Presentation is loading. Please wait.

Presentation is loading. Please wait.

C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Privacy Self-Regulation and the Privacy Profession.

Published byLewis Carroll Modified over 9 years ago

Similar presentations

Presentation on theme: "C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Privacy Self-Regulation and the Privacy Profession."— Presentation transcript:

1 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 1 Privacy Policy, Law and Technology Privacy Self-Regulation and the Privacy Profession September 16, 2008

2 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 2 Privacy self-regulation  Since 1995, the US FTC has pressured companies to “self regulate” in the privacy area  Self regulation may be completely voluntary or mandatory (or somewhere in between)  Self-regulatory programs and initiatives –Seals –CPOs –Privacy policies –P3P –Industry guidelines

3 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 3 Voluntary privacy guidelines  Direct Marketing Association Privacy Promise http://www.the- dma.org/privacy/privacy_promise.pdf http://www.the- dma.org/privacy/privacy_promise.pdf  Network Advertising Initiative Principles http://www.networkadvertising.org/ http://www.networkadvertising.org/  CTIA Location-based privacy guidelines http://files.ctia.org/pdf/filings/ctia042401.pdf http://files.ctia.org/pdf/filings/ctia042401.pdf  Generally Accepted Privacy Principals http://infotech.aicpa.org/Resources/Privacy/G enerally+Accepted+Privacy+Principles/ http://infotech.aicpa.org/Resources/Privacy/G enerally+Accepted+Privacy+Principles/

4 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 4

5 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 5 Chief privacy officers  Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns  Role of CPO varies in each company –Draft privacy policy –Respond to customer concerns –Educate employees about company privacy policy –Review new products and services for compliance with privacy policy –Develop new initiatives to keep company out front on privacy issue –Monitor pending privacy legislation

6 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 6 Seal programs  TRUSTe – http://www.truste.orghttp://www.truste.org  BBBOnline – http://www.bbbonline.orghttp://www.bbbonline.org –No longer issuing privacy seals  CPA WebTrust – http://www.cpawebtrust.org/http://www.cpawebtrust.org/  Japanese Privacy Mark http://privacymark.org/ http://privacymark.org/

7 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 7 Seal program problems  Certify only compliance with stated policy –Limited ability to detect non-compliance  Minimal privacy requirements  Don’t address privacy issues that go beyond the web site  Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes

8 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 8 Privacy policies  Policies let consumers know about site’s privacy practices  Consumers can then decide whether or not practices are acceptable, when to opt- in or opt-out, and who to do business with  The presence of privacy policies increases consumer trust What are some problems with privacy policies?

9 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 9 Privacy policy problems  BUT policies are often –difficult to understand –hard to find –take a long time to read –change without notice

10 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 10 Difficult to read and understand  Privacy policies typically require college-level reading skills to understand  Privacy policies often include legalese and obfuscated language –Typical policies have > 20 hedging claims: “may, might, perhaps, in/at our discretion, except as, on a limited basis, we reserve the right to, including but not limited to” –Example: Nonetheless, except as separately permitted by other provisions of this Privacy Policy, these companies are allowed to gather, receive, and use your information only for the purposes described in this paragraph or to facilitate compliance with laws. Pollach, I. 2007. What's wrong with online privacy policies?. Commun. ACM 50, 9 (Sep. 2007), 103-108. DOI= http://doi.acm.org/10.1145/1284621.1284627

11 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 11 Privacy policy components  Identification of site, scope, contact info  Types of information collected –Including information about cookies  How information is used  Conditions under which information might be shared  Information about opt-in/opt- out  Information about access  Information about data retention policies  Information about seal programs  Security assurances  Children’s privacy There is lots of information to convey -- but policy should be brief and easy-to-read too! What is opt-in? What is opt-out?

12 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 12 Short Notices  Project organized by Hunton & Williams law firm –Create short version (short notice) of a human-readable privacy notice for both web sites and paper handouts –Sometimes called a “layered notice” as short version would advise people to refer to long notice for more detail –Now being called “highlights notice” –Focus on reducing privacy policy to at most 7 boxes –Standardized format but only limited standardization of language –Proponents believe highlights format may eventually be mandated by law  Alternative proposals from privacy advocates focus on check boxes  Interest Internationally –http://www.privacyconference2003.org/resolution.asp  Interest in the US for financial privacy notices –http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf

13 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 13 Privacy Notice Highlights Template Acme Company Privacy Notice Highlights For more information about our privacy policy, write to: Consumer Department Acme Company 11 Main Street Anywhere, NY 10100 Or go to the privacy statement on our website at acme.com. We collect information directly from you and maintain information on your activity with us, including your visits to our website. We obtain information, such as your credit report and demographic and lifestyle information, from other information providers. PERSONAL INFORMATION We use information about you to manage your account and offer you other products and services we think may interest you. We share information about you with our sister companies to offer you products and services. We share information about you with other companies, like insurance companies, to offer you a wider array of jointly-offered products and services. We share information about you with other companies so they can offer you their products and services. USES You may opt out of receiving promotional information from us and our sharing your contact information with other companies. To exercise your choices, call (800) 123-1234 or click on “choice” at ACME.com. YOUR CHOICES You may request information on your billing and payment activities. IMPORTANT INFORMATION HOW TO REACH US This statement applies to Acme Company and several members of the Acme family of companies. SCOPE NY142510v1 5/28/2002 Dated: May 28, 2002 Template prepared by the Notices Project, a program ofthe Center for Information Policy Leadership at Hunton &Williams © 2002 Center for Information Policy Leadership

14 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 14

15 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 15

16 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 16

17 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 17 Checkbox proposal WE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES. Collection: YESNO We collect personal information directly from you   We collect information about you from other sources:   We use cookies on our website   We use web bugs or other invisible collection methods   We install monitoring programs on your computer   Uses: We use information about you to:With YourWithout Your ConsentConsent Send you advertising mail   Send you electronic mail   Call you on the telephone   Sharing: We allow others to use your information to:With YourWithout YourConsent Maintain shared databases about you   Send you advertising mail   Send you electronic mail   Call you on the telephoneN/AN/A Access: You can see and correct {ALL, SOME, NONE} of the information we have about you. Choices: You can opt-out of receiving fromUsAffiliatesThird Parties Advertising mail   Electronic mail   Telemarketing  N/A Retention: We keep your personal data for:{Six Months Three Years Forever} Change:We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE} Source: Robert Gellman, July 3, 2003

18 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 18

19 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 19

20 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 20

21 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 21 Summer 2007 CMU privacy policy study  Tested 4 policy formats and 3 policy lengths  All formats derived from same real privacy policy, with information identifying company removed –Natural language format Typical length and reading level, but minimal obfuscated language –Layered notice format Standard “highlights notice” with six boxes –Two experimental formats automatically derived from computer- readable P3P policy Present brief view and require clicking to get more detailed info  864 participants, each assigned to read one policy online –Asked 8 questions about understanding and trust of policy –Asked to find 6 specific pieces of information in policy Ongoing work by Aleecia McDonald, Rob Reeder, Patrick Kelley

22 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 22 Finding information with natural language policies  People could accurately answer questions where they could find answer by scanning or key word –Does Acme use cookies? (98%)  People had trouble with questions that required more reading comprehension –Does this policy allow Acme to put you on an email marketing list? (71%) –Does this policy allow Acme to share your email address with a marketing company that might put you on their email marketing list? (52%)

23 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 23 Preliminary findings  Even well-written policies are not well-liked and difficult for consumers to use  Layered notices (in their current format) don’t appear to help much  People perceive long policies as slightly more trustworthy, but find information faster in short policies  Experimental formats are not immediately intuitive –Not obvious how to get detailed information, where to find info in P3P hierarchy –Based on these findings, we plan further refinements and experiments

24 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 24 Towards a privacy “nutrition label”  Standardized format –People learn where to look for answers to their questions –Facilitates side-by-side policy comparisons  Standardized language –People learn what the terminology means  Brief –People can get their questions answered quickly  Linked to extended view –People can drill down and get more details if needed

25 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 25 Challenges  People are not familiar with privacy terminology  Context matters –Not enough to know only type of data collected and how data is used –Need to know which data are used for what purposes as companies use some data for some purposes and other data for other purposes  Privacy policies are complex  People don’t understand privacy implications

26 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 26

27 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 27 Preliminary ideas

28 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 28

29 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 29 Cost to read privacy policies  Annual time to read online privacy policies –p* R * n = 9.3 billion hours or 7 minutes/person/day –10% of time people spend online p is the population of Internet users R is the average national reading rate for this type of material n is the average number of unique sites an Internet user visits  Annual time to skim online privacy policies –p * S * n = 5.6 billion hours S is the average time to skim a policy.  Annual cost of reading online privacy policies –$136.5 Billion or $613/person based on assumptions about value of work and leisure time Ongoing work by Aleecia McDonald

30 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 30 Is industry self-regulation working?  What are the arguments for and against privacy self-regulation?  What are the arguments for and against privacy laws?

31 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 31 IAPP  International Association of Privacy Professionals  http://www.privacyassociation.org/ http://www.privacyassociation.org/

32 C MU U sable P rivacy and S ecurity Laboratory http://cups.cs.cmu.edu/ 32 Privacy organizations (and organizations that work on privacy issues as part of their larger mission)  http://www.aclu.org/ http://www.aclu.org/  http://www.cdt.org/ http://www.cdt.org/  http://www.cpsr.org/ http://www.cpsr.org/  http://www.eff.org/ http://www.eff.org/  http://www.epic.org/ http://www.epic.org/  http://www.healthprivacy.org/ http://www.healthprivacy.org/  http://www.privacyinternational.org/ http://www.privacyinternational.org/  http://www.privacyrights.org/ http://www.privacyrights.org/

Download ppt "C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Privacy Self-Regulation and the Privacy Profession."

Similar presentations

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.
EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.

EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.
Colorado Secretary of State e-FILING COLORADO ADMINISTRATIVE RULES CODE OF COLORADO REGULATIONS ONLINE PORTAL FOR e-FILING AND RULE ACCESS Colorado Secretary.

Colorado Secretary of State e-FILING COLORADO ADMINISTRATIVE RULES CODE OF COLORADO REGULATIONS ONLINE PORTAL FOR e-FILING AND RULE ACCESS Colorado Secretary.
6.5 Compare Surveys, Experiments, and Observational Studies p. 414 How do you accurately represent a population? What is an experimental study? What is.

6.5 Compare Surveys, Experiments, and Observational Studies p. 414 How do you accurately represent a population? What is an experimental study? What is.
Accessibility Awareness Training for Customer Service Representatives © 2014, T-Base Communications Inc. Welcome to Accessibility Awareness Training for.

Accessibility Awareness Training for Customer Service Representatives © 2014, T-Base Communications Inc. Welcome to Accessibility Awareness Training for.
Organizing Your Argument The Argumentative Essay.

Organizing Your Argument The Argumentative Essay.
CHAPTER 4 E-ENVIRONMENT

CHAPTER 4 E-ENVIRONMENT
Consumer Privacy and Information Access Professor Matt Thatcher.

Consumer Privacy and Information Access Professor Matt Thatcher.
C YBER S ECURITY FOR E DUCATIONAL L EADERS : A G UIDE TO U NDERSTANDING AND I MPLEMENTING T ECHNOLOGY P OLICIES Chapter 10 Privacy Policy © Routledge Richard.

C YBER S ECURITY FOR E DUCATIONAL L EADERS : A G UIDE TO U NDERSTANDING AND I MPLEMENTING T ECHNOLOGY P OLICIES Chapter 10 Privacy Policy © Routledge Richard.
The Internet industry’s privacy seal program Silicon Valley Web Guild.

The Internet industry’s privacy seal program Silicon Valley Web Guild.
Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Privacy Self-Regulation.

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Privacy Self-Regulation.
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
Internet Privacy Policies Presented by: Paul Frenken President, COLAIP.

Internet Privacy Policies Presented by: Paul Frenken President, COLAIP.
1 The End Of The Privacy Policy As We Know It Fran Maier President TRUSTe.

1 The End Of The Privacy Policy As We Know It Fran Maier President TRUSTe.
Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Introduction to Privacy January.

Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Introduction to Privacy January.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Introduction to Privacy January.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Introduction to Privacy January.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
© 2008. Oklahoma State Department of Education. All rights reserved. 1 Beware! Consumer Fraud Standard 9. 1 Fraud and Identity Theft.

© Oklahoma State Department of Education. All rights reserved. 1 Beware! Consumer Fraud Standard 9. 1 Fraud and Identity Theft.
Principles of Marketing

Principles of Marketing
Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Introduction to Privacy.

Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Introduction to Privacy.

Similar presentations

Ads by Google