The Privacy Imperative: Go Beyond Compliance to Competitive Advantage Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario IABC Los Angeles 2004 June 9, 2004

Impetus for Change  Growth of Privacy as a Global Issue  EU Directive on Data Protection  Increasing amounts of personal data collected, consolidated, aggregated  Consumer Backlash; heightened consumer expectations

The New Debate: Privacy After 9/11  It’s business as usual: Clear distinction between public safety and business issues – make no mistake NO reduction in consumer expectations Increased value of trusted relationships

Consumer Attitudes  Business is not a beneficiary of the post-9/11 “Trust Mood”  Increased trust in government has not been paralleled by increased trust in business handling of personal information Privacy On and Off the Internet: What Consumers Want Conducted by Harris Interactive, November 2001

Importance of Consumer Trust  In the post-9/11 world: Consumers either as concerned or more concerned about online privacy Concerns focused on the business use of personal information, not new government surveillance powers  If consumers have confidence in a company’s privacy practices, consumers are more likely to: Increase volume of business with company……....91% Increase frequency of business……………….…...90% Harris/Westin Poll, Nov & Feb. 2002

Information Privacy Defined  Information Privacy: Data Protection Freedom of choice; control; informational self-determination Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

The Foundation: Fair Information Practices  Accountability  Identifying Purposes  Consent  Limiting Collection  Limiting Use, Disclosure, Retention  Accuracy  Safeguards  Openness  Individual Access  Challenging Compliance CSA Model Code for the Protection of Personal Information

The Golden Rules: Fair Information Practices  Why are you asking? Collection; purpose specification  How will the information be used? Primary purpose; use limitation  Any secondary uses? Notice and consent; prohibition against unauthorized disclosure  Who will be able to see my information? Restricted access from unauthorized third parties

Fair Information Practices: A Brief History  OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data  E.U. Directive on Data Protection  CSA Model Code for the Protection of Personal Information  Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

United States: Safe Harbor Privacy Principles 1.Notice 2.Choice 3.Onward Transfer 4.Security 5.Data Integrity 6.Access 7.Enforcement

The Bottom Line Privacy should be viewed as a business issue, not a compliance issue

The Promise  Electronic Commerce projected to reach $220 billion by 2001 WTO, 1998  Electronic Commerce projected to reach $133 billion by 2004 Wharton Forum on E-Commerce, 1999 Estimates revised downward to reflect lower expectations

Privacy is affecting E-Commerce United States: e-commerce sales were only 1.6% of total sales -- $54.9 billion in U.S. Dept. of Commerce Census Bureau, February 2004 Canada: Online sales were only 0.6% of total revenues -- $13.7 billion in 2002 Statistics Canada, April 2003

Lack of Privacy = Lack of Sales “Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.” Forrester Research, September 2001 “Privacy and security concerns could cost online sellers almost $25 billion by 2006.” Jupiter Research, May 2002

The Business Case  “Our research shows that 80% of our customers would walk away if we mishandled their personal information.” CPO, Royal Bank of Canada, 2003  Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.

It’s all about Trust “Trust is more important than ever online … Price does not rule the Web … Trust does.” Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships

The High Road “When customers DO trust an online vendor, they are much more likely to share personal information. This information then enables the company to form a more intimate relationship with its customers.” Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships

Lack of Trust on the Web “In 70% of instances where Internet users were asked to provide information in order to access an online informational resource, those users did not pursue the resource because they thought their privacy would be compromised.” Narrowline Study, 1997

Trust and Privacy Policies Fully 50% of online users said they would leave a Web site if they were unhappy with a company’s privacy policy. Customer Respect Group, February 2004 survey

Falsifying Information on the Web “42.1% have falsified information at one time or another when asked to register at a Web site.” 10 th WWW User Survey, October 1998

The Low Road “ Absent trust, Web consumers seem to be more than willing to upset the marketing apple cart. They refuse to cooperate: 94% have declined to provide personal information when asked; and they lie through their teeth.” Wired Magazine, May 1998

How The Public Divides on Privacy The “Privacy Dynamic” - BattleDr. Alan Westin for the minds of the pragmatists

Privacy and Customers “The 1:1 enterprise, operating in an interactive environment, relies not just on information about customers, but on information from them.” “It is absolutely imperative for the 1:1 enterprise to take into account the issue of protecting individual customer privacy.” Enterprise One to One: Tools for Competing in the Interactive Age – Don Peppers and Martha Rogers, Ph.D.

Permission-Based Marketing: The Personal Touch  Essential premise: persuade consumers to volunteer their attention  Puts control in the hands of consumers Makes consumers active recipients of marketing information “Permission marketing is just like dating.” Seth Godin

A Privacy-Sensitive Motto for Customer Relations Management  The old way Know everything about your customer.  The new way Know everything that your customers want you to know. CRM or CMR (customer managed relationship)? Assume nothing – always ask!

Privacy and CRM Incorporating Privacy into Marketing and Customer Relationship Management Paper released in May, 2004 The result of novel a novel partnership between the Canadian Marketing Association and the IPC CRM and marketing must include privacy to be fully successful

Develop a Corporate Culture of Privacy Demonstrate that privacy issues affect everything and everyone Persuade and proselytize every division and employee, leave no stone unturned Focus on partnership development, bring value- added Develop a cross-functional team committed to CPOs mandate

Make Privacy a Corporate Priority  An effective privacy program needs to be integrated into the corporate culture  It is essential that privacy protection become a corporate priority throughout all levels of the organization  Senior Management and Board of Directors’ commitment is critical

Privacy Legislation is Proliferating In the 107 th Congress ( )…the House, the Senate, or both approved significant privacy-related provisions in: Bankruptcy reformFarm programs Financial anti-fraudFinancial anti-terrorism Border securityElection reform CybersecuritySmall business Environmental protectionEnergy policy AgricultureTrade policy e-governmentFederal computer systems DNA/sexual assaultInstant criminal background checks Homeland security 13 laws were enacted. The House approved 5 other bills; the Senate, 4. For more information, contact Eric K. Federing, KPMG LLP, Government Affairs, © 2004 KPMG LLP. Presented here with permission

AICPA/CICA Privacy Framework  Privacy Framework Exposure Draft June 3,  Set of Generally Accepted Privacy Principles (GAPP) to which a Chartered Account could provide an independent attestation report  Businesses could provide clients with assurance of compliance with privacy standards (e.g. EU Data Protection Directive, Safe Harbor, PIPEDA, GLB, HIPAA, Australian privacy requirements, etc.)

Final Thought “Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.” Forrester Research, March 5, 2001

How to Contact Us Commissioner Ann Cavoukian Information & Privacy Commissioner/Ontario 80 Bloor Street West, Suite 1700 Toronto, Ontario M5S 2V1 Phone: (416) Web: