There's a pretty good commentary by Michael Fitzgerald in ComputerWorld Norway:
"'CIOs generally don't care about privacy,' says Peter Milla, former CIO and chief privacy officer at Survey Sampling International (SSI). Milla says most CIOs either focus on technology, or regard privacy as outside their domain, the province of a chief privacy or chief security officer. He finds both attitudes wrongheaded."
I agree with Milla. It seems stupid for a CIO to focus on information and ignore data security. They go hand-in-hand. One is wholly dependent upon the other.
"Milla says he recently worked to modify a request from a big-box retailer who wanted information about the people surveyed by his company on their behalf. 'They were bewildered and frustrated that we wouldn't give it to them,' says Milla. The retailer already collects plenty of data on its customers and didn't see what the problem was with a bit more. But Milla saw a breach of privacy, a contractual violation. If it leaked out that SSI shared personal data about its panelists, it could devastate its business. Milla says the big-box retailer's attitude is endemic. Companies think the data they gather belongs to them."
To me, this episode demonstrates an arrogance and entitlement about the consumer and customer data their company archives. Without customers, their company wouldn't exist. Fitzgerald points to one historical example of this arrogance:
"Ten years ago, then-Sun Microsystems CEO Scott McNealy told us, 'You have zero privacy anyway. Get over it.' "
Given the recent rise in use of social networking sites by consumers, Fitzgerald listed some of the companies, behavioral advertising efforts, and lawsuits about bungled consumer privacy. Fitzgerald highlighted one episode:
"In the wake of its privacy faux pas with Beacon, Facebook has moved to asking its users their opinions on its privacy policies. It has also created more ways for its users to control who sees their data. To Fenwick's CTO, Matt Kesner, this creates an expectation about control over data that will ripple through the IT world."
Yes, Facebook has made some changes. In my opinion, more changes by Facebook are needed. The site still doesn't disclose how and with whom customers' personal data is shared by those popular Facebook applications. And, browsers still don't provide options for consumers to block Web beacons.
Yes indeed. I, the consumer, have an expectation about control over my personal data -- all of it, not just some of it. Fitzgerald highlighted a behavioral advertising example:
"one of the British ISPs, BT, acknowledged piloting the program using actual consumer data, without asking for permission. That has landed BT in hot water. The European Commission has initiated legal action against the United Kingdom over its refusal to stop companies like BT from using live customer data without permission. Meanwhile, Amazon and Wikimedia have said they will block Phorm from accessing traffic on their sites, and in late April, the U.S. Congress began holding hearings on deep-packet inspection."
While some executives (and some consumers) maintain the myopic position that there is no privacy for consumers, these folks entirely miss the point.
First, it is about choice. Consumers choose whether or not to disclose their personal data when doing business with these companies. Second, control matters. Just because consumers choose to disclose their personal data (at the cash register or at the company's web site) doesn't mean that consumers give up all rights to control their personal data. Third, legal compliance matters. In the USA there are existing laws that require companies to protect certain types of sensitive consumer personal data (e.g., financial data, medical data, etc.). Fourth, it's about notice. Consumers expect opt-in mechanisms and to be notified about when and how their personal data is used. Opt-out mechanisms are not enough.
For me, my awareness as a consumer has been raised about privacy and various Internet technologies. It is no longer acceptable for a company:
- To perform a behavioral advertising program without first notifying consumers and getting consumers' explicit permission via opt-in,
- Not to disclose in its web site policies the offshore outsource vendors it works with, and under which circumstances and when it shares consumer data with those offshore vendors,
- Not to disclose data breaches by the offshore vendors the company does business with,
- Not to provide a mechanism for customers to communicate directly and immediately to a company representative via the company's web site using e-mail, reply forms, or similar methods.
Company executives that don't understand this and the shifting landscape are setting up their companies to go out of business, and suffer class action lawsuits.