Welcome back to our Mobile Industry Exposed Interview series! Data privacy and data security are becoming a high priority for the mobile marketing ecosystem. To get a better understanding of how it is changing the industry and what challenges lie ahead for advertisers, we spoke with Saira Nayak, Chief Privacy Officer (CPO) at TUNE. Among other things, we discussed the difference between US and European privacy laws and the need for companies to gain the trust of end users through education and simplified disclosures.
Saira is Chief Privacy Officer at TUNE, leading the company's external outreach on privacy and data protection matters, and ensuring TUNE's compliance with global privacy requirements. Saira, a San Francisco native, has over 15 years of legal experience in antitrust, intellectual property, privacy and data security matters. Before TUNE, she was Director of Policy at TRUSTe, where she defined the company’s external policy platform, and advised on TRUSTe’s privacy management solutions. Prior to TRUSTe, Saira worked in-house at the Microsoft Corporation, where she counseled product groups on compliance with Microsoft’s antitrust consent decree with the US government, as well as privacy and data security issues. Saira formerly served as Antitrust Counsel for the National Association of Attorneys General (“NAAG”) and worked with state Attorneys General and their staff on a number of antitrust and consumer protection investigations. She also practiced at Dickstein Shapiro (Washington, DC), where she counseled clients such as HBO, Pfizer, and the Recording Industry Association of America.
Q: You joined TUNE in September 2014 as Chief Privacy Officer. What has been your mission since then? Which challenges lie ahead?
Since I joined TUNE, my focus has been on working with our Product teams to integrate privacy and data requirements, while also reaching out to clients on data and privacy concerns. Earlier this year, TUNE secured the ePrivacy certification for mobileapptracking (MAT); that effort was driven by both our internal imperative to be compliant, as well as a need to demonstrate the strength of MAT’s privacy and data practices to German clients.
Q: Could you give a brief definition of data privacy and data security, and what the various stakeholders of the adtech ecosystem need to do around these topics (advertisers, publishers, intermediaries - DSPs, SSPs, DMPs…)?
Data privacy and security are really two halves of the same coin.
With data privacy, we’re focused on the expectations of the end user - are they aware of which entities are collecting and using data about them or their device, and are they providing the right notice, choice and opt-out rights. This obligation primarily falls on brands and advertisers - the data controllers. But third parties or data processors (who process data on behalf of a first party or data controller) should also respect end user privacy rights. This is why TUNE has individual privacy policies for all of its services and corporate site, as well as an end user opt-out (in MAT) - even though we aren’t a consumer-facing company.
With data security we care about measures taken to prevent unauthorized access to client and end user data. If your app or business model involves the collection of personal or sensitive data, then it’s important to be accountable for that collection and employ the right administrative, physical and technical safeguards to secure this data.
Q: Why are data privacy and data security such hot topics right now? Which recent developments have fostered such interest?
I think it all started with the massive data breaches of personal data we’ve been seeing in the past few years. This in turn has triggered regulatory interest and, here in the US, interest by the class action bar. I saw a PwC webcast recently that stated that privacy fines and settlements had jumped from $70 million in 2013 to nearly $1 billion in 2014. It’s no wonder that privacy and data security have become the number one topic in corporate boardrooms. In addition, the revelations about government surveillance by Edward Snowden, and coverage in the mainstream press, e.g. the Wall Street Journal’s What They Know series, have made privacy very real for individual users around the world.
Q: How can we strike a healthy balance between the need for user privacy and enabling the advertising ecosystem to offer ads that are relevant to the end users?
To deliver relevant ads to end users, advertisers must win the trust of those end users. Privacy is an important way to win end user trust. Companies should also think about whether they are demonstrating the benefit of targeted advertising to the end user. Some companies already do this and provide consumer education, as well as simplified disclosures. Others provide a discount or similar incentives to the user that demonstrate a tangible benefit of targeted advertising to that user.
Q: What are the main differences in terms of data privacy regulations between the United States and Europe?
The US has a “sector-specific” approach to privacy and security with specific laws governing health and financial data, as well as marketing to children. But it lacks a comprehensive privacy or data security law. Much of US compliance is based on “best practices” or industry codes of conduct - a concept known as self-regulation. In some cases, the industry code is based on guidance from the government and this is referred to as co-regulation e.g. the 2009 FTC Staff OBA Guidelines, which became the basis of the DAA Online Behavioral Guidelines (www.aboutads.info).
In contrast, the EU has two data protection “directives”: the 1995 data protection directive is a comprehensive law covering online and offline data and the 2002 e-Privacy Directive covers online communications. Both directives provide EU member states a “floor” to impose additional stringent requirements. As a result, the EU has a patchwork of requirements among its 27 member states.
Another difference between the EU and US schemes is enforcement. The US Federal Trade Commission, or FTC, is probably one of the most active privacy and data security regulators in the world, and enforcement is a hallmark of the US system. Although the US lacks a national privacy law, the FTC can enforce any “material” statement of compliance - including public statements (on a website or in marketing materials) around compliance with a co- or self-regulatory scheme. For instance, the US FTC has been very active in enforcing against companies that misstate their participation in the US-EU Safe Harbor (which allows companies to transfer data from the EU to the US). In contrast, there’s been no enforcement of Safe Harbor violations by EU regulators.
Q: You wrote that defining privacy rules for fast-moving industries like technology is a “Sisyphean task”. What did you mean by that?
It’s just that technology is evolving so fast, it’s hard to write requirements that aren’t almost instantly redundant. Ideally, you want to have a framework of general principles, e.g. securing data, and then think about the context within which the action is happening to identify a requirement. For example, securing data is a general principle; hashing is a specific action arising out of that principle. One way to address the Sisyphean “boulder” is to work together with other companies and decide on a common way to address the issue. This, I think, is the essence of self-regulation - which is much better suited to fast-moving industries than a system that’s governed by the slow-moving legislative process.
Q: Which data privacy and security challenges do you see as specific to the mobile advertising ecosystem?
I think the main data privacy and security challenges in mobile stem from the fact that mobile devices are so much more personal than a desktop computer, and furthermore, they can track location. This requires mobile app marketers to think carefully about what types of data they are attempting to collect from an end user’s device, how they plan to use that data, and how that data is stored and associated with other types of data. This is both a challenge and an opportunity, requiring companies to truly build privacy into the design of their apps and/or services from the planning stage. With the advent of big data, marketers will be tempted to draw inferences from end user behavior and this is one area where it will be important to understand what your customer really wants and not assume that for them. I also think a big area of focus will continue to be location, which is viewed as sensitive data both in the US and EU. There are several use cases for combining analytics and location data, but marketers need to focus on those scenarios that truly provide value and don’t “surprise” the end user.