Communicating Online Advertising Practices to Consumers

Nymity, a global privacy and data protection research services firm and FPF supporter, just published an interview with Jules which provides a nice overview of our activities. You can sign up for Nymity’s free newsletter at www.nymity.com.

PrivacyProf on the SmartGrid

Some of the leading privacy analysis related to the smart grid has been carried out by Rebecca Herold, a.k.a. @PrivacyProf to her Twitter followers. Her most recent post, an effort to begin to map privacy standards to potential grid privacy concerns, does not disappoint. We are looking forward to having her on our smart grid privacy panel at the next IAPP Summit. Keep an eye on her site, RealTime IT Compliance, for great privacy updates on the grid and beyond (and of course continue to keep an eye on smartgridprivacy.org, FPF’s central resource site for the grid and privacy).

Cookie Opt-in, Opt-out? How about stepping up?

EU companies are heaving sighs of relief after obtaining some text changes in the EU telecoms package passed this week in Brussels. Concerns that the proposed amendments to the ePrivacy Directive would have required cookies used for secondary purposes to be “opt-in” had trade groups scrambling, but elimination of the words “prior” and “after having been provided” seems to provide some basis for broader interpretation.

Here is the new final language as approved:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

The previous proposed language did address the use of browser settings as a possible way to imply consent.  That language was moved to the less binding and more advisory introduction to the legal language of the law.  Here is how it reads:

“Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.” Read the full text of the bill here.

It is important to understand that this law is operative at the EU level, meaning that it has no direct effect on companies. Rather, EU countries are now obligated to incorporate the new law into their own national legislation. How this will play out is unclear. Many data regulators already maintain that their current national laws require “opt-in” for cookies used to develop behavioral profiles or for other robust uses that they consider to be “personal”.

Rather than declare victory and head off to fight the next stage of this battle in every national jurisdiction, now might be a very good time for EU ad networks, publishers and advertisers to step up efforts to demonstrate innovative ways to provide users with more transparency and control.  If top EU officials consider cookies used for ad related purposes to be “spy cookies”, there is real work to be done to demonstrate that online data can be used in a manner that demonstrates respect for users.  We have learnt a great deal from colleagues at data protection authorities abroad about privacy as a human right and believe the “rights” model is increasingly gaining traction over the historic US “harms” model.  But perhaps some recent progress in the US may be useful as a model for global cookie use.  Companies that develop cookie based profiles are increasingly providing users in the US with access to those profiles, demystifying the process of targeted advertising.  In addition, much of industry has agreed to provide notices on ads or on web pages to indicate behavioral data use.  A number of leading companies, advocates and academics are working with the Future of Privacy Forum to conduct consumer research to understand the best words and symbols that can be used to meaningfully engage users about how their data is being used.  We will be displaying our results at the December 7th FTC “Exploring Privacy” round table event.

Perhaps we can all agree to “opt-in” to stepping up efforts to demonstrate that personalization and privacy can co-exist?

*For those interested in the process, here are the next steps:

FTC "Exploring Privacy" Roundtable Series

Jules Polonetsky will be participating in the FTC’s “Exploring Privacy” Roundtable on Monday, December 7 in Washington, D.C.

Jules will be participating on Panel 2: Consumer Expectations and Disclosures from 11:00-12:15.

Click on this link for more details: http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml

NARUC Defers Smart Grid Resolution

The National Association of Regulatory Utility Commissioners was scheduled to vote on a smart grid privacy resolution at their November meeting in Chicago last week.  However, it appears that the regulators did not adopt the proposed resolution.  Our sources tell us that it was deferred, hopefully to be taken up at the February NARUC meeting.  Since the last NARUC privacy resolution was adopted in July of 2000, and data privacy issues that were barely contemplated are already the subject of intense discussion, we hope they will come back to this before companies are too far down the path to implementation.

Experts: Smart Grid Poses Privacy Risks

Washington Post – Security Fix Blog

By Brian Krebs

Wednesday, November 18, 2009

Technologists already are worried about the security implications of linking nearly all elements of the U.S. power grid to the public Internet. Now, privacy experts are warning that the so-called “smart grid” efforts could usher in a new class of concerns, as utilities begin collecting more granular data about consumers’ daily power consumption.

“The modernization of the grid will increase the level of personal information detail available as well as the instances of collection, use and disclosure of personal information,” warns a report (PDF) jointly released Tuesday by the Ontario Information and Privacy Commissioner and the Future of Privacy Forum (FPF), a think tank made up of chief privacy officers, advocates and academics.

Jules Polonetsky quoted:

“Relatively speaking, [utilities] aren’t big marketing companies with big back end databases ready to handle the tidal wave of data that’s coming,” he said. “But we’re a little worried that without some serious planning now, there’s going to be quite a challenge in a couple of years when people start realizing that maybe should think about developing some solid data retention policies that address what’s going to be done with all of this data.”

Click here to view the full blog post.

You Say It's Your Birthday

One year ago today, FPF opened its doors and promised to work to advance responsible data practices. Our goal was to work with progressive companies, advocates, academics and government leaders to find common ground on solutions that ensured that uses of consumer information provided users with transparency and control.

While FPF has grown in terms of our underwriting support and the depth of our advisory board, we are especially proud of the programs we have established to further our mission. This includes establishment of:

• A research and creative development effort to develop optimal ways to communicate about online advertising and privacy practices.

• A Smart Grid Working Group to help integrate privacy principles into the development of the internet smart power systems.

• A partnership with the George Washington University Law School to promote research and debate on privacy related law and public policy.

In the coming year, FPF will build on these to develop better ways to respect users’ online choices and to launch a new effort focused on social media and mobile applications. We welcome feedback, comments and criticism. To join or support our efforts, please email [email protected].

SmartPrivacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation

The Future of Privacy Forum, with Ontario Information and Privacy Commissioner Ann Cavoukian, released a white paper today entitled, “SmartPrivacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation.”

Click on the link below to view the paper.

smartprivacy-for-the-smart-grid

The full press release can be viewed here.

An OpEd from Ann Cavoukian and Jules Polonetsky can be seen in today’s Toronto Star. Click here to view the entire article.

Please visit www.smartgridprivacy.org for the Future of Privacy Forum’s other smart grid privacy efforts.

Utility Regulators Vote on Smart Grid Privacy Resolution

This week, the National Association of Regulatory Utility Commissioners (NARUC) is holding their annual meeting in Chicago. On Wednesday, the Commissioners will vote on passing a new resolution that will address privacy concerns and the development of the Smart Grid. We applaud the proposed resolution (see pg. 16) which will call for clear notices, consent, opt-in requirements, and “the minimum amount of data necessary…to be collected” for the use of personally-identifiable information in Smart Grid technologies. We are pleased to see that utility regulators are considering privacy issues as Smart Grid development moves forward. We hope that regulators will look to experts in the privacy and technology community, as well as consumer advocates, as they grapple with the data challenges created by the Grid.

Here is the relevant text of the resolution –

“RESOLVED, That NARUC agrees that the new smart meters and accompanying potential and actual uses create the need for utilities to be more transparent and clearly provide notice documenting the types of information items collected, and the purposes for collecting the data, and that NARUC agrees to recommend that its member States will so require; and be it further

RESOLVED, That NARUC will recommend that member States require within the smart grid implementation that a clearly-specified notice must describe the purpose for any collection, use, retention, and sharing of personally identifiable information (PII), and that the consumer will have the choice to provide or to not provide such PII; and be it further

RESOLVED, That NARUC will recommend that member States require that with the smart grid implementation the utilities must give residents a choice about the types of data collected and that utilities must obtain consent from residents before using the collected data for other purposes, and as a requirement before data can be shared with any other entities; and be it further

RESOLVED, That NARUC acknowledges that in the current operation of the electric grid, data taken from meters consists of basic data usage readings required to create bills, but under a smart grid implementation, meters will collect other types of data as well, much of which will be personally identifiable information with associated privacy risks, and that, therefore NARUC further resolves to recommend that only the minimum amount of data necessary for the utility companies to use for energy management and billing should be allowed to be collected; and be it further

RESOLVED, That NARUC agrees that system-wide smart grid deployment should not jeopardize an individual’s privacy as that deployment is used to improve the system’s reliability, reduce overall costs and improve customer service.”