-
Your data, your rights: Safeguarding your privacy in a connected world
Posted on March 16th, 2011
In a most timely release, Viviane Reding, Vice-President of the European Commission & EU Justice Commissioner, has posted her speech from today’s “The Review of the EU Data Protection Framework.” In it, Reding sets out the EU Charter of Fundamental Rights and how this pertains to personal data, being built upon four pillars:
- The right to be forgotten,
- Transparency,
- Privacy by default,
- Protection regardless of data location.
I won’t go over each; aside from being fairly self-explanatory, the full text can be viewed here.
Given my last post on the whole cookies issue it is the fourth tenet I will quote:
It means that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed. They should apply whatever the geographical location of the service provider and whatever technical means used to provide the service. There should be no exceptions for third countries’ service providers controlling our citizens’ data. Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.
For example, a US-based social network company that has millions of active users in Europe needs to comply with EU rules. To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers.
Other than some local concern over the ICO’s willingness to pursue US-based organisations, enough said methinks.
Afterthought: Of course there are full on discussions in the US today over the “do not track” issue which is very very closely aligned. Surely a transatlantic push back on abuse of privacy must get the message across.
-
Jumping the EU Ship for Cookies, Really?
Posted on March 16th, 2011
I consciously decided to not post on last week’s “surprise news” that after several years of consultation the EU has gone ahead and published its directive on browser cookies.
Firstly there are plenty of great bits of analysis written by those far more eloquent than me. Secondly I really don’t care that much about the guts of the directive, that’s not to say I am not for what it is trying to achieve – consumer protection is a good thing, rather that I have long voiced concerns over the approach and think there are better approaches available. Thirdly as I firmly believe ALL businesses operating in or with the EEA and using/sourcing personal data online should have long been aware of the likely impact.
But apparently companies weren’t aware and the online bitching and scaremongering raged for a good day or two until the usual ADHD crowd had their attention grabbed either by SXSW or the far more important happenings in Japan.
What did surprise me, but probably shouldn’t have, was the number of high profile tech journalists and data centric online businesses that chose to use their platforms to complain long after the stable doors had been bolted.
Thinking of Jumping Ship?
Of all those comments one of the most poignant for me came from an old school pal Nick Halstead over at Tweetmeme / Datasift; companies which are both built and are reliant upon personal data. In a widely picked up Tweet Nick said,
“This is the sort of crap that makes me want to move business to the US.”
It was a genuine reaction to a perceived threat to his business albeit, I suspect, one based more on emotion than rational dissection of the facts. And why not? After all from an uninformed standpoint the directive summaries certainly do seem to be potentially unworkable (more from a Usability Experience perspective than a technical one) and seemingly restrictive of current business practices.
The thing is the reaction of moving to the US really isn’t going to help anything. Back in July 1999 the Belgian courts set precedent in a ruling against Yahoo! for refusing to hand over user data to Belgian law enforcement authorities under Belgian law. The court found that making its services available to Belgian residents (combined with what it believed to be the use of Mail in connection with criminal purposes within Belgium) was sufficient to find that Yahoo! Inc. has a commercial presence in Belgium. Therefore, Yahoo! was subject to Belgian laws.
The obvious outcome being that no matter where you base your business, no matter where you claim to have jurisdiction based in your Terms & Conditions, the Belgian authorities have a higher level of claim.
Today in the European Parliament during the review of the EU Data Protection Framework, Commissioner Reding took things a step further in stating that EU DP rules shall apply
“whatever the jurisdiction of the service provider”
and that,
“US based social network service companies need to comply with EU DP rules.”
So to Nick’s subsequent Tweet
“you think the EU will try and make it apply globally? not a chance”
the response was and still is, the EU don’t need to apply it globally but if you want to trade in/with the EU hell yes. Basically the Belgian ruling has been given legs and in essence if you make your services available to EU residents you need to comply. Moving a company to the US makes not a jot of difference, the EU will ~~prosecute~~ empower member states to prosecute for breach.
The only escape will be to give up on EU business, and let’s be honest no one is going to do that now are they?
-
“Putting a Price on Data” or “Do Marketing People Get It?”
Posted on July 15th, 2010
Here is my rapidly put together (and therefore apologies for it not necessarily being totally thought through) response to Ian Hitt’s post over on Reputation Online about “Putting a Price on Data.”
Many marketing professionals think that client data is something they own, have a right to or an ability to sell. Most data professionals will know they’re wrong. Good data is indeed a corporate “asset” and if utilised appropriately has a high monetary value but…
The thing about client data is that most people in the marketing profession just don’t really understand “data” – sure they can get all righteous about lifeblood, insight and segmentation but actually data itself is not that simple; data is not a database.
Let’s break “client data” down and see if we can’t get some clarity.
“Client”: whose client?
cli·ent n.
1. The party for which professional services are rendered, as by an attorney.
2. A customer or patron: clients of the hotel.
3. A person using the services of a social services agency.
4. One that depends on the protection of another.
So from a marketing database perspective there are two clients; the first being the paying customer of the agency (à la point 1) and arguably the data subject, the end user about which data is collected (à la point 4).
It doesn’t take a rocket scientist (or a data professional) to work out that actually when marketing companies talk about a “client database” what they are actually referring to is the latter; a database of stuff about any number of individual people, often collected over time under various pretences and situations.
In this context the client (albeit often unwittingly) is an individual who relies upon the protection of data about them by the database “owner” – or data controller.
“Data”: whose data?
da·ta pl.n. (used with a sing. or pl. verb)
1. Factual information, especially information organised for analysis or used to reason or make decisions.
2. Computer Science Numerical or other information represented in a form suitable for processing by computer.
3. Values derived from scientific experiments.
4. Plural of datum.
The key part here is point 1; data is factual information organised for analysis or decision making and is surely the cornerstone of marketing?
And so to my thoughts on Ian’s post.
A business does not “optimise the value of its database”; it seeks to gain value from the quality of the analysis of the data held within that database.
Looking at a couple of Ian’s individual points;
“Volume is important but data quality is paramount. Every record has a value and the whole list needs to be viewed as part of the corporate asset.”
Quality of data is indeed paramount but the very traditional process of acquiring, storing and analysing personal data undertaken by the marketing industry is counter-productive to achieving high levels of data quality. Why? As an example think of some of the simplest personal data held by marketing databases; contact information. My email address, telephone number, even my physical address are not concrete – they change in time. It doesn’t matter how rigid one’s checking for a valid postcode or email address may be when gathering personal data; if the data you are gathering naturally decays then you’ve failed.
Several marketing insight groups are starting to see the light here. Why pay to acquire and store stuff that is by its very nature junk? Far better to ask for the information as and when needed, never to store it (for anything more than easing end-user experience) and to just accept that 100% cleansed data is a myth – it can’t be done.
As for being a “corporate asset” well not really. Firstly as with the example above, it is patently a liability to pay cold hard cash to gather, store, analyse upon and market to data that is incorrect. Secondly a corporate doesn’t “own” the data per se. I won’t get into the philosophical arguments over whether data is in fact even “ownable” here but the asset lies not in the data but rather the relationship with the data subject and their willingness to maintain that relationship.
“Customer relevance is key, and marketers need to understand consumers in order to appropriately segment them and track their behaviour over time, so that they receive market information which is relevant to them.”
There is, in my opinion, value in trying to understand consumers over time – especially where the level of financial risk (normally through long product lead-times) is high. However this is becoming harder and harder to do. Aside from regulatory restriction the simple fact is that consumers are spreading their attention more thinly across an ever increasing number of online and offline properties. To capture a picture of that consumer through any single database is likely to become less and less accurate.
Loyalty schemes are a good example of this failing. Not your local coffee shop and their paper based card but the big ones, the Nectar cards of the industry. To the consumer they offer a perception of value exchange based on their loyalty to certain brands, in reality they are price discriminators trying to force consumer choice into any single outlet within a vertical market – that’s why you only ever get a single supermarket, garage chain or clothing outlet per scheme.
But the reality of life is that average consumers don’t just use a single supermarket. Take me for example. I use our local Co-Op on a day to day basis, but they don’t sell a particular brand of cereal that #1 son likes, so we do a weekly shop in Waitrose or Sainsbury. Of course if we are over the river in Thurrock we might pop in to the Tesco superstore or if at Bluewater we might hit up the local ASDA. We are kind of loyal to Co-Op but situation matters.
So our share-of-wallet spending in Sainsbury (on the Nectar scheme) is not actually representative of our food spend.
And the same goes for any insight gathering activity.
The “simple” answer actually lies in flipping the model to where the consumer requests stuff from the marketing agency. It’s a wonderful utopian idea, but one which I’m sufficiently pragmatic to accept is unlikely – at least anytime soon.
For me the mid-term solution lies in a third party providing aggregation for consumer behaviour at the behest and under the control of the data subject, the consumer themselves.
This intermediary, a broker, would offer a service where the consumer can easily record, augment and share their data with businesses they want to.
This doesn’t mean the end of marketing insight – but it would spell the end of marketing databases. The playing field would be levelled with marketing agencies competing on their ability to analyse the data to which they are given privileged access rather than who can build the biggest database.
“Emails and resulting data should be collected as a matter of course. There are numerous opportunities to collect emails from customers and it’s surprising how many companies don’t prioritise this activity. Emails should always be as personal as possible. It doesn’t take much effort to have one-to-one communications with thousands, or even millions of customers.”
The enlightened have long since realised that email based marketing really isn’t the way forward. Sure if you send out a million emails for £1 and get a handful of responses it seems like great R.O.I – but honestly I don’t want to get into this, you all know there are better, smarter, more elegant solutions out there.
“Ensure compliancy. It sounds obvious but ensuring your email collection policy is compliant with data law is even more important when you remember that the ICO has the power to fine you up to £500,000.”
For anyone that knows me, or even hears me speak on this issue, I apologise you already know what’s coming.
Why is it that whilst many CEOs “think that client data arrives on its own, costs nothing to source and has little or no value”, many Marketing Professionals think that data compliance is:
- only worthy of a fourth place mention in a list of deriving value from data,
- a purely legal issue,
- and in the event of failure only going to cost £500,000?
Compliancy is at a minimum two part. Sure remaining within the legal framework set out by the ICO matters – A LOT. But don’t forget that actually any business holding personal data in the EU is also beholden to the higher and more punitive powers of the EU.
The second part to compliancy is the real sting though, and the one which is often (as here) forgotten. Breaching data protection legislation may result in fines or restriction BUT it will most assuredly have a greater effect on a business’ reputation.
Consumer trust in businesses holding personal data is already under great scrutiny, breaching that trust could very well cost an awful lot more than £500,000. Just ask Phorm.





