Is More Data Always Better? The Legal Risks

of Data Collection, Storage and Use in

Marketing

Jordan AbbottAcxiom Compliance Counsel

WHO, WHAT, WHY, and HOW?

• Who is collecting the data?• What are they collecting?• Why are they collecting it?• What principles (if any), govern

the collection of data?• Advocates’ attitudes• Court cases• What to do to minimize your risk.

“Over-Collection” of Data

- The Good- The Bad- The Ugly

DATA IS GOLD

Who Collects and uses data for “marketing”?

Start Ups SOHOFortune

500Mid TierSmall Tier

Everybody…

Politicians

EntertainmentGamingFinancial

SvcRetail

TechnologyInsurance

Travel

UniversitiesTelco ManufacturingAutomotiveConsumer

Goods

TelevisionHealth CareLaw Firms

Security Collections Government MORE!

On and Offline

– Name – Name variations– Addresses– Address Histories – Associates– Public Records

• DMV• Criminal & RSO• Voter• Real Property• Licenses• Bankruptcy, Tax Lien, Judgment• Deceased

MORE

– Marketing data?

– Purchase data?

– IP Addresses?

– Peer to Peer Transfers?

– Social Network?

– Geo-Location?

– Click Stream?

– Browsing Behavior?

– MORE ?????

Data Elements “in Play”

Data Elements “in Play”

On and Offline – Anonymous and PII• Contact Data

– Name– Address– Email address– Phone– Cell phone

• Shopping behavior• Viewing Behavior (Digital TV) • Geo-Location (Mobile Device) • Place and Time • Browsing behavior• Click stream• Purchase behavior• Demographics• Sociographics• Life Stage

• Analytics and Segmentation• Spotlights• Footlights• Cookies• Email behavior – click &

open • Social Network Data • # of Networks• # of Friends • Fan Pages• Blog Data• Preference data • Response data

• MORE

WHY….?

….because businesses want to know their customer

and customers want to be delighted, amused and protected

Marketing

Acquisition

Up-sell /Cross-sell

Retention

Marketing

Acquisition

Up-sell /Cross-sell

Retention

Risk

Fraud

Authentication

Verification

Risk

Fraud

Authentication

Verification

IdentityIdentity

SOLVING BUSINESS ISSUES – CREATING CONSUMER VALUE

CUSTOMERS’ LIVES ARE CONSTANTLY CHANGING

Every hour of every day

5,769 people changed jobs

2,748 people moved

509 people were married

244 people got divorced

186 people declared bankruptcy

These people are your customers

Channels Are Multiplying Rapidly

New Types of Data Exploding VolumeEscalating Velocity

OVER-ARCHING CONCERN… CONSUMER ATTITUDES

• Privacy is an emotionally charged issue – Being watched, monitored, taken advantage of

• Consumers feel like they are losing “control”

• Consumers don’t understand our information based economy– Information technology is part of our economic

infrastructure– Benefits are not fully understood by consumers or law

makers– Technology used often confuses consumer

POLICYMAKERS’ ATTITUDES

• “When personal data collected by one organization for a stated purpose is used and traded by another organization for a completely unrelated purpose, individual rights could be seriously threatened.”

•102 Cong.Rec. 36893-4 (1974), quoted in Ash v. United States, 608 F.2d 178, 180 (5th Cir. 1980).

THE NEWS!

“…growing concern on Capitol Hill about the expanding business of tracking consumer behavior online.”

“…the analytical skill of data handlers…is transforming the Internet into a place where people are becoming anonymous in name only.”

“’the wall has been breached’ between what users share under their real identity online and what information they provide under the cover of anonymity.”

“Mr. Markey said he wasn't satisfied that "consumers are able to effectively shield their personal Internet habits and private information from the prying eyes of online data gatherers.”

“Eleven of the nation's largest website operators defended their privacy practices to lawmakers, saying it is impossible for them to monitor all the tracking technologies their sites install on visitors' computers.”

“…vast data gathering…used to discriminate in the services that companies offer customers or government agencies offer citizens.”

“…consumers who surf the Internet unintentionally surrender all kinds of personal information to marketing firms that use invisible tracking technology to monitor online activity”

MORE NEWS!

"Consumers still get the short end of the stick when industry shows that it is incapable, or unwilling, to better articulate what information they are collecting from consumers and why we should trust industry to protect consumers' personal information.”

"It is technically impossible for Yahoo! to be aware of all software or files that may be installed on a user's computer when they visit our site," Anne Toth, Yahoo's vice president of global policy and head of privacy, wrote to U.S. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas).”

“…Stalkers Exploit Cell phone GPS “

“As WiFi Data Collection Revealed, New Investigation Begins”

Surveillance Society...

Collecting even “private” data, little governance, little enforcement…lots of secondary commercialization

Apps

Captures device data points, formulates “fingerprint,” spoofable, not “categorized” as pii…yet used that way

Device Fingerprint

Sits on networks, watches traffic, sniffs out brand and…”listens”

Sniffers and Listeners

Offers even more tracking & collection, utilizes the Cloud

HTML5

Multiplied by time; checking in

Precise GeoLocation

Rides the pipes, capturing and closing the loop on every data point including digital dust and digital exhaust of digital device

Meters

Relies on the Cloud, devices monitor, report back

eHealth & HITECH

Multiply in order of magnitude

The Internet of Things…

You are known and treated in place and time via the cloud

Placefulness

GOOGLE STREET VIEW

- Premise is awesome and beneficial

- Collected personal information from unsecure WiFi networks

- “Probably the single greatest breach in the history of privacy”

- Numerous court cases and enforcement actions around the world

iPHONE LOCATION TRACKING

- Hidden file that stores latitude, longitude, and timestamps

- Post-hoc explanation did not do much to quell controversy

- Lawsuits, Congressional inquiries

COMSCORE ALLEGATIONS

-August 2011-Online tracking-Class action lawsuit-Alleged to have secretly collected SSNs, credit card #s, and passwords

DMA’S GUIDELINES FOR ETHICAL BUSINESS PRACTICES

Article #32 – Personal Data“Marketers should be sensitive to the

issue of consumer privacy and should only collect, combine, rent, sell, exchange, or use marketing data. Marketing data should only be used for marketing purposes.”

COLLECTION LIMITATION PRINCIPLE

“There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject”

IDENTIFYING PURPOSES

• Identify the purpose for which the personal information is collected at, or before, the time of collection• Allows the organization to determine the

information it needs to collect to fulfill those purposes

• When collecting information, there is a tendency to collect more than what is needed “just in case” you need it at a later date

• Unless you have clearly indicated how that information will be used, you should not collect it

• Scrutinize the need for each piece of information you collect.

• If you don’t need it, don’t collect it.

TO DO’S- Have an effective Data Governance Plan

- Assess needs and purposes

- The more you collect, the greater your fiduciary duty

- Don’t keep what you don’t need

-Regularly monitor compliance

-Have an effective Security Incident Response Plan

-Question of “when,” not “if”

- Assess your technical, physical and administrative vulnerabilities

- Address them

-Understand what your obligations are in the event of a breach

- Have it in writing and keep it up to date

Pending Legislation

• HR 611 §303• S. 799 §301

Jordan Abbott

(501) 342-0356

jordan.abbott@acxiom.com

CONTACT INFO