TRUE asked Cindy Braddon, the head of McGraw Hill Financial’s government affairs operation in Washington D.C., to consider the subject of how global privacy concerns in an age of big data might ultimately be tackled.
Q: What should people’s expectations be when it comes to online privacy? What is fair to demand?
Cindy Braddon: I believe there is a societal contradiction in terms of expectations. On one hand, individuals want customized content and analytics at the speed of a click. They also want their personal information to be protected and, in some cases, kept off limits entirely.
Individuals may post personal information online for sharing with their friends or even in more public spaces, but might be unpleasantly surprised and concerned if they received marketing promotions based on those postings. That’s the behavioral contradiction: We want the convenience and connectivity of being online, but we want to maintain our privacy. Now, if a site provides notice that publicly shared information could be used for commercial purposes and gives a choice as to whether this was okay or not, then consumers would know what to expect. It’s a matter of transparency, clarity and trust.
That is why knowledge and choice are critical when it comes to online privacy. Companies all need to help in that, particularly by educating customers and employees.
Q: Do you believe regulation is necessary to guard people’s online privacy?
Braddon: As a general matter, I believe that self-regulation, implemented in conjunction with key stakeholders, can be an effective strategy for protecting customer privacy. That, in fact, is already happening. Practically all companies globally now have privacy policies and internal processes to regulate data collection, usage and customer choice. These let consumers know how and what personal data is being collected and used, and allow them to opt out of the marketing process. At McGraw Hill Financial, we back up self-regulatory guidelines and existing legal requirements with employee training, annual compliance reports to executives and customers, and thorough corporate audit procedures. Other companies undertake similar privacy activities.
McGraw Hill, like many companies, also belongs to a number of trade associations, many of which maintain privacy guidelines with which members must comply. It is simply not in any company’s best interest to not regulate itself in privacy matters.
But there is a fundamental basis for why self-regulation can be effective: Most businesses want to do the right thing. They want to protect their customers because if they don’t they risk losing them and threaten their own growth in the marketplace. When we protect privacy, we are protecting our brands and we are protecting the trust our customers have in us. Companies, therefore, have self-interest to do a good job.
There also is a question of practicality. Self-regulation is more flexible than legal regulations, which can be overly restrictive and prescriptive. It ensures privacy protection at the same time as it encourages innovation and future growth.
That said, companies are already living with regulations and laws, and many new ones are under consideration. Although in the U.S. no general, across-the-board federal privacy law exists, there are industry- or practice-specific laws, including Gramm-Leach-Bliley protecting financial information; HIPAA for health information; CAN-SPAM covering commercial e-mail; COPPA for children’s information; and state breach notification regulations, to name just a handful. The Federal Trade Commission (FTC) aggressively takes legal action under Section 5 of the FTC Act if it believes companies are engaging in unfair or deceptive practices, which can involve online privacy. So, the U.S. government already has a “big stick” with which to take action. State law enforcement agencies take actions as well.
Outside of the U.S., the European Union’s Data Protection Framework is currently under review, as well as an already implemented “Cookie Directive” that compels companies to get permission before implementing cookies. There are also pending laws from the Asia-Pacific Economic Cooperation forum (APEC).
Q: Are the EU and U.S. approaching online privacy from the same perspective?
Braddon: I believe that while the U.S. and EU share overall objectives, they are in fact coming at this with different points of view. The main difference between the two approaches regarding online privacy is that in the U.S., we generally allow companies “one bite at the apple” – contacting prospects as long as we honor any opt-out requests. In the EU, many countries do not allow prospects to be contacted without their prior consent.
Additionally, because the EU considers the U.S. to have “inadequate” data protection, any data transfers from EU countries to the U.S. must be covered either by data protection agreements or by participation in the U.S. Safe Harbor Program managed by the Department of Commerce. Now that the EU is reviewing its Data Protection Framework, and in light of the revelations about the NSA surveillance programs, European officials are also revisiting whether the Safe Harbor Program is still “adequate.”
Q: Given the global scale of the Internet, what happens when national regulations and policies diverge as they do with the U.S. and EU?
Braddon: It is very challenging for global businesses to have different rules in various countries. In many EU countries, as noted earlier, a business cannot send commercial e-mail to prospects without their opt-in consent, while other countries allow the business to do so, as long as an “unsubscribe” link is included. Many of the APEC countries are now developing or updating data protection laws, often adopting the EU positions. When policies diverge, the more prudent course is to follow the stricter rule. Ultimately, that may mean that whatever the EU adopts will become practice globally, which would be unfortunate.
There is no doubt that, with so many varying country-specific privacy rules, not to mention different laws among the states in our own country, privacy divergence is one of the biggest challenges companies face.
Q: Are there regulations being contemplated that you feel would inhibit the growth of big data?
Braddon: When we talk about big data, we are essentially talking about anonymized data and data in aggregate form, where individual personal information is not observable and cannot be connected with the person. Some privacy advocates and policymakers are pushing for regulation because of negative uses of such anonymous big data. In many of these cases, pushback makes sense, but regulation can be overzealous by not allowing big data analysis that could assist in a number of areas benefiting society, including education, health or even the various markets we serve. For instance, data analysis enables business leaders to more quickly make well-informed decisions. Resulting management improvements add value and better serve our customers by providing messages that are truly relevant in channels where customers want to receive them. Any analysis of big data regulation would need to be studied from a number of perspectives.
We are concerned about regulatory proposals, such as the current revision being considered to the EU Data Protection Framework, which would inhibit both the growth of big data and business. These revisions include getting explicit opt-in consent for “profiling,” and a “right to be forgotten.” Not allowing analysis of customer data and having to somehow “erase” information would greatly interfere with big data development. There have been over 3,000 amendments to the framework already, so it’s fair to say that the final form of the new rules remains unclear.
Q: Which regulatory approaches to online privacy do you feel would work best?
Braddon: Regulatory proposals that would work best allow for notice to customers about information collection and use, and choice, as is currently the case in the U.S. Naysayers claim the “notice and choice” regime is outdated and regulations should mandate prior consent, but we do not agree with that. It would be harmful in terms of growth, for instance, by significantly limiting pools of data and, at the same time, would not prove any more effective for customers or remove any of the perceived harm. Another troublesome element of both proposals in the U.S. and EU is that very few of them differentiate between “business-to-consumer” and “business-to-business” practices, which are so different and demand separate approaches.