Like other privacy nerds all over the land, I’ve been anxiously awaiting the results of the Federal Communications Commission’s vote on some stringent new privacy rules for internet service providers (ISPs). Last week, we got news that the vote passed, and now it’s time to start taking stock of what this means for digital advertisers, publishers, and the US privacy landscape overall. Here’s what you need to know:
The opt-in requirement represents a sea change in US privacy management. Until now, the US approach to data collection has largely been opt-OUT oriented. The FCC ruling changes that. The commission is requiring broadband internet access service (BIAS) providers – that is, mobile carriers and ISPs – to gain explicit opt-IN consent before making their customers' personal data available for ad targeting. It’s important to note that de-identified data and “non-sensitive” data don’t fall under the opt-in requirement. These data can continue to be shared as they are today, and can be used for the providers’ own business and marketing purposes without opt-in consent.
Speaking of “sensitive” data… there’s a lot more of it to consider now. Historically, sensitive personal data has been limited to financial data, health data, data about minors, and a few other categories. The new rules broaden the definition significantly to include data that’s become the lifeblood of online advertising:
To help security and risk professionals navigate the complex landscape of privacy laws around the world, Forrester created a data privacy heat map that highlights the data protection guidelines and practices for 54 different countries. Earlier today, we published the 2016 version of the tool, as well as a free version with access to only the U.K. and U.S. ratings. We have updated the map every year since its initial publication in order to keep pace with the constantly evolving landscape of global data privacy laws.
As we roll out the 2016 update and reflect back on the past 5 years of annual assessments, three high-level trends emerge:
Countries continue moving toward the EU standard for data protection. New legislation outside of the EU often follows the EU’s lead by adopting provisions similar to those in the existing Data Protection Directive (95/46/EC). The slow global convergence toward the requirements outlined in the Directive continued through 2016. For example, Argentina and Japan strengthened pre-existing policies, while Nigeria passed its first comprehensive cybercrime legislation. Japan also established an independent regulatory body (the Personal Information Protection Commission) that oversees privacy issues—a requirement of both the current Directive and the superseding European General Data Protection Regulation (GDPR).
Yesterday’s decision by UK citizens to leave the European Union (“Brexit”) brings about short-term uncertainties and unintended consequences that will make it harder for UK businesses to keep customers and attract talent. While times of high market volatility can tempt firms to panic and cut spending on customer-focused initiatives, now is the time to drive innovation in order to win, serve, and retain customers.
As decisions over the next several years are determined by legislators and driven by compliance, UK companies will be challenged to operate as customer-obsessed firms. Forrester believes that the UK’s decision will have five major implications, including:
Digital and customer-facing talent will migrate out of the UK. Concerns about immigration laws (i.e., who will have the right to stay) will both drive footloose talent to look for jobs abroad and dissuade others from coming. And CIOs will find it even more difficult to recruit already-scarce developers and engineers to build customer-facing systems.
Product and delivery innovation will slow. Companies will now have to spend more time and effort to deliver products across borders and less time innovating on new customer-focused solutions.
Back in 2013, we conducted a study to figure out how the “summer of Snowden” was affecting consumer opinion on privacy. A year later, we combined that data with a current pulse of consumer sentiment, and found that mainstream attitudes signaled imminent behavior change.
Fast forward another year: Today, US presidential candidates are talking about privacy and personal data protection during the pre-primary season. We have recently witnessed three more major data breaches affecting millions of Americans. The adblocking debate is at fever pitch, while Internet giants make privacy a point of differentiation. So, we ran our study a third time, and incorporated behavioral tracking data into the methodology.
Our findings? Consumers are more willing than ever to 1) walk away from your business if you fail to protect their data and privacy; 2) adopt technologies like tracker-blockers and VPNs to limit their exposure to data misuse; and 3) extend their protective actions to the physical realm. And, Forrester’s Consumer Technographics® data shows that this story pertains to millennials and their older counterparts alike:
Back in 2013, my colleague Anjali Lai and I wondered how the "summer of Snowden" was affecting consumer attitudes about privacy. So, we fielded a survey and ran some qualitative analysis in our ConsumerVoices Market Research Online Community. A year later, we used that historical data, combined with Consumer Technographics and social listening data to see how perception and behavior were changing. It was a fascinating study.
Fast forward another year: it's now pre-pre-primary season in the US, and candidates are talking about privacy and personal data protection. There have been three more major data breaches affecting millions of Americans. The adblocking debate is at fever pitch, while Internet giants make privacy a point of differentiation. Obviously, we decided to run our study a third time. And this time, we incorporated (opted-in, permission-based) data from our Consumer Technographics Behavioral Study.
Our findings? Consumers are more willing than ever to 1) walk away from your business if you fail to protect their data and privacy; 2) adopt technologies like tracker-blockers and VPNs to limit their exposure to data misuse; and 3) extend their protective actions to the physical realm.
And the real kicker is that, if you're one of the marketers who's been counting on Millennials who "don't care" about their online privacy, you're going to be waiting a long time.
The big public cloud providers, most of which are still from the United States, sometimes have a hard time finding ways to balance their legal obligations at home with the quite different sensitivities they encounter amongst their new international customers. For a long time, the toolkit has been pretty consistent: site data centres as close to the customer as possible, vehemently support political efforts to harmonize laws, and occasionally be seen to stand up to the worst excesses of government overreach.
Microsoft's announcements in Germany today appear, on the surface, to follow that model pretty closely. But there's a twist that's potentially very important as we move forward.
First, the standard bit. Microsoft, yesterday, announced new data centres that will be operational in the UK next year, joining existing European facilities in Dublin and Amsterdam. Big competitor Amazon did much the same last week, announcing that a new UK data centre will be online by "2016 or 2017." Given the vague timescale, it might be easy to assume that Amazon was trying to steal a little of Microsoft's thunder with a half-baked pre-announcement. And then, today, Microsoft announced two new data centres in Germany. Amazon already has a facility there, of course.
When evaluating the top 10 critical success factors that will determine who wins and loses in the Age of the Customer in 2016, it comes as no surprise that privacy is one of them. In fact, privacy considerations and strategy augment all 10 critical factors that drive business success in the next 12 months.
So, what does this mean for businesses moving forward?
Businesses are moving toward personalization, which means they’ll increasingly collect personal data to get a better idea of what their customers want and need. In the age of the customer, defined by Forrester as a 20-year business cycle when successful enterprises will reinvent themselves as digital businesses in order to serve their increasingly powerful customers, protecting customer data is a critical aspect of fostering trust and building long-lasting relationships.
Regardless of location, all companies should have this goal in mind, but privacy regulations vary from country to country and often conflict with each other. For global organizations, navigating these laws can be daunting. To help businesses tackle this challenge, Forrester published its 2015 Data Privacy Heat Map. Originally created in 2010, the tool leverages in-depth analyses of the data privacy-related laws and cultures of 54 countries around the world, helping security leaders and decision-makers better design their own approaches to privacy and data protection.
Yesterday morning, many of us in the United States awoke to some troubling news: the European Court of Justice (ECJ) had ruled that the Safe Harbor agreement is no longer valid. Security & risk (S&R) and data management folks kicked into high gear. Customer insights and digital marketing teams...? Well, the news slipped past mostly unnoticed. That's a mistake.
Let's start with a primer on Safe Harbor. If you're a multinational company doing business in Europe, Safe Harbor is the agreement under which you've been allowed to bring European customers' data back to your servers in the US for purposes of targeting, analytics, campaign management, etc. If you work with a US-based database MSP, digital or CRM agency to manage customer data, they've likely been relying on the same agreement. It's a 15-year-old agreement that was put in place to bridge the gap between Europe's strict data protection laws and America's relative dearth of them.
Now, that agreement has been deemed invalid, which means that every company serving European customers needs to reexamine its data practices. Of course, this is primarily the purview of our technology management peers. But customer insights professionals need to partner closely with them on two fronts:
Speak up about your third-party data sharing practices. This includes sharing between business partners (for example, passing customer data to a firm that administers your loyalty program or manages warranties), sharing CRM data with digital marketing vendors, and even using third-party trackers on your website that collect IP addresses. Any third-party data sharing could come under scrutiny from European data protection authorities, so you'll want to have a consent-based model for collecting and sharing that data soon.
Forrester’s Security & Risk Analyst Spotlight - Chris Sherman
The title hasn’t yet been put to client vote, but Chris Sherman may be the renaissance man of Forrester’s S&R team. As an analyst, Chris advises clients on data security across all endpoints, giving him a broad perspective on current security trends. His experience as a neuroscience researcher at Massachusetts General Hospital also gives him insight into the particular challenges that Forrester’s clients in the healthcare industry face. Lastly, when he isn’t writing about endpoint security strategy or studying neural synapse firings, Chris flies Cessna 172s around New England. Listen to this week’s podcast to learn about recent themes in Chris’s client inquiries as well as the troubles facing a particular endpoint security technology.