applies to U.S. corporations. The paper begins with a synopsis on consumer data and a review of the current landscape of privacy controls in the United States. The paper also highlights the directives from the Federal Trade Commission and the suggested best practices corporations should implement to protect consumer data. The final section explores some of the privacy controls in other countries, and how it may impact U.S. corporations that operate globally. Prepare for a journey into a maze of confusion, because privacy and security online is a moving target, but there are some things your corporation should know to be in compliance and protect consumer data appropriately.

The truth about consumer data

Consumers understand that businesses, governments and other organizations gather data about them online. Theres a general acceptance that you leave a digital footprint anytime you go online to make purchases or simply surf the Web. Personal details about consumers are also online because they are shared willingly through chats or social sites like Facebook, Twitter or LinkedIn. And dont forget there is consumer data available through government agencies that are fully searchable. For example, users can view and search real estate transactions and obtain information on a home and its value. Even things like birth certificates and signature copies can be found online. And it is widely accepted and understood that businesses use consumer information to help complete transactions, remember consumer preferences, deliver personalized content and special offers, as well as save consumers time. Its common for businesses to track website page views and the number of unique visitors to a website, among other things. So, how do Americans feel about privacy online? According to a study from the Pew Internet and American Life Project Data, most Internet users would like to be anonymous online but think it is not possible. The study found that 86 percent of Internet users have taken steps online to remove or mask digital footprints, by

2013 4imprint, Inc. All rights reserved

doing things like clearing cookies or encrypting email.3 Another 55 percent have taken steps to avoid observation by specific people, organizations or the government. Other data shows that Americans use mobile technology more than ever and they are selective when using apps that require personal information. Pew Internet revealed that: 88 percent of U.S. adults own a cell phone; 43 percent download cell phone applications to their phones;  54 percent of app users decided not to install a cell phone app when they discovered how much personal information they would need to share in order to use it; and,  30 percent of app users have uninstalled an app because they learned it was collecting personal information they didnt wish to share.4 Moreover, a representative survey of 792 Internet users found that a number of users say they have experienced problems because others stole their personal information or otherwise took advantage of their visibility online. In particular:  21 percent of Internet users have had an email or social networking account compromised or taken over by someone else without permission; and,  11 percent have had important personal information stolen such as their social security number, credit card or bank account information. According to Lee Rainie, Director of the Pew Research Centers Internet Project [users] clearly want the option of being anonymous online and increasingly worry that this is not possible.5

The Federal Trade Commission and U.S. privacy regulations

At the state level, some legislators have introduced bills that attempt to provide greater privacy controls with mixed results. California, considered the privacy leader, passed measures that allows minors the right to erase social media posts they regret posting. Three other states enacted laws governing inheritance of digital information, like Facebook pages. But still, for the most
3 Rainie, Lee. Pew Research Centers Internet & American Life Project. Anonymity, Privacy, and Security Online. N.p., 5 Sept. 2013. Web. 13 Nov. 2013. <http://pewinternet.org/Reports/2013/Anonymity-online.aspx>. 4 Boyles, Jan Lauren. Privacy and Data Management on Mobile Devices. Privacy and Data Management on Mobile Devices. N.p., 5 Sept. 2012. Web. 15 Nov. 2013. <http://www.pewinternet.org/Reports/2012/MobilePrivacy.aspx>. 5 Rainie, Lee. Pew Research Centers Internet & American Life Project. Anonymity, Privacy, and Security Online. N.p., 5 Sept. 2013. Web. 13 Nov. 2013. <http://pewinternet.org/Reports/2013/Anonymity-online.aspx>.
2013 4imprint, Inc. All rights reserved

part, U.S. consumers are forced to rely on the promises from businesses and local governments that their information will not be sold or given away to other entities. These promises, however, are not legally binding and are often broken without consequence.6 In the United States, a host of loosely defined consumer privacy laws and regulations seek to protect any individual from loss of privacy due to failures or limitations of corporate customer privacy measures. Privacy concerns exist whenever data relating to a person or persons are collected and stored. Much of the privacy protection policies in the United States are dictated by the Electronic Communications Privacy Act, which was passed in 1986, before the Internet was a reality. Today, for the most part, regulations that dictate how companies must maintain and protect consumer information are driven by the Federal Trade Commission. Indeed, protecting consumer privacy is a hot topic, and one that the Federal Trade Commission (FTC) takes seriously. In 2012, Google and the FTC agreed to a $22.5 million settlement, the largest penalty in the agencys history, on charges that Google misrepresented its actions to users of Apples Safari browser.7 Specifically, the FTC charged that Google placed tracking cookies on users computers, in some cases working around the privacy settings within the browser. In the settlement, Google agreed not to misrepresent its privacy policies to consumers. FTC Chairman Jon Leibowitz said that the penalty highlights the agencys commitment to enforcing its orders on privacy. The record-setting penalty in this matter sends a clear message to all companies under an FTC privacy order, Leibowitz said.No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place. To reign in some of the debate, in March 2012, The Federal Trade Commission released a report on Protecting Consumer Privacy in an Era of Rapid Change that outlines some best practices for businesses to help protect the privacy of American consumers.8 It outlines methods that give consumers greater control over the collection and use of personal data. The report expands on a directive from December 2010, which proposed a framework for consumer privacy in light of

6 Harris, Maryls. Why Doesnt the State Protect Our Online Privacy? Its Not as Easy as You Think. MinnPost. N.p., 11 Nov. 13. Web. 15 Nov. 2013. <http://www.minnpost.com/politics-policy/2013/11/why-doesn-t-stateprotect-our-online-privacy-it-s-not-easy-you-think?utm_source=MinnPost-RSS>. 7 Tsukayama, Hayley. Google Settles FTC Privacy Case for $22.5 Million, Agencys Largest Penalty. Washington Post. The Washington Post, 10 Aug. 2012. Web. 14 Nov. 2013. <http://www.washingtonpost.com/blogs/posttech/post/google-settles-ftc-privacy-case-for-225-million-agencys-largest-penalty/2012/08/09/e048f6a2-e23611e1-a25e-15067bb31849_blog.html>. 8 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.
2013 4imprint, Inc. All rights reserved

new technologies that allow more sophisticated data collection and information sharing. If you dont have time (or inclination) to read the 112 page report, it can be broken down into three basic categories your organization should reevaluate to make sure you are doing the right things. These include privacy by design, simplified consumer choice and transparency.

Practice privacy by design

Privacy by design refers to the development and implementation of a corporate privacy strategy. In the simplest form, it means making consumer privacy a priority at every stage of product development and throughout the delivery of services. The FTC requires that businesses implement practices such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.9 Additionally, the FTC proposes that companies launch comprehensive data management procedures, including designating personnel responsible for employee privacy training and regularly assessing the privacy impact of specific practices, products and services that ensure they can maintain the substantive integrity of their actions to shield privacy.10 (Thats a mouthful!) In simpler terms, privacy by design means that privacy and data protection are embedded throughout the life cycle of technologies, from the early design state to deployment, use and disposal. Its also about making users data private by default and allowing them to determine what information is shared. Microsoft is one company that effectively articulates and implements privacy by design. On the corporate website, privacy by design is described as not only how we build products but also how we operate our services and organize ourselves as an accountable technology leader.11 Microsoft International President Jean-Philippe Courtois detailed Microsofts approach to privacy by design during a speech to the International Association of Privacy Professionals in Paris in November 2010. As he describes, privacy by design is implemented through people, processes, privacy technologies and features, research and outreach. Microsoft also established processes that support rigorous technical development standards and frequently conducts privacy reviews to ensure that privacy and data protections are incorporated into products and services. Microsoft products and
9 United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>. 10  United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>. 11  Microsoft. Privacy by Design. N.p., n.d. Web. 14 Nov. 2013. <http://www.microsoft.com/privacy/bydesign. aspx>.
2013 4imprint, Inc. All rights reserved

services include technologies or features that drive privacy and data protection. In addition, the company is constantly researching new privacy features in computer science and software engineering. Part of the Microsoft strategy incorporates outreach to customers, industry leaders, civil society and governments in order to establish standards and policies that can help people and organizations better manage and protect personal information. Another good example of privacy by design is found in Googles social network, Google+. With Google+, contacts are placed in nonpublic circles and users are asked to designate the circle to share with for every post they make.12 Circles might include friends, colleagues or family, but users are responsible for denoting what circles receive information for every post they make. Apples iPhone incorporated privacy by design methods by adding a purple arrow icon that appears on the screen letting a user know when their location information is being sent to an app. The idea is to make sure users a re aware when sensitive information is shared. At a minimum, companies should review what they are doing in terms of privacy by design. Does your company embed privacy and data protection throughout the lifecycle of every process? Is user data private by default? Reviewing these questions is critical to make sure your corporation adheres to the basic principles of privacy by design. There are a number of online resources that can help you define and implement privacy by design. Consider downloading a document from the Information and Privacy Commissioner on Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices. In addition, the Center for Democracy and Technology Online also has a helpful section on privacy by design that walks companies through basic understanding and implementation.

Enact simplified consumer choice policies

The FTC promotes simplified consumer choice policies, which essentially means being more up-front and direct with consumers about how data will be used. The FTC requires that companies simplify choices when it comes to how consumers interact with a company to guard their own privacy. The FTC states that companies need to offer consumers choices before collecting and using consumer data for practices that are consistent with the context of the transaction or the companys relationship with the consumer. Particularly, the FTC recommends that businesses obtain affirmative, express consent before (1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes.13
12  Hill, Kashmir. Why Privacy By Design Is The New Corporate Hotness. Forbes Magazine, 28 July 2011. Web. 14 Nov. 2013. <http://www.forbes.com/sites/kashmirhill/2011/07/28/why-privacy-by-design-is-the-newcorporate-hotness/>. 13  United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>.
2013 4imprint, Inc. All rights reserved

How can you simplify consumer choice? Its really about providing consumer choices in just in time scenarios. Whether the behavior is online, such as the site where an online consumer is providing personal data, or offline, such as requiring the cashier to ask the customer whether he or she would like to receive marketing offers from other companies, its important to present consumers with the ability to make meaningful choices at the point when the consumer is providing data or engaging with the company.Companies should also offer one choice at a time and obtain affirmative express consent before using consumer data. That said, the FTC noted that there are some commonly accepted practices where a company is not required to seek consumer consent. These include the following:  Product and service fulfillment:Websites collectcontact information for shipping requests and credit card information for payment. Internal operations: Hotels and restaurants collect customer satisfaction surveys to improve their customer service.Websites collect information about visits and click-through rates to improve site navigation. Fraud prevention: Offline retailers check drivers licenses when consumers pay by check to monitor against fraud.Online businesses also employ fraud-detection services to prevent fraudulent transactions.  Legal compliance and public purpose:Search engines, mobile applications and pawn shops share their customer data with law enforcement agencies in response to subpoenas. A business reports a consumers delinquent account to a credit bureau. First-party marketing: Online retailers recommend products and services based upon consumers prior purchases on the website. Offline retailers do the same and may, for example, offer frequent purchasers of diapers a coupon for baby formula at the cash register. For now, if your organization is collecting consumer information in the above areas, consent is not required. However, a good faith practice is to inform the consumer how and why information is gathered whenever possible. Of course, its always a best practice to make sure you obtain consent when requiring and offering simplistic and meaningful choices to consumers.

What about Do Not Track as it pertains to consumer choice?

As part of simplified choice principles, the FTC expects companies develop mechanisms that enable consumers to better control tracking of their online activities, a concept referred to as Do Not Track. Under the proposed framework, this consumer control includes providing consumers with a choice
2013 4imprint, Inc. All rights reserved

whether to be tracked across other parties websites (including affiliates websites). Many companies have made strides in this area to assist consumers in controlling what information is accessible and for what purposes, but the FTC encourages continued progress and more complete implementation of consumer control mechanisms. The FTC established a workgroup of several companies to further develop controls that can be adopted universally. The FTC suggests that Do Not Track should be put into effect through legislation or robust self-regulation, but it is not legally binding.The framework states that the most practical method to apply this function would likely involve placing a setting similar to a persistent cookie on a consumers browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements. Last year, a standardized Do Not Track feature implemented by some organizations allowed consumers to opt out receiving targeted ads from up to 114 third-party advertisers. A million people used the tool and more than 5 million visited the site for information about online ads.14 Right now, you can select Do Not Track options in Firefox, Internet Explorer and Safari, which send messages to websites that users do not want to be followed online with cookies or other mechanisms. Some companies are being proactive when it comes to adding Do Not Track Features. You can check out FireFox for example, and its defined Do Not Track options online. Twitter is another company that receives high marks for Do Not Track compliance. The company gives users the option to opt out of being tracked and provides easy-to-follow directions on how to do it. Also, Twitter recently fought a court order asking for users data, which demonstrates a commitment to protecting user privacy on a whole.15 Its not a bad idea to check out what other companies are doing with Do Not Track to get some ideas for your own organization. Keep in mind though, the Do Not Track feature is unresolved and there is no consensus on what should be included and how companies should be required to use it. A working group on the issue is affiliated with the World Wide Web Consortium (W3C), the official custodian of Web standards. The collection of ad companies, privacy advocates and outside experts convened to settle the longstanding debate about consumer privacy and determine the future of advertising technology. The working group is stalled on a number of issues,

14  Fung, Brian. The Internets Best Hope for a Do Not Track Standard Is Falling Apart. Heres Why. The Switch: Where Technology and Policy Connect. The Washington Post, 11 Oct. 2013. Web. 15 Nov. 2013. <http://www. washingtonpost.com/blogs/the-switch/wp/2013/10/11/the-internets-best-hope-for-a-do-not-track-standard-isfalling-apart-heres-why/>. 15  Wagstaff, Keith. Grading How Well Companies Are Cooperating with Do Not Track | TIME.com. Time. Time, 12 May 2012. Web. 26 Nov. 2013. <http://techland.time.com/2012/05/21/grading-how-companies-arecooperating-with-do-not-track/>.
2013 4imprint, Inc. All rights reserved

including the obligations advertising companies have with regard to online tracking and what the word tracking even means. The Electronic Frontier Foundation asked for the group to disband, citing lack of agreement and loss of confidence in the process. At issue is the fact that although the opt-out function is meant to guarantee the end of targeted advertising, it doesnt rule out the collection of consumer data. As of October 2013, the future of Do Not Track negotiations is delayed, pending the establishment of Do Not Track guidelines and steps for compliance.

Be transparent with consumer data

Keep it short and simple: Thats the FTCs advice for creating and improving existing transparent data practices. In particular, companies should use privacy notices that are clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.16 Furthermore, companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use. Finally, organizations should prioritize the education of consumers with regard to commercial data privacy practices. The FTC advocated for Congress to enact privacy legislation to give legal enforceability to its recommended practices; in the meantime, the FTC advised that companies should accelerate the pace of self-regulation.17 To-date there is no overarching legislation in place, how transparency is available to consumers is decided by organizations on a case-by-case basis. Some companies are being proactive in providing consumers with full transparency. Take for example, the company Acxiom. The organization recently launched a site called AboutTheData that invites users to enter their names, addresses, and the last four digits of their social security numbers to access a portal that reveals the information the company has gathered on them. This includes age, estimated income, residence, ethnicity, marital status and categories of product purchases, including anything from food to home furnishings that the consumer made via mail order. Its a proactive attempt to give consumers a chance to see what kind of information the company collects combined with the ability to edit and change any data, as well as opt-out from receiving targeted ads.

16  United States. Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change. Federal Trade Commission, Mar. 2012. Web. 15 Nov. 2013. <http://www.ftc.gov/os/2012/03/120326privacyreport.pdf>. 17 Ibid.
2013 4imprint, Inc. All rights reserved

In 2012, Epsilon, another data collection agency, began providing customers with a paper report for a small fee that discloses all the data the company has collected on them. Likewise, BlueKai and Exelate, both companies that collect behavioral data for online ad targeting, are also providing data-transparency systems. The BlueKais registry aims to put consumers in control of their digital footprint by allowing consumers to see what preferences are being logged by other third-party data creators on their computer. As BlueKai states on its home page, its a way to be transparent about what data companies think about your computer. Consumers can control their anonymous profile by managing topics of interest, changing preferences or choosing to opt out of future marketing efforts. Michael Nadeau, the publisher of Data Informed, put together a list of things every company should tell their consumer regarding its data policies and collection.18 According to Nadeau, companies should share the following: exactly what data is being collected, how the data collection technology works, how the data is secured, why the data is collected, how the data is analyzed and reported, who is seeing the data, and how the collected data benefits the consumer. Once your company outlines the answers to these questions, it should be circulated in a way that makes it easy for consumers to find. Providing the answers to simple questions like these helps promote full transparency and often puts consumers at ease regarding your data collection policies.

What about the Consumer Privacy Bill of Rights?

In 2012, the Obama administration proposed the Consumer Privacy Bill of Rights, which is the most comprehensive bill designed to address consumer privacy concerns. Specifically, the bill calls for a multi-stakeholder process to produce enforceable codes of conduct among organizations and agencies that collect consumer data. These guidelines outlined in the bill promote the idea of transparency in all aspects of data use to allow individuals the opportunity to control when and how their personal information is used.

18  Nadeau, Michael. To Win Consumer Trust, You Need Transparent Data Collection Policies - See More At: Http://data-informed.com/win-consumer-trust-need-transparent-data-collection-policies/#sthash.omc8YzVF. dpuf. Data Informed: Big Data and Analytics in the Enterprise. N.p., 20 Sept. 2013. Web. 17 Nov. 2013. <http://data-informed.com/win-consumer-trust-need-transparent-data-collection-policies/>.
2013 4imprint, Inc. All rights reserved

The Consumer Privacy Bill of Rights proposes the following: Individual control: Consumers have a right to exercise control over what personal information companies collect from them and how they use it. Transparency:Consumers have a right to easily understandable and accessible information about privacy and security practices.  Respect for context:Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Security: Consumers have a right to secure and responsible handling of personal data.  Access and accuracy:Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Focused collection:Consumers have a right to reasonable limits on the personal data that companies collect and retain. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. President Obama challenged companies to begin immediately working with privacy advocates, consumer protection enforcement agencies, and others under the direction of the Commerce Department to develop enforceable codes of conduct. The goal is for Congress to put those agreed-upon guidelines into law. Thus far, the response to the bill has been varied. Some claim that the bill is largely aspirational because it does not create any enforceable obligations. In truth, the framework simply creates suggested guidelines for companies that collect personal data as a primary function of their business operations. There is no legislation officially in place to monitor corporate behaviors, and as the administration recognizes, in the absence of legislation these are only general principles that afford companies discretion in how they implement them.19 As a corporation, you may be asking, whats next? Thats a good question, and one that is not clearly answered. While the bill proposes a list of suggestions and ideas, it is not legally binding. Until more legislation is approved by Congress, the impact of the bill remains to be seen.

19  We Cant Wait: Obama Administration Unveils Blueprint for a Privacy Bill of Rights to Protect Consumers Online. The White House. N.p., 23 Feb. 2012. Web. 14 Nov. 2013. <http://www.whitehouse.gov/the-pressofce/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights>.
2013 4imprint, Inc. All rights reserved

What about privacy and security laws in the rest of the world?
Internet privacy laws across the globe vary from robust, non-existent and ambiguous.China has some of the strongest consumer privacy and security rules in the world. Effective in September 2013, Chinas Ministry of Industry and Information Technology (MIIT) passed strict regulations aimed to protect the personal information of telecommunication and Internet users. Companies are required to post personal information collection polices in their place of business (or online) and may not use personal information without explicit user consent. Organizations must also notify users regarding the collection, purpose, methods and scope of use when collecting personal information. These are considered binding requirements in China and legal action can be taken if a company violates the policy. However, Chinas Internet regulations are not applied to other countries. The European Union (EU) also adopted strict data privacy laws as well. The EUs General Data Protection Regulation (GDPR) is applied to 28-member nations and is planned to take effect in 2016, after a two-year transition period. It harmonizes the current data protection laws in place across all EU member states. Basically, the GDPR establishes a regulatory framework that outlines a number of restrictions designed to protect the privacy of individuals and personal data within the European Union (EU). It also establishes strict limits on the collection and use of personal data, and demands that every EU state creates an independent national body responsible for the protection of these data. Among other things, the measure limits the tracking and profiling activities that allow for targeted advertising and the ability of a consumer to erase personal data information. To ensure compliance, fines can be imposed that range anywhere from .5 percent to two percent of an organizations global sales. Some companies are already taking note of the EU legislation. Google, Microsoft, Apple and Facebook have already modified privacy policies as a result of the mandate. To be compliant with EU regulations, U.S. companies that operate in Europe must address what the EU calls the right to be forgotten. It essentially means that the user owns his or her information and that the user has the right to prevent websites and other online services from keeping it and storing it. In short, it means providing a system that allows users to erase data after it has been collected. U.S. companies will also need to gain explicit consent to share data. Currently in the U.S., everything from financial institutions to social networking sites share user data with partners and advertising firms. According to the EU proposal,
2013 4imprint, Inc. All rights reserved

users should decide if and when a company can share his or her data. That means American companies must become more upfront about exactly what data they are sharing and give users the opportunity to opt out of that sharing without being penalized.

Seize the opportunity: How to manage consumer privacy

Believe it or not, companies can turn the debate on privacy and consumer protection into opportunity. According to authors Catherine Tucker and Avi Goldfarb from MIT Sloan Management Review, by managing consumer privacy proactively you can improve your brand.20 As the authors describe in the article, Why Managing Consumer Privacy Can Be an Opportunity: Companies should view the establishment of a framework of consumer privacy controls as a key marketing and strategic variable that conveys considerable benefits.21 According to the authors, there are three things your company can do right now to demonstrate a commitment to consumer privacy and establish a privacy framework. These include: 1. Develop user-centric privacy controls to give customers control. 2. Avoid multiple intrusions. 3. Prevent human intrusion by using automation wherever possible. Why should you develop user-centric privacy controls? Because it allows consumers to set limits on what aspects of their data the company can access. Research shows that if customers feel in control of their data, they become substantially more responsive to targeted advertising. To develop a user-centric privacy approach consider the following:  Be up front about the types of data you are collecting about your consumers and with whom you are sharing it.  Offer consumers a short menu of options when they register with your website or make a purchase.  Replicate this process to drive registrations by specifying that registered users get more choice on how their data is used.

20  Tucker, Catherine, and Avi Goldfarb. Why Managing Consumer Privacy Can Be an Opportunity. MIT Sloan Management Review RSS. N.p., 19 Mar. 2013. Web. 26 Nov. 2013. <http://sloanreview.mit.edu/article/whymanaging-consumer-privacy-can-be-an-opportunity/>. 21 Ibid.
2013 4imprint, Inc. All rights reserved

By giving consumers power to control their data, it can increase their comfort with how companies use their data to improve their product offerings. The key for companies is to employ consumer-centric controls and to view them as an integral part of managing a positive customer relationship. Another best practice is to avoid multiple intrusions. Ultimately, just because you can intrude on a consumer by either using data or pushing content and pop up ads, it does nothing to obtain customer loyalty. In fact, the combination of multiple intrusive tactics usually backfires. Research shows that customers will accept one targeted intrusion (e.g. pop-up ads) but when its combined with another intrusion (e.g. targeted advertising) it harms the customer perceptions of the company. Below is a list of techniques to consider to avoid multiple intrusions:  When using customer data to target messages, make sure that customers do not feel taken advantage of in other ways.  Ads that target Web-browsing behavior are more effective if they do not intrude on the computer screen.  Ads that pop up or take over a computer screen will be more effective if they do not also target prior Web-browsing behavior.  Automated telephone messages feel more intrusive if they start with a robotized voice addressing the consumer by name. Finally, consider using automation to prevent human intrusion. Consumers are more comfortable when a machine processes their personal data than when a person does. Automated systems search habits, buying patterns and trends, and do not pass judgment on consumer behavior. As a result, consumers find its much easier to forgive an automated system for sending dieting tips instead of an actual person. The idea is to ensure consumers that their privacy, particularly consumer privacy, is valued by your organization. A best practice is to reinforce an informal culture in which privacy is respected and privacy violations are punished internally. Overall, companies have an opportunity to demonstrate to consumers that they care about privacy issues. As noted in the MIT article: Companies [need to] shift from thinking about privacy as a compliance burden to thinking of treating data with courtesy as a fundamental part of the relationship with their customers. Privacy policies should be organized around managing customer data courteously, in accordance with consistent principles that customers feel comfortable with.22

22 Ibid.
2013 4imprint, Inc. All rights reserved

Whats next?
The rapid growth of technology, the Internet and electronic commerce have sparked a debate on privacy and security that will continue to evolve. Privacy issues are at the forefront of government agencies, businesses, politicians and the public. No doubt the debate will continue and more changes will be required. Until then, its a good idea to make sure your company is doing all it can to promote transparency, consumer choice and privacy by design. If you havent already, review your privacy policies and make sure they are in sync with the latest legislative requirements. There are a number of organizations that conduct a privacy audit and a basic Internet search will yield several experts in the area. For example, The American Library Association provides a number of free resources that can help you get started. Theres also a Privacy Toolkit that walks companies through the basics of evaluating your privacy strategy. Whatever you do, its a good idea to do it soon. Privacy and security online is a moving target, but one that demands your attention. If anything, the controls will only get stronger as more legislation is introduced. If you reign in privacy controls now, youll be ready for whatever comes next.

4imprint serves more than 100,000 businesses with innovative promotional items throughout the United States, Canada, United Kingdom and Ireland. Its product offerings include giveaways, business gifts, personalized gifts, embroidered apparel, promotional pens, travel mugs, tote bags, water bottles, Post-it Notes, custom calendars, and many other promotional items. For additional information, log on to www.4imprint.com.

2013 4imprint, Inc. All rights reserved