October 30th 2014, eMetrics Summit London. Aurélie Pols @aureliepols. From Über Creepy to Over Compliant: Managing your (Digital) Analytics Assets

eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Jul 14, 2015


Data & Analytics

Aurelie Pols
Transcript
Page 1: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

October 30th 2014, eMetrics Summit London

Aurélie Pols @aureliepols

From Über Creepy to Over Compliant: Managing your (Digital) Analytics Assets

Page 2: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Presented by: Aurélie Pols @AureliePols

Aurélie Pols, Chief Visionary Officer & co-founder, Mind Your Privacy, @aureliepols

• Grew up in the Netherlands, Dutch passport
• French mother tongue
• Most of my friends are bilingual at least
• Have Polish & Russian origins
• Co-founded 1st start-up in Belgium in 2003
• Sold it to Digitas LBi (Publicis) UK in 2008
• Moved to Spain in 2009
• Created 2 other start-ups in Spain in 2012

Mind Your Group, Putting Your Data to Work
Mind Your Privacy, Data Science Protected

Yes, a “law firm” but we prefer to say a bunch of Data Scientists working with a bunch of Lawyers

Page 3: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Call me a bore, I’ve been listening to the helicopters coming, while humming Wagner’s Ride of the Valkyries

Page 4: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

REMEMBER TARGET?
Additional scare tactics

Page 5: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Meet Beth and Greg

December 19 2013: 40 million credit & debit card accounts breached
January 10 2014: personal data of 70 million customers hacked

March 05 2014: Beth Jacobs, Target CIO since 2008, RESIGNS

May 05 2014: Gregg Steinhafel, Target CEO, 35-year company veteran, RESIGNS

Page 6: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Target today

February 2014

May 15 2014

Page 7: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

How many lawsuits is Target facing?

Page 8: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

140
29 from banks & credit unions
Totaling $761 million
And then I stopped counting

Page 9: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Unsinkable?
How many lifeboats will you trade for lives?

Page 10: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

How about creepiness vs. analytics?
Cloud tools fines & warnings

Oi, Brazilian Telco & Phorm

France Telecom & email campaign tool

Page 11: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Presented by: David Hollender @DavidHollender

EVERY TIME YOU USE THE ACRONYM PII

A cat dies

Page 12: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

So what is considered PII?
Personal Information (based on the definition commonly used by most US states)

i. Name, such as full name, maiden name, mother’s maiden name, or alias
ii. Personal identification number, such as social security number (SSN), passport number, driver’s license number, account and credit card number
iii. Address information, such as street address or email address
iv. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)
v. Telephone numbers, including mobile, business, and personal numbers.

Information identifying personally owned property, such as vehicle registration number or title number and related information

Source: information based on current ongoing analysis (partial results)

Page 13: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

If you collect PII… then

US & UK | EU | APEC
Common Law | Continental Law | Continental law influenced
Class actions | Fines (by DPAs: Data Protection Agencies)
Privacy | Personal Data Protection (PDP)
Business focused | Citizen focused
Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations
PII: varies per state | Risk levels: low, medium, high, extremely high

Page 14: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

DATA IS A RISK BECAUSE IT EXISTS
Data has become a valuable asset

Page 15: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Where to start?

Compliance? Privacy? Security?

Moving targets

Page 16: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

The “Magnum” Plan
• Document your data set-up
• Set up a compliance check-list:
  – Applicable legislations to your sector
  – Territorial scope
• Evaluate your risk
• Follow up with information security measures (data protection)
• Adopt global & sustainable Privacy best practices

Page 17: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

5 ONLINE MARKETING RULES TO RESPECT CONSUMER’S PRIVACY

Page 18: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

5 Online Marketing rules to respect consumer's privacy
1. Say what you do and do what you say
2. Harness your data liability
3. Foster data frugality & documentation
   Agile is the ‘mot du jour’
4. Cherish the human aspect of data protection
5. Dialogue and find common ground

Page 19: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

1. Say what you Do & Do what you Say
Privacy policies statements:
• Publicly available documents
• Date stamp: less than 1 year old
• Implies processes:
  – E.g. “we don’t collect data of minors” => COPPA
  – Deletion & anonymization
  – Bankruptcy or M&A data transfers
• Attributes responsibility: [email protected]

Page 20: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Enterprise goal, User goals
Privacy Policy
Requirements
Privacy Mechanisms
Procedures & Processes
Privacy Awareness Training
Quality Assurance
Quality Assurance Feedback

Page 21: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Yelp said that only about 0.02 percent of users who actually completed the registration process during the time period provided an underage birth date, “and we have good reason to believe that many of them were actually adults.” The company had an average of about 138 million unique visitors in Q2 of 2014.

Cost? above 16$/monthly unique …

Source: http://www.pcworld.com/article/2684752/yelp-settles-us-ftc-charges-of-violating-child-privacy.html

Page 22: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

2. Harness data liability

Across data platforms & flows
– Understand Terms & Conditions
– Sovereignties/legal jurisdictions: Safe Harbor and Binding Corporate Rules (BCRs)
– Access!

➢ Tool vetting
➢ Agency vetting

Page 23: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Responsibility of analytics agency?
Information Security & Compliance: Follow the Data
✓ Define the tools
✓ Grant accesses
✓ Data collection & data lifecycle
✓ Data sharing & data flows
➢ Often a weak link

Page 24: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Who has access?

Source: Privacy Green seal, specific audit for analytics tools & data agencies

Page 25: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

3. Foster data frugality & documentation

Old adage: “let’s collect everything, just in case”

New adage: cherry pick the data for which the following must hold true:

1. Without X data attribute, I cannot do Y legitimate task and need no less than X to do Y

2. Additionally collecting data point Z will not jeopardize my initial data collection purpose

Agile is the mot du jour, also for data collection

Page 26: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Agile ways of working with Purpose and Consent
Use meta-data to classify data fields and groups to
– Identify data fields containing PII/personal data, (ad) collection source, use and disclosure/sharing;
– Identify data fields/groups and their storage that need consent;
– Identify data fields that may need correction by individuals;
– Identify data fields that may need de-identification, anonymization or deletion.

Page 27: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

4. Cherish HR in Data Protection

Human error causes most data breaches

Page 28: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Enterprise goal, User goals
Privacy Policy
Requirements
Privacy Mechanisms
Procedures & Processes
Privacy Awareness Training
Quality Assurance

And escalation procedures to attribute responsibility
Should we do this analysis?

Page 29: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Security (technical)
Data Collection
Processes | Resources
security

Page 30: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Purpose, Consent & Data Uses

From: Purpose, Consent, FIPPs; Data for approved use

To: Purpose, Consent, FIPPs; Data analysis or merging; New business opportunity

Page 31: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

5. Dialogue & common ground
Trust and Creepiness: Consent is about a reasonable expectation of the use of data
There’s a fine line between:
– Feeling charmed
– Feeling invaded

Create win-win situations:
– Customers give company information
– Customers get better service/value for money

Page 32: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Creepy?

For some. Risk to the business?

Page 33: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant
Page 34: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

SHOULD YOU MEASURE WHEN LOGGED OUT?

Interactive discussion

Page 35: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

Discussion topics

• The context: which kind of application? sector?
• The actors: end client, analytics agency/ies, tools
• The customer expectation: mainly focusing on why a customer logs out
• The risk and potential liability
• Minimum requirements to lower risk

Page 36: eMetrics Summit Boston 2014 - Big Data Marketing - From Über Creepy to Over Compliant

THANKS
For coming