So, do you know how your business may be using data mining for customer and consumer profiling? Have you talked with your marketing folks about it?
Do you know how the stores you make your purchases from use your information to do customer profiling and other types of data mining? Have you asked them? Chances are the sales staff at the counters and check-outs wouldn’t know, but you could ask the store manager.
This was the topic of the third article in my August issue of IT Compliance in Realtime Journal, “Not All Privacy Issues Involve PII.”
Here’s the second half of that article (download the PDF to get a much nicer version, along with the links):
_____________________________
How Does Your Business Use Customer and Consumer Profiling?
Does your organization use data profiling in any way to make decisions about, categorize, or put labels on your customers and consumers? Do you know? Chances are many information security and privacy practitioners are not aware of these types of activities that their marketing areas are actively pursuing or have already implemented. Why? Because if the activities do not directly involve PII, marketing and sales folks often believe they can do anything with the data.
However, the way Web site privacy policies are stated could very well put an organization in noncompliance with their own, legally binding, privacy promises. Not only this, but your organization could be found to be discriminating against customers, consumers, personnel, and potential employees by the way the profiling is executed.
On December 20, 2007 the Federal Trade Commission (FTC) released “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles.” This document provides guidance to organizations on behavioral advertising and profiling. Consider sharing the following points from that document with your organization in general, and with your marketing area in particular:
- If you use information you collect from your Web site for profiling, clearly communicate on your Web site where you collect the information, the specific information items you are collecting, what you will use the information for, and allow your customers to opt-out of having their information used in the ways you indicated.
- Make sure that you are appropriately safeguarding ALL the information you collect from your Web sites from customers and consumers. The FTC will be looking to determine whether you have safeguards that correspond with the sensitivity of the information (not just whether or not it is PII), your organization’s business, and your organization’s risks.
- Retain information collected from consumers for only as long as you really need to retain it for the business reasons you provided when you collected it.
- Before using information for purposes different from those you indicated when you collected it, obtain the express consent of individuals. Note that this would also apply to merger and acquisition situations.
- Collect what could be considered “sensitive” information, such as information about health conditions, sexual orientation, or children’s online activities, for behavioral profiling advertising only if you first obtain express consent from individuals from whom you want to get this information.
- Establish policies and procedures to ensure that consumer tracking information that was collected and stored for behavioral profiling and advertising is not used for potentially harmful purposes. For example, be careful how you use consumer information when making decisions for developing new products and how you contact your customers and consumers about these products.
Download the full document for the details, and incorporate them into your information security and privacy procedures throughout your entire enterprise.
_____________________________