IAPP Canada Privacy Symposium 2016: Business Analytics and Privacy-Related Risks
We will discuss the fact that Canadian businesses have been capturing and analyzing large amounts of data for years, and they are now at the point where they want to use this data. For instance, they are looking to sell analytic tools allowing others to obtain more insights into their (actual or potential) customers or to provide more personalized products, services or advertising, both online (i.e. mobile) and offline, sometimes even using location data. In the era of Big Data, new business models and marketing techniques are emerging, including facial recognition and personalization reaching new levels of sophistication, as well as dynamic pricing practices, to name but a few.
Businesses need to consider whether personal information is properly “de-identified;” what type of information should be considered “sensitive” in various contexts (first party vs. third party targeted advertising, personalization, online services, etc.); how to obtain valid consent in compliance with the “reasonable expectations” of customers (a notion which is quite subjective and even more challenging in light of recent PIPEDA amendments through Bill S-4, Digital Privacy Act); and how to deal with technological innovation, shifting social norms and building customer trust through proper privacy practices. With new innovative technologies, businesses have to ensure that their practices are legally compliant, as well as ethical, fair and reasonable. They must also ensure they properly manage some of the most important legal risks: privacy class actions (given that some lawsuits are being filed following the launch of a new privacy-sensitive product or innovative marketing program) and dealing with law enforcement requests for disclosures.
What you’ll take away:
- At what point personal information should be considered “anonymized,” and what level of aggregation (5 individuals? 15? 40?) is sufficient for data used for analytics to be considered no longer subject to data protection laws
- Whether analyzing data for internal purposes or conducting business analytics is subject to some form of consent requirement, and if so, how to obtain consent that meets the “reasonable expectations” of the individual and complies with recent PIPEDA amendments (S-4, Digital Privacy Act)
- How to determine what can trigger customer privacy concerns (what type of information should be considered “sensitive”) and how to properly manage reputational risks and avoid being perceived as “creepy” by customers
- How to avoid, address and manage some of the most important legal risks: privacy class action lawsuits and law enforcement requests for disclosures
This content was updated on May 3, 2016 at 8:55.