Post on 12-Apr-2017
Pakhuis de Zwijger, Amsterdam2 december 2010 Pakhuis de Zwijger, Amsterdam2 december 2010
Performance Based Advertising en het Privacy DebatHet einde van performance based advertising zoals we dat nu kennen?
Pakhuis de Zwijger, Amsterdam2 december 2010
“Who” 1.0: Behavioral• Registration• Frequency• Retargeting• Contextual
story• Segmentation• Look-a-likes• Predictive
targeting
Pakhuis de Zwijger, Amsterdam2 december 2010
“Who” 2.0: Intent
• Purchase– Funnel
• Research, comparison, price, location
Pakhuis de Zwijger, Amsterdam2 december 2010
“Who” 3.0: Social• Self-image
– What do I say about myself?
• Social Graph (friends)– Who do I “hang around” with?
– Influencers
• Conversations– What do I say?
– When do I speak? (initiate, listen, participate)
• Congregate– Where do I hang out?
Pakhuis de Zwijger, Amsterdam2 december 2010
…and beyond
• Matching– Online to online– Offline to online
• Real-time exchanges– Ad exchange– Data exchanges
Pakhuis de Zwijger, Amsterdam2 december 2010
Why Internet?
• It’s new !• Easy collection and distribution• Concentration of “power”• What goes on the Web, stays on the Web, and, alas everyone’s on the Web
Pakhuis de Zwijger, Amsterdam2 december 2010
Social Media
0.00000068% of facebook users joined "we are quiting facebook"
Pakhuis de Zwijger, Amsterdam2 december 2010
Niets te verbergen ? Dan heb je een heel saai leven.......
Pakhuis de Zwijger, Amsterdam2 december 2010
Drie Zorgen• Hoe wordt persoonlijke informatie gebruikt ?
• Hoe wordt persoonlijke informatie beschermd ?
• Wie is verantwoordelijk ?
Drie Principes• Leg duidelijk uit waar je de informatie voor gebruikt
• Verzamel alleen die informatie die je nodig hebt en gebruik het alleen waar je het voor nodig hebt
• Beveilig het goed en bewaar het slechts zolang je het nodig hebt
Pakhuis de Zwijger, Amsterdam2 december 2010
•Personally Identifiable Information (PII) is generally defined as any information relating to an identified or identifiable natural person. •Examples include (but are not limited to):
Health Information
• Medical records• Health plan beneficiary information• Physical or mental health information• Provided health services or any information collected during the health service
Financial Information / Special Handling PII
• Government identifiers (Social Security Numbers)• Account numbers (bank accounts, credit cards, etc.)• Personal Identification Numbers (PINs) and passwords to financial accounts
Sensitive Information
• Racial or ethnic origin• Religious or philosophical beliefs• Trade-union membership• Health or sexual orientation• Offenses, criminal convictions or security measures• Combinations of certain information (e.g., name and ssn)
Personal Information
• Name• Gender• Date of birth• Home address• Personal telephone number• Personal email address• Biometric identifier• Photograph or video identifiable to an individual• Behavioral information (e.g., in a CRM system)
Pakhuis de Zwijger, Amsterdam2 december 2010
•Personally Embarrassing Information (PEI) is generally defined as any embarrassing information relating to an identified or identifiable natural person. •Examples include (but are not limited to):
Pakhuis de Zwijger, Amsterdam2 december 2010
Personally Identifiable Information?
Pakhuis de Zwijger, Amsterdam2 december 2010
Doubleclick Inc. Privacy Litigation, March 28, 2001
• “ …..Doubleclick's purpose has plainly not been to perpetrate torts on millions of Internet users, but to make
money……”
Pakhuis de Zwijger, Amsterdam2 december 2010
Plaatselijke verschillen
* U.S. *The prevailing concept is that once an
individual provides PII to an organization, the organization becomes the data
owner.Baring any sector-specific privacy
legislation, the organization can determine the use of that information.
* EU*The prevailing concept is that the
individual data subject retains rights in his/her PII.
The organization has the responsibilities of a custodian for protecting that PII and using it only in
accordance with the rights conveyed by the individual.
* APEC *The prevailing concept is accountability.
Organizations must design privacy protections to prevent harm to individuals
from wrongful collection or misuse.The organization is accountable and obligated to exercise due diligence.
Pakhuis de Zwijger, Amsterdam2 december 2010
The prevailing concepts have led to many different laws throughout the world
AustraliaFederal Privacy Amendment BillState Privacy Bills in Victoria, New South Wales and Queensland, new email spam and privacy regulations
European UnionEU Data Protection Directive and Member States Data Protection Laws
South AfricaElectronic Communications and Transactions Act
US FederalGLBA, HIPAA, COPPA, Do Not Call, Safe Harbor
Hong KongPersonal Data Privacy Ordinance
Canada Federal/ProvincialPIPEDA, FOIPPA, PIPA
JapanPersonal Information Protection Act
ChileLaw for the Protection of Private Life
South KoreaAct on Promotion of Information and Communications Network Utilization and Data Protection
IndiaLaw pending currently under discussion
New ZealandPrivacy Act
ArgentinaPersonal Data Protection Law, Confidentiality of Information Law
PhilippinesData Privacy Law proposed by ITECC
TaiwanComputer-Processed Personal Data Protection Law
Numerous State LawsBreach NotificationStates from CA to NY
Pakhuis de Zwijger, Amsterdam2 december 2010
“Trying to control information in the network age…
…is about as successful as pissing into the
wind”
(Keith Henson)
Pakhuis de Zwijger, Amsterdam2 december 201017
Borderless Internet??
Pakhuis de Zwijger, Amsterdam2 december 2010
EU: Wijziging van de Telecommunicatiewet
Meldplicht voor inbreuken in verband met persoonsgegevens en meldplicht voor veiligheidsinbreuken en het verlies van integriteit
Voor het plaatsen van een cookie moet vooraf toestemming aan de eindgebruiker worden gevraagd (opt in).
Pakhuis de Zwijger, Amsterdam2 december 2010
Draft privacy wetgeving door Rep. Rick Boucher
Covered information includes any unique persistent identifier:
• Internet Protocol address• Other unique identifier used to
collect, store, or identify information about a specific individual or a computer
Pakhuis de Zwijger, Amsterdam2 december 2010
Enkele ‘hoogtepunten’• Consent requirements on the collection of data• Delivering privacy notices before the commencement of information collection• Express affirmative opt-in for the transfer of data to Third Parties• Requiring consent when changes are made to policies governing the
prospective collection of information
Pakhuis de Zwijger, Amsterdam2 december 2010
Kalf is nog niet verdronken......
Pakhuis de Zwijger, Amsterdam2 december 2010
......maar afwachten dan?
Pakhuis de Zwijger, Amsterdam2 december 2010
How Companies Have Gotten Into Trouble
• Misrepresenting the purpose for collecting PII• Failure to adequately train personnel on privacy • Disclosing, sharing, or selling PII to third parties contrary to
the organisation’s privacy policy• Exporting PII contrary to the privacy laws of the originating
country• Misrepresenting the security protection of PII
Pakhuis de Zwijger, Amsterdam2 december 2010
Less Aggressive
Aggressive Privacy Initiative
RegulatoryRequirements
BrandImage
Time
Value
Regulations
CompetitiveAdvantage vs. Increased Risk
Privacy as a Strategic Decision
Pakhuis de Zwijger, Amsterdam2 december 2010
MeetLegal
RequirementsLetter of the Law
Spirit of the Law
Digital Dilemmas
Accessibility
Trust in a Digital World
Accuracy Property
Privacy
Pakhuis de Zwijger, Amsterdam2 december 2010
Enhancing trust, as a measure of how much consumers, advertisers and suppliers trust in digital and online services, is becoming a key growth enabler—or inhibitor—for the digital economy• .
Market for Trust in a Digital World2009 Booz Hamilton report ‘Digital Confidence’
Pakhuis de Zwijger, Amsterdam2 december 2010
US Self Regulatory Industry Initiatives
NAI Opt Out Tool
Pakhuis de Zwijger, Amsterdam2 december 2010
An investor’s perspective on targeted advertising
• Does it work?• Who owns the data?• Who can share/trade/match this data?• When does it become personal?• When does it become weird?• How many non-PII data points = PII?• Art vs. Science of targeting• Regulation: Self vs. State
Pakhuis de Zwijger, Amsterdam2 december 2010
Key Take Aways
• Huidige voorstellen voor regelgeving hebben waarschijnlijk geen enorme impact
• Totdat het een keer verschrikkelijk misgaat (een grote misser, of enorm veel kleine)
• Dus, regulate yourselves, before you get regulated !