Ten Emerging Privacy Challenges for Marketing Research & How to Navigate Them by Howard Fienberg and Stuart Pardau #ISC2015 #MRX

MRALive blogged from the 2015 MRA Insights & Strategies Conference, June 3-5, 2015 in San Diego. Any errors or bad jokes are my own.

  • This is not legal advice 🙂  [and along those lines, please assume my notes are completely wrong. do the research properly and that doesn’t mean perusing this blog post.]
  • There are federal and state laws, then more laws segmented by the vertical, and by modality of how you collect information
  • a data breach can cost millions, if one data breach is $200, then thousands or millions of breaches is huge money
  • be transparent about what you do and don’t do, accurately describe what you do
  • data security breaches
  • playstation, sony cyber attack, target, home depot, anthem all lost millions of records; most states have data breach notification laws, when a breach occurs, you must report it
  • states have different definitions of PII, different time frames, safe harbour for encryption so advisable to encrypt, build your policy for the most restrictive policy
  • must have a conspicuous descriptive privacy policy
  • Do Not Track requests – you need to specify whether you honour these request though you aren’t required to honour them [wow, did not know that]
  • Eraser Law – minors have a right to be forgotten, if you know they are minors or your site appeals to minors it applies to you
  • 2 beacons and mobile tracking
  • tracking in around between brick and mortor without cash register receipts
  • where is data going and where is it being shared, can you opt out, how identifiable is the data
  • are consumers notified when they’re being tracked, if you don’t like it you can turn off your device [that makes me uncomfortable – IIII have to change my device as opposed to you buggering off?]
  • Nomi tracking – say what you do and do what you say, they didn’t let people opt out because people didn’t know they were being tracked
  • emerging area with great potential but must be very careful
  • Spokeo case – firm does deep web crawls and aggregates it into reports, you can look up yourself or your friends
  • must it be concrete harm to bring forward a case? if information is wrong and you can’t prove it, do you have a case; this case could open floodgates. in this case, the information seemed to be better than reality. [better is in the eye of the beholder]
  • international data transfer – if you focus on US domestic you’re generally ok, but if one project is outside, then it matters
  • if you work with EU, make sure you know the data principles; you can self-certify but then you must adhere to those principles, must renew it every year; requirements for regular privacy assessments; need a privacy officer if you have 250 or more employees
  • MR is a data broker, FTC won’t rule our MR
  • policy makers are concerned with brokering data for marketing purposes, and verification of respondents
  • need option to be able to delete all the information they have about you, this is because we are sometimes lumped in with creepy businesses
  • Internet of things – hypothetical security risks right now, unauthorized use of PII, attacks on systems, personal safety
  • focus on privacy by design, select providers carefully, control access and monitor constantly
  • how do you deliver notifications on a device with no readout
  • American community survey – gets response rates around 95%, because government survey and because its mandatory, but mandatory upsets people, voluntary would cut repsonse rates to 50% and we wouldn’t get data from about 40% of the country
  • BYOD – bring your own device
  • employees can access sensitive company data on their own device – HR, health, financial, trade secrets, client lists, confidential information, or, employees use company devices at home
  • if its your own device, you can control it or lock it, otherwise you have no control
  • still must notify if data is breached even though its not your device
  • Employers could say you’re not allowed to use your own device but this is not realistic, its better to have a policy
  • Policy – onboarding documentation, agreements to keep data secure, remote data deletion and limits on apps, data retention, termination process, be clear on who pays for what
  • Federal Trade Commission – deceptive and unfair trade practices, polices data privacy and data security
  • LabMD/Wyndham hotels cases – failed to institute reasonable and appropriate security measures, case is under appeal and suspect FTC will be allowed to police data privacy
%d bloggers like this: