Progressive Privacy Policies (the “P” in RSVP)

Acxiom, February 27, 2014

In today’s blog, I would like to comment on the final principle in RSVP, the Progressive Policies principle. This particular principle has become more and more important as the gap widens between what are recognized as acceptable information collection and use practices and what is required by law. U.S. laws are falling further and further behind the capabilities that new technologies offer. This puts much greater pressure on industry to self-regulate and develop codes of conduct that take into account the risks that these new innovations create for individuals.

We have seen a number of recent legislative initiatives to try to close a few of these gaps. In the wake of recent security breaches at prominent retailers, several data breach notification bills have been introduced in Congress by Senators Leahy, Rockefeller and Carper, and we expect one from Congressman Lee Terry to be introduced soon. There seems to be growing agreement that now is the time for a federal breach notification law. The states are even starting to endorse a federal solution, which is progress over a preference for the plethora of state breach notification laws. US Attorney General Eric Holder recently called on Congress to require stronger rules around transparency of data breaches both with law enforcement and with consumers.

President Obama’s new big data Council of Advisors on Science and Technology [PCAST], led by counselor John Podesta, has launched a comprehensive review of the growing use of big data analytics and the impact on privacy.  According to a January 23 post on the White House blog by Podesta, they are on a fast track to reach out to privacy experts, technologists and business in the next 90 days to examine “how challenges inherent in big data are being confronted by both the public and private sectors, whether we can forge international norms on how to manage this data, and how we can continue to promote the free flow of information in ways that are consistent with both privacy and security.”

“[The report will] identify technological changes to watch, determine whether those technological changes are addressed by the US’s current policy framework, and highlight where further government action, funding, research, and consideration may be required,” Podesta said. “We expect this work to serve as the foundation for a robust and forward-looking plan of action.”

While the primary focus of these activities will be on intelligence practices, we can expect there to be outcomes that affect the private sector.  We will keep you posted on developments as they occur.

While all this analysis is going on in government, the private sector would be remiss if it did not take this opportunity to do its own soul-searching about what it can do to help close the gap. For marketers, we can look to our trade associations that already offer guidance to understand what is already expected of a marketer or an advertiser, and we should urge these groups to provide even more guidance.

The Direct Marketing Association has had a robust set of ethical marketing practices for many years and aggressively enforces them, working with the FTC in instances where companies won’t voluntarily comply. The Digital Advertising Alliance, whose members include the DMA and other prominent marketing trade associations [4As, AAF, ANA, BBB, IAB and NAI], has also published a series of online and mobile guidelines that can be found at http://www.aboutads.info/. These include:

  • Self-Regulatory Principles for Online Behavioral Advertising (OBA) which provide consumer-friendly standards for OBA across the Internet.
  • Self-Regulatory Principles for Multi-Site Data (MSD) which augment the Self-Regulatory Principles for OBA by covering the prospective collection of Web site data beyond that collected for OBA purposes.
  • Application of Self-Regulatory Principles to the Mobile Environment which explains how the existing Self-Regulatory Principles for OBA and MSD (collectively, the “Self-Regulatory Principles”) apply to certain types of data in the mobile Web site and App environment. This guidance responds to the fact that both first parties and third parties operate across a variety of channels, including mobile, although current implementation may vary based on the technological demands of different channels.

Companies using multi-channel marketing are advised to familiarize themselves with the self-regulatory guidelines.  While voluntary at this time, these guidelines will likely be the basis for any future legislative action.  Compliance provides the greatest opportunity to not have to change your business practices when laws are eventually passed.

One final comment based on a recent trip to Asia: a number of countries in Asia are closely watching the US for guidance in the digital space. They are following the guidance the FTC publishes in its white papers as well as self-regulation.

We will comment on international privacy issues in future blogs.

Other key issues to watch include:

  • The FTC report on its investigation into data brokers is still expected soon.
  • Stay tuned for updates on PCAST.