Big Data and Privacy: The Legal Landscape Affecting Corporate Research by Shannon Harmon, JHC #CRC2014 #MRX
- our lives are a series of data points
- more opportunity vulnerability and the potential for greater abuse
- smaller entity might purchase data from 3rd party
- who owns the data, who has the right to access the data, what steps are taken to keep it secure
- goal of any regulation is to protect personally identifiable information form breach and misuse
- you can identify people with very little information so keep in mind a lot of information is PII
- Notice and consent: need to provide notice of how the data will be used, and then obtain consent – this is the core of the law related to privacy, you need to make sure the right practices were followed to do this
- Where do we look for oversight? Right now, state attorney general, FTC, FCC, FDA
- Fair information practice principle – only collect what you need to collect and only retain it for as long as is necessary to fulfill the specified purpose
- FIPP – data quality and integrity – organizations should ensure that the PII is accurate, relevant, timely and complete and this is difficult if you’ve purchased the data, supplier should have a structure in place to ensure this
- Consumer privacy protection bill of rights – google search this – things corporations should do to protect privacy, this area will become increasingly more regulated so think ahead
- Fair Credit Reporting Act – example of what big data protection framework should look like, right to review your credit report and make sure it’s accurate and get it fixed if it’s not correct, this is where we’re headed, your digital dossier is being collected and you don’t know how decisions about you are being made, you can’t contest your big data points… right now
- special considerations for health data – apple has stated that any app developers cannot use any of the health data for advertising, or data-mining except to help an individual manage their health or for medical research. but is apple responsible for developer compliance? what if a data broker got the data from someone who wasn’t supposed to have it in the first place?
- considerations for researchers
- where is the data being obtained, what are the sources
- what practices are being used to obtain it and what is your confidence in your aggregator
- how is the data being trained to arrive at conclusions? what algorithms? what human manipulation?
- think about the vendor/subcontractor relationship, is the contractor independent? a substandard contractor impacts you
- we need
- use restrictions – can’t use big data to discriminate on age, race, etc
- oversight – protect against unregulated digital dossiers
- KNOW YOUR INFORMATION SOURCE
- be intimately knowledgeable about your company’s data gathering practices – informed consent, opt-out, internal user access controls
- be ready to evolve as the law is only beginning to be developed in this area
- The Oscars of Marketing Research: Peanut Labs’ Chief Research Officer wins ESOMAR’s Excellence Award for the Best Paper
- Why do people like marketing research surveys?
- In which I rant about showing data in presentations #MRX #CRC2014
- How marketing researchers can start being more ethical right now #MRX
- Discover the Science of Fascination by Sally Hogshead, Fascinate, Inc. #CRC2014 #MRX
Today, I was pleased and, more correctly, honoured to appear before a Senate Committee to speak with Kara Mitchelmore, the CEO of the MRIA, regarding Senate Bill S-4, the Digital Privacy Act. The official opinion will shortly be available but for those of you who can’t wait, here is the basic gist of it. Any inaccuracies here are my own. 1) Breach notifications should be mandatory, and the Privacy Commissioner should be the unbiased third party that determines what is a real risk of significant harm to an individual. 2) The MRIA supports the provisions in the bill which add clarity to what is valid consent. The committee may be interested in our code of conduct which contains a section on the ethical issues in dealing with children and young people. 3) The MRIA is pleased that PIPEDA will be amended to allow the transfer of personal information from an organization to a prospective purchaser or business partner (think mergers and acquisitions). 4) The MRIA does not support allowing organizations to share personal information of individuals to other organizations without consent. It should follow due process such as through a court order.
5) The MRIA would like to close a loophole which allowed organizations to share personal information without consent to an investigative body or government institution. It should follow due process such as through a court order. After we spoke, Michael Geist, a law professor at the University of Ottawa, made numerous excellent points (Michael’s website). Some of his comments are included here (any errors or misrepresentations are my own).
- desire for a lower standard of what constitutes a breach (i.e., it doesn’t need to be a real risk of significant harm, it can be less than that)
- increased reporting of breaches both major and minor, as well as breaches to unauthorized persons that may not have caused ‘harm’
- the expansion of warrantless disclosure must be removed
- order making powers are necessary
- public reporting of the number of disclosures without a warrant should be made on a quarterly basis and individuals should be notified within a certain period
- What is Vue magazine? #MRX (lovestats.wordpress.com)
- Canada’s Digital Privacy Act lets companies share customers’ personal info, privacy critics warn (blogs.vancouversun.com)
- Can Canada’s Likely New Privacy Commissioner Be Trusted to Watch the Watchers? (motherboard.vice.com)
- Why has the Canadian government given up on protecting our privacy? (thestar.com)
- Peanut Labs Ask-Me-Anything with special guest Jim Bryson (web.peanutlabs.com)
- Peanut Labs Ask-Me-Anything with special guest Tamara Barber (web.peanutlabs.com)
Don’t get me wrong. I know why they do it. Company’s want to make sure that when someone visits their website, the site is as relevant as possible. They want to ensure that what you see on their website is what you’ll see in the store. But, things have gone just a bit too far for me. For instance, Home Depot won’t even let me look at their website unless I tell them my zip code. Are they not aware that zip codes are PII (personally identifiable information)? They don’t even give you an option to see a generic site. Your only option is to lie, something I’m completely against given I am an expert in survey data quality. So basically, when I shop around, I don’t end up buying at Home Depot.
Here’s another example. Cheerios won’t let me look at their site unless I tell them my age and how old my children are. Sure, I could just choose one of the four sites that I think would be most interesting, but dang it, I just want to see their website. Where’s the generic site for people who want to maintain some sense of privacy, the site where people know their demos aren’t being tracked? Nowhere that I see.
Segmentation is a great tool. It lets you understand people better and provide better services. But please, don’t segment me out of your store. Unless you don’t want my money.