1. www.ipc.on.ca The Privacy Payoff: Build Your Business By Building Customer Trust Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Coast Software Privacy Best Practices Web Seminar Series November 8, 2004

2. www.ipc.on.ca Slide 2 Impetus for Change  Growth of Privacy as a Global Issue  EU Directive on Data Protection  Increasing amounts of personal data collected, consolidated, aggregated  Consumer Backlash; heightened consumer expectations

3. www.ipc.on.ca Slide 3 Importance of Consumer Trust  In the post-9/11 world: Consumers either as concerned or more concerned about online privacy Concerns focused on the business use of personal information, not new government surveillance powers  If consumers have confidence in a company’s privacy practices, consumers are more likely to: Increase volume of business with company……....91% Increase frequency of business……………….…...90% Stop doing business with company if PI misused…83% Harris/Westin Poll, Nov. 2001 & Feb. 2002

4. www.ipc.on.ca Slide 4 Information Privacy Defined  Information Privacy: Data Protection Freedom of choice; control; informational self-determination Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

5. www.ipc.on.ca Slide 5 What Privacy is Not Security  Privacy

6. www.ipc.on.ca Slide 6  Authentication  Data Integrity  Confidentiality  Non-repudiation  Privacy; Data Protection  Fair Information Practices Privacy and Security: The Difference Security: Organizational control of information through information systems

7. www.ipc.on.ca Slide 7 Fair Information Practices: A Brief History  OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data  EU Directive on Data Protection  CSA Model Code for the Protection of Personal Information  Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

8. www.ipc.on.ca Slide 8 Summary of Fair Information Practices  Accountability  Identifying Purposes  Consent  Limiting Collection  Limiting Use, Disclosure, Retention  Accuracy  Safeguards  Openness  Individual Access  Challenging Compliance

9. www.ipc.on.ca Slide 9 Extension of PIPEDA  As of January 1, 2004, the Personal Information Protection and Electronic Documents Act has extended to:  all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations  unless a substantially similar provincial privacy law is in force

10. www.ipc.on.ca Slide 10 Provincial Private-Sector Privacy Laws Québec: Act respecting the protection of personal information in the private sector B.C.: Personal Information Protection Act Alberta: Personal Information Protection Act Ontario: draft Privacy of Personal Information Act, 2002 – not introduced…so PIPEDA applies

11. www.ipc.on.ca Slide 11 Ontario: Health Information Protection Act, 2003 (PHIPA)  Ontario government introduced health privacy bill (Bill 31) on December 17, 2003  Law comes into effect on November 1, 2004  Establishes privacy rules for personal health information that is collected, used or disclosed by health information custodians

12. www.ipc.on.ca Slide 12 The Bottom Line Privacy should be viewed as a business issue, not a compliance issue

13. www.ipc.on.ca Slide 13 The Promise  Electronic Commerce projected to reach $220 billion by 2001 WTO, 1998  Electronic Commerce projected to reach $133 billion by 2004 Wharton Forum on E-Commerce, 1999 Estimates revised downward to reflect lower expectations

14. www.ipc.on.ca Slide 14 Privacy is affecting E-Commerce United States: e-commerce sales were only 1.6% of total sales -- $54.9 billion in 2003 -U.S. Dept. of Commerce Census Bureau, February 2004 Canada: Online sales were only 0.6% of total revenues -- $13.7 billion in 2002 Statistics Canada, April 2003

15. www.ipc.on.ca Slide 15 Lack of Privacy = Lack of Sales “Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.” Forrester Research, September 2001 “Privacy and security concerns could cost online sellers almost $25 billion by 2006.” Jupiter Research, May 2002

16. www.ipc.on.ca Slide 16 The Business Case  “Our research shows that 80% of our customers would walk away if we mishandled their personal information.” CPO, Royal Bank of Canada, 2003  Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.

17. www.ipc.on.ca Slide 17 ISF Highlights Damage done by Privacy Breaches  The Information Security Forum reported that a company’s privacy breaches can cause major damage to brand and reputation: 25% of companies surveyed experienced some adverse publicity due to privacy 1 in 10 had experienced civil litigation, lost business or broken contracts Robust privacy policies and staff training were viewed as keys to avoiding privacy problems The Information Security Forum, July 7, 2004

18. www.ipc.on.ca Slide 18 How The Public Divides on Privacy The “Privacy Dynamic” - BattleDr. Alan Westin for the minds of the pragmatists

19. www.ipc.on.ca Slide 19 It’s all about Trust “Trust is more important than ever online … Price does not rule the Web … Trust does.” Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships

20. www.ipc.on.ca Slide 20 The High Road “When customers DO trust an online vendor, they are much more likely to share personal information. This information then enables the company to form a more intimate relationship with its customers.” Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships

21. www.ipc.on.ca Slide 21 Lack of Trust on the Web “In 70% of instances where Internet users were asked to provide information in order to access an online informational resource, those users did not pursue the resource because they thought their privacy would be compromised.” Narrowline Study, 1997

22. www.ipc.on.ca Slide 22 Trust and Privacy Policies Fully 50% of online users said they would leave a Web site if they were unhappy with a company’s privacy policy. Customer Respect Group, February 2004 survey

23. www.ipc.on.ca Slide 23 Falsifying Information on the Web “42.1% have falsified information at one time or another when asked to register at a Web site.” 10 th WWW User Survey, October 1998

24. www.ipc.on.ca Slide 24 Make Privacy a Corporate Priority  An effective privacy program needs to be integrated into the corporate culture  It is essential that privacy protection become a corporate priority throughout all levels of the organization  Senior Management and Board of Directors’ commitment is critical

25. www.ipc.on.ca Slide 25 Good Governance & Privacy “Privacy and Boards of Directors: What You Don’t Know Can Hurt You” Guidance to corporate directors faced with increasing responsibilities and expectation of openness and transparency Privacy among the key issues that Boards of Directors must address Potential risks if Directors ignore privacy Great benefits to be reaped if privacy included in a company’s business plan

26. www.ipc.on.ca Slide 26 Privacy Diagnostic Tool  Simple, plain-language tool (paper and e-versions)  Free & self-administered  CSA model code to examine an organization’s privacy management practices  www.ipc.on.ca/PDT www.ipc.on.ca/PDT

27. www.ipc.on.ca Slide 27 Final Thought “Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.” Forrester Research, March 5, 2001

28. www.ipc.on.ca How to Contact Us Commissioner Ann Cavoukian Information & Privacy Commissioner/Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Phone: (416) 326-3333 Web: www.ipc.on.ca E-mail: commissioner@ipc.on.ca