Marketers, data brokers and other businesses have been collecting information about consumers’ online preferences since the advent of e-commerce. The growing use of large-scale information management and analytics technologies (also known as “big data”) has enabled organizations to combine ever larger and numerous datasets in their quest to extract meaning from the hoards of customer data they hold. But, this increased power also presents compliance and reputational risks for organizations. The Financial Times predicts that through 2016, 25% of organisations using consumer data will face reputational damage due to inadequate understanding of information trust issues, and 20% of chief information officers in regulated industries will lose their jobs for failing to implement the discipline of information governance successfully. To mitigate risks, organizations deploying profiling techniques, including companies with powerful brands, should carefully review their current data processing practices and align these with established privacy and data protection principles by adopting a “privacy by design” approach.
As more and more decisions about our lives are based on information our banks, grocery stores, pharmacies and online retailers hold about us, finding the right balance between the benefits of big data analytics and the ethical and privacy risks they pose is imperative. Context is key here, as profiling practices adopted by a healthcare provider, for example, may not be appropriate, from a data protection compliance perspective, for an online cosmetics retailer. This further highlights the need for a “privacy by design” approach whereby privacy and data protection compliance is considered and designed into systems holding information right from the start, rather than bolted on afterwards or ignored altogether. Organizations making use of profiling should therefore conduct individual privacy risk assessments to establish the boundaries of their data analytics practices, adopt appropriate security measures in light of any known or reasonably foreseeable risks, and consider carefully the legal implications.
At the end of this process, customers should be presented with comprehensive notice describing the manner in which a company is proposing to combine and analyse their personal information for marketing purposes. Even where such information has been subsequently anonymized, as a matter of good practice, organisations should consider giving some form of notice to their customers.
The importance of embracing a “privacy by design” approach to profiling was most recently re-affirmed in a profiling resolution adopted by international data protection authorities at a privacy conference held in September 2013 in Warsaw, Poland. More specifically, regulators called upon all parties making use of profiling to implement the following six steps:
1) To clearly determine the need and the practical use of a specific profiling operation and to ensure appropriate safeguards, before deploying profiling.
2) To limit, consistent with privacy by design principles, the assumptions and the amount of data collected to the level that is necessary for the intended lawful purpose and to ensure that, where appropriate, the data is sufficiently up to date and accurate for its intended purpose.
3) To ensure that the profiles and the underlying algorithms are subject to continuous validation, in order to allow for the improvement of the results and the reduction of false positive or false negative results.
4) To inform society about profiling operations to the maximum extent possible, including the way profiles are assembled and the purposes for which profiles are used, to ensure that individuals are able to maintain control over their own personal data to the maximum extent possible and appropriate.
5) To ensure, in particular with respect to decisions that have significant legal effects on individuals or that affect benefits or status, that individuals are informed about their right to access and correction and that human intervention is provided where appropriate, especially as the predictive power of profiling due to more effective algorithms increases.
6) To ensure that all profiling operations are subject to appropriate oversight.
As more and more brand owners use consumer profiling and big data continues to grow, the “privacy by design” approach will likely become more and more important — this won’t be the last we hear from the regulators on the approach. CovBrands will be watching this space.