Lessons from 3 Organizations That Made 3 Privacy Mistakes

Thursday, May 22, 2014

Rebecca Herold


Even as privacy breaches increase, and as the FTC, other regulatory agencies and the courts impose ever more sanctions on companies that do irresponsible things with personal information, exposing growing numbers of individuals to identity fraud and even physical safety risks, companies are still asking for far too much unnecessary and sensitive personal information purely for their marketing purposes.

And too many online media outlets, often reporting on or promoting these marketing efforts, are perpetuating these very bad privacy practices. Then, so they will not upset their advertisers, they actually delete comments that point out how bad those marketing and data collection practices are. I recently experienced such a situation with ABC News, Dairy Queen, and the Pierson Grant marketing agency and blogged about it here. The post was shared throughout numerous social media sites, and one commenter on one of these posts indicated that Ringling Brothers Circus also asks for copies of birth certificates in return for free tickets on Mother’s Day.

Marketers, and the companies they work for, stop unnecessarily collecting this sensitive personal information!! You are not only putting the associated individuals at risk, but there are many other ways you can verify ages that do not involve collecting this sensitive personal information!!! C’mon, marketers; you are paid to be creative…think about other privacy-friendly ways to accomplish your task!!!

It is really interesting to see all the articles written about the NSA, Google and other organizations for their privacy-invasive surveillance and tracking activities (generally all legitimate points), and then see marketers gleefully collecting huge amounts of personal information needlessly, with no one knowing how they are protecting it (or if they are protecting it at all), and without anyone calling them and the associated organization out for these overwhelmingly bad privacy practices. If they are not held accountable now, you can expect that they will be in the near future as the public becomes more aware of these bad business practices. Those publishing reports about them need to notice such privacy problems and not publish the portions asking for sensitive personal information. To do nothing, and simply post articles about such promotions, only perpetuates the privacy problem. If such publishing outlets are not part of the privacy solution, they become part of the privacy problem.

There are three parties with privacy responsibilities in this particular Mother’s Day promotion situation, and they each made mistakes.  There are important lessons all organizations of all sizes can learn from this situation.

NOTE: I contacted each of these three multiple times asking why they ran such a marketing promotion, and why my comments warning readers of the privacy risks were deleted. I never got a reply from Dairy Queen or Pierson Grant, but I did from ABC News, which I describe below.

1. Marketing Company: Don’t Collect Sensitive Personal Information for Marketing Purposes

In most situations, you do not need to collect sensitive personal information solely for marketing purposes. Certainly there is no reason to ask for copies of birth certificates, driver’s license numbers, credit cards, and other documents with sensitive information, to be sent through clear text email messages. Indeed, there is no reason to ask for them at all!

In this particular case there were better alternatives that the Pierson Grant marketing agency could have used to verify that a baby was born on Mother’s Day, especially considering that the people getting a free cake in return had to go to the Dairy Queen store to pick it up. Here are a few of them.

  1. The promotion could have simply said to take the birth certificate to the store, show it to the cashier, and then get the free cake.
  2. Or better yet, the marketers could have asked to have a copy of the birth announcement from the newspaper sent in return for a free cake certificate. An actual birth certificate is not necessary, and parents should be encouraged to protect these sensitive physical documents and not take them to an ice-cream shop.
  3. Or, also better than option 1, the marketers could have asked parents to show the birth announcement they sent to family and friends following the birth of their child. While not everyone sends out birth announcements, many still do (I’ve gotten several in the past year) and this is a good alternative.

And there are several other options. This short list should, however, demonstrate the point.

Lessons for marketers:

  • Never collect sensitive personal information for marketing purposes.
  • Do not ask individuals to send sensitive personal information via clear text emails.
  • The less personal information you collect, the less information you are responsible for protecting, and therefore you will have less privacy and security risk and associated liability.
  • Don’t continue bad privacy practices after you know they are bad!


2. Company Hiring the Marketing Company: Make Sure Your Marketers Are Not Risking Privacy on Your Behalf

When a company contracts another organization to do any type of activity for them that involves personal information, and marketing campaigns almost always do, the company doing the contracting needs to perform its due diligence. Any organization hiring a marketer needs to carefully review the marketer's plans for how they will execute their marketing activities, and determine the privacy risks involved. Such risks can be revealed by doing a privacy impact assessment (PIA) on the plans, and such a PIA can be done fairly quickly. Then, and only then, after all privacy risks have been identified and any revealed risks mitigated, should the okay be given to go forward with the marketing activities.

In this case Dairy Queen should have known what Pierson Grant was planning to do to verify the identity of children. If they did know this was the plan, then they failed to consider the privacy impacts of such a bad idea. If they only considered whether or not the practice was legal, and then decided to go ahead with it because there are no laws explicitly prohibiting the transmission of clear text birth certificates through the Internet, then they need to start considering privacy beyond just the context of laws. Laws are largely reactionary. Only a small percentage of privacy risks are mitigated by existing legal restrictions. Dairy Queen, and all types of organizations, need to expand their thinking beyond laws to also consider the risks to personal information based upon how it will be collected, used, shared and stored. This requires more than a legal opinion.

Remember, your organization generally is ultimately responsible for the privacy problems that are created by the marketing companies you hire.

Lessons for businesses:

  • Complete a privacy impact assessment (PIA) of any planned marketing activity that involves the collection of personal information prior to launch.
  • Never allow a marketer to collect sensitive personal information for marketing purposes.
  • Offer alternatives for high-privacy risk data collection activities.
  • Provide a notice, which includes a link to your posted website privacy policy, to individuals from whom personal information is collected for marketing purposes.
  • Don’t continue bad privacy practices after you know they are bad!

3. Company Publishing Marketing Campaign: Don’t Allow Bad Privacy Practices; You Become Part of the Problem

Considering all the news stories ABC News has done, including one I watched just this past Sunday, it seemed they were simply giving lip service to the problems they are writing and reporting about. After sending several communications to various folks at ABC News, and also Disney (their parent company), I was happy to finally get a reply from ABC News and see on May 20 that not only did they remove the Dairy Queen announcement, but they also finally allowed my last comment about it to be published.

News outlets become a significant part of the privacy problem when they allow stories promoting bad privacy practices to be printed. They become even more of the problem when they refuse to allow readers to express legitimate concerns and to warn other readers of the privacy dangers, even though there may not be any laws requiring news and publishing outlets to recognize, and decline to print, articles that put the privacy of their readers at risk.

Lessons for news and media outlets:

  • Know what your reporters and websites are actually publishing that relates to personal information and privacy issues.
  • Don’t publish articles, blogs and other reports that are asking your readers to do actions that will put their personal information…or that of their children…at risk.
  • Don’t ignore legitimate privacy concerns posted on your website and/or sent to your privacy officer, site administrator, etc.
  • Don’t continue bad privacy practices after you know they are bad!


Bottom line for all businesses of all sizes…

Existing privacy laws address only a fraction of the privacy risks that exist, and new risks are emerging all the time. Don’t put your customers’ and innocent children’s privacy at risk by doing things that may be legal but are still very bad privacy actions. Know the right questions to ask before being a player in any marketing campaign.

  • DON’T simply just ask your lawyer if what you want to do is legal. As this situation demonstrates, just because it’s legal does not mean that it is a good idea from a privacy perspective.
  • DO perform a privacy impact assessment (PIA) and consider all the privacy risks involved, including those many privacy risks that fall outside of any laws or other types of legal requirements.
  • DON’T continue bad privacy practices after you know they are bad!

This was cross-posted from the Privacy Professor blog. 

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.