DPI17_Web_300x250-COPY
CS17_Banner_300x250-COPY
S17_Banner_300x250-COPY

By Jedidiah Bracy, CIPP/US, CIPP/E

What do you get when you put chief privacy officers (CPOs) from two of the world’s largest Big Data businesses in the same room with an outside privacy counsel and privacy academic? Based on just one of the many compelling panels at this year’s IAPP Privacy Academy, you get conversation as robust as some of Seattle’s finest blends.

Big Data and Transparency

Just a month after Acxiom unveiled its much-anticipated “About the Data” web portal for consumers, Jennifer Barrett-Glasgow, CIPP/US, the company’s CPO—and one of the first-ever CPOs—discussed how to responsibly implement an outward-facing portal for consumer data access. It was a big move for Acxiom—really the first of its kind in the data broker industry, which remains under the Federal Trade Commission’s (FTC) microscope.

Most of the organization’s collected data derives from third parties, she said, noting, “We don’t have direct contact with individuals, and we need to be careful with data access.”

The challenge for Acxiom, she said, was identity verification; it needs to be relative to the data a consumer is accessing.

“That’s a subjective decision,” Glasgow pointed out. When considering the verification page, “our tech guys wanted the whole Social Security number (SSN)” from a consumer requesting portal access. “Our focus group said, ‘NO!’ So we compromised,” she said. Instead, consumers wanting to access their data use the last four digits of their SSN.

Glasgow noted that the data Acxiom uses for AboutTheData.com is marketing data, but if the nature of the information is more sensitive, such as health or financial information, identity verification would have been much stricter. “We made (this portal) with the consumer in mind to explain how marketing data is used,” she said.

Why offer consumer access in the first place? It’s not because of consumer demand. InfoLawGroup Partner Boris Segalis, CIPP/US, said companies like Acxiom are offering this type of access because they are under pressure from regulators—particularly the FTC. Segalis argued that it’s not necessarily the consumers who will be engaged with the access tool but investigative journalists and privacy advocates instead.

Recent market research by MasterCard sheds light on the consumer engagement issue. The report found that 20 percent of those surveyed are proactive privacy protectors.

“They are the noisy consumers,” MasterCard Worldwide Global Information Governance & Privacy Officer JoAnne Stonier noted, and not all consumers are alike. MasterCard’s research found that traditional market demographics—age, gender, race—are not strong indicators of privacy preferences.

But marketing data—like much of the information within the Big Data universe—resides in a complex landscape. If consumers get too much data, said Glasgow, they will get fatigued and walk away.

“If you want to show transparency, you need to figure out how to give consumers data that is actionable and relevant to what it’s used for,” she said, adding, “That begins the education process … We intend to expand over time as we find that consumers can understand that.”

Consumer education was on the mind of Stonier as well. She agreed with Glasgow, applauded Acxiom’s data portal and added that educating consumers and clients on the collected data is very important. Though MasterCard does not directly work with consumers—MasterCard almost always connects the merchant to the customer’s bank—“We only see your credit card number, so we don’t see your purchase history,” but added, “That being said, we are a Big Data company. We do validate fraud security, and yes, we do anonymize transactions.”

Anonymization and Re-identification Risk Factors

IAPP VP of Research Omer Tene, the session’s moderator, pressed what he called the anonymization issue. He pointed out the potential risk of re-identification: “How do you deal with this risk factor? What do you call de-identification? What’s the acceptable degree of risk, and should we take your word for it?”

Segalis also urged organizations to really think about why they de-identify data. Financial companies have to worry about the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act (FCRA), for instance, but no guidance on de-identification is provided in either statute. “But,” he said, “you should think about what The Wall Street Journal and regulators may think,” noting that EU regulators may believe something is only de-identified if it’s impossible to re-identify the given data set.

And likewise, regulatory mandates—particularly with regard to anonymization standards—vary across the globe. Privacy professionals have to weigh these factors—probability of re-identification, for example—into their decision-making.

“If you hated math,” Stonier warned, “you’re in the wrong career.”

Further, “With Big Data comes Big Security,” Glasgow said. Organizations tend to overlook that as more data is collected. She said companies should always de-identify but also assess how to do so. Glasgow also pointed out the importance of contracts and that companies who share data with third parties should balance technological approaches with binding contracts that are enforceable. Sometimes organizations “focus too much on the technology side of solutions and not on the agreement side of solutions,” Glasgow said.

For those in the trenches, how the data is obtained and protected is paramount. Stonier said pros need to put rules around who accesses certain data and implement a separation of duties. Your IT teams may not like it, but get in there and get your hands dirty. These controls can lead to an environment where the individual record is protected.

And as for de-identification, don’t make it your only defense. Anonymization is but one tool in an arsenal of data protection.

“Regulators had originally heard that de-identification was a magic bullet,” Stonier said. “It’s one thing to have the internal rules for protecting data, but what most Big Data companies are trying to do is look at how populations are trending, economic indicators, security threats, but not the individual person.” And with that, she said, “You can have really good internal controls, but they’re not easy to explain to a customer.”

And those internal controls, Stonier said, are often not understood by regulators.

Glasgow agreed. “I think we do ourselves a disservice when we talk about anonymization as a magic bullet,” she said. Organizations anonymize data internally, get comfortable and implement risk security. Then the business or the data use changes, and organizations don’t go back and reevaluate whether that works for the new use. “Then it becomes a slippery slope,” she said, adding, “There should be a big wall between your internal use, how you share with third parties and how you turn it loose for public access.”

A Section 6 FTC Investigation

Any organization that’s already been subject to a Section 6 investigation by the FTC knows that once the FTC has made contact, there’s not much choice but to comply. Under Section 6, the FTC can investigate entire industries. And as the panelists knew all-too-well, the agency’s most recent investigation involves the data broker industry.

“There’s no limit to what they can request to understand how the industry works,” said Segalis. When an organization receives such a request, it tends to be broad, and it doesn’t necessarily mean the company has done anything wrong. “You can resist it, delay it,” but, Segalis noted, “Anything you say can potentially be used against you.” He also said that many of the questions coming from the FTC to the data broker industry concern whether the industry is violating the FCRA.

Yet, Glasgow also said working with the FTC during a Section 6 investigation can be a chance to educate the agency about your business practices. “The data broker community should not be surprised with this FTC inquiry,” she noted.  

And in light of such an active FTC, both Glasgow and Stonier urged privacy pros to read all of the agency’s consent decrees. “Even if it’s not your industry,” Glasgow said.

“There are examples in those decrees that I encourage you to check out.” Stonier agreed, saying, “Those consent orders are the best case law we have about the government’s thinking.”

Read more by Jedidiah Bracy:
Cato Conference: We Have Problems, Is NSA Biggest One?
Three Steps to Heaven, St. Rita and the Future of the EU Draft Regulation
Data Brokers, Universities Breached; Was Nurse Fired for Privacy Breach or Whistleblowing?
White House Names NSA Review Panel

Comments

If you want to comment on this post, you need to login.

Related

Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

CIPP/E + CIPM = DPO

The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is sold out! But you can still add your name to the wait list, and we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Call for Speakers open! Join the Forum in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

Call for Speakers open! This year, we're bringing P.S.R. to San Diego. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

Call for Speakers open! The Congress is your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Submit a proposal by March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»