How To Build A Privacy Infrastructure For Digital Out Of Of Hme (Dooh)

Transcription

1 Building the Digital Out-Of-Hme Privacy Infrastructure March 1, 2010 Intrductin Digital Out-Of-Hme (DOOH), als knwn as digital signage r smart signs, is a cmmunicatins medium characterized by a dynamic display presenting messages in a public envirnment.1 One f the mst cmmn examples f DOOH media is a flat screen televisin displaying a lp f advertisements in retail stres. Other DOOH units take the frm f kisks, prjectrs r digital billbards. The units appear in a brad range f settings, including in shpping malls, hspitals and dctrsʼ ffices, public transprtatin, gas statins, restaurants, gvernment facilities and public schls. The messaging cntent is ften cntrlled via cmputer, enabling ne master lcatin t cntrl many netwrked units. The medium is a prminent part f the shift in cmmunicatins and advertising away frm traditinal ffline media.2 DOOH has rapidly grwn int a multibillindllar industry ver the past decade. Despite the ecnmic dwnturn, industry frecasts predict grwth at duble-digit rates fr the next 3-5 years.3 There were an estimated 630,000 displays in the United States in 2007, thugh there are many mre wrldwide, particularly in China.4 1 Digital Signage Resurce, Digital Signage Terms Glssary, (last visited Jan. 3, 2010). 2 VSS Frecast Shws Majr Shifts in Cmmunicatins Industry Grwth Patterns, Digital Signage Exp, Sep. 14, 2009, ArticleID/1854/reftab/67/t/VSS-Frecast-Shws-Majr-Shifts-in-Cmmunicatins-IndustryGrwth-Patterns/Default.aspx. 3 Frecasts Shw Digital Out-f-Hme Still n Track fr Grwth, Digital Signage Exp, Nv. 18, 2009, ArticleID/2249/reftab/67/t/Frecasts-Shw-Digital-Out-f-Hme-Still-n-Track-frGrwth/Default.aspx. 4 InfTrends Study Shws Strng Grwth Up Ahead fr Digital Signage, InfTrends, Jun. 6, 2007,

2 Until recently, a shrtcming f digital signage as an advertising medium was the challenge in determining hw many and what kind f individuals see a given display unit. This made it difficult fr advertisers t measure the size f their audience and price ad time n DOOH netwrks accrdingly. This prblem als makes it relatively difficult t target ads t specific audience demgraphics r psychgraphics, which is a crnerstne f mdern advertising. T vercme these bstacles, the DOOH industry is explring several technlgies that will imprve audience measurement and interactivity. Depending n the system, these enhancements ften btain a range f infrmatin abut cnsumers. Sme f the technlgies have the ability t identify individual cnsumers, track them as they mve frm place t place and stre detailed infrmatin abut their preferences and activities. These emerging technlgies include Facial recgnitin: Increasingly, DOOH units use facial measurement technlgy t discern certain characteristics abut a persn lking at the display. This is perhaps the mst cmmn methd, with ne cmpany claiming t have scanned 120 millin peple t date. 5 Sme systems, while nt yet cnfigured t identify individuals, can calculate a passerbyʼs age, gender, and race, and determine hw lng an individual watches the display. The advertisement n the screen can then change t match the cnsumerʼs prfile. Other systems nte nly gender, and still thers merely cunt the number f faces that see the screen (gazetracking). Mbile marketing: A rising number f DOOH units interact in varius ways with prtable devices, particularly mbile phnes. Sme units cmmunicate with phnes via SMS messaging and Bluetth t send rich cntent (like ringtnes r mvie trailers) t cnsumers. Other units enable cnsumers t dwnlad a cupn, play games, r enter cntests thrugh their mbile phnes. Given the brad range f ptential applicatins fr mbile marketing and DOOH, industry analysts predict the tw media will grw tgether. Scial netwrking: Sme DOOH units prvide access t scial netwrks like Facebk, Twitter and Flickr thrugh the Web r apps n cnsumersʼ mbile devices. In sme applicatins, cnsumers can send user-generated messages, phts and ther cntent t specific DOOH screen lcatins in real time. Sme lng-view predictins see cnsumers cnsulting friends abut clthing purchases thrugh retail-based DOOH screens ver scial netwrks. Radi Frequency Identificatin (RFID): The mst cmmn use f RFID in DOOH features RFID-enabled shelves that prmpt nearby digital signage units t display advertisements related t the prducts 5 Quividi, Autmated Audience Measurement, (last visited Jan. 3, 2010). 2

3 n the shelves. Other DOOH systems air ads triggered by shpper lyalty cards equipped with RFID. 6 License plate scanners: In a 2009 advertising pilt, digital billbards alng a UK highway displayed persnalized advertisements t passing cars. Radside cameras scanned license plates and ran the numbers thrugh the Driver and Vehicle Licensing Agency. The billbard then displayed the license number and the best type f mtr il fr that make and mdel f car. Public utrage and questins abut whether the piltʼs use f mtr vehicle registratin data fr marketing vilated UK privacy laws led t the piltʼs abrupt shutdwn. 7 DOOH uses ther technlgies, such as GPS, t a lesser extent, and mre have ptential t cmbine with DOOH t create interactive experiences fr cnsumers. Clearly DOOH can integrate many technlgies t cllect a brad range f cnsumer data in varius cntexts. Althugh the privacy recmmendatins in this dcument is intended t ffer suggestins fr present and future DOOH data cllectin practices, the significant innvatin DOOH has shwn in the past will likely lead t hithert unfreseen business mdels. The lng view: Behaviral advertising n the Internet f Things The Internet f Things has prfund implicatins fr ut-f-hme targeted marketing. Several sectrs are cnverging t encurage the grwth f pervasive cmputing, including DOOH, lcatin-based services, mbile payment systems, supply chain management, intelligent buildings and security. An extensive digital signage netwrk cmbined with ubiquitus bject tagging wuld enable advertisers t target persnalized, lcatin-based messages t individuals wherever they are. The Internet f Things is a term used t describe a cmputerized netwrk f physical bjects. 8 The netwrk wuld be supprted by an array f sensrs and data strage devices embedded in bjects, interacting with web services. 9 The 6 Clair Swedberg, French Jean Butique Adpts RFID t Bst Lyalty, RFID Jurnal, Jul. 11, 2007, 7 Christpher Leake, Driversʼ details sld by DVLA are used in bizarre radside adverts fr Castrl, Daily Mail, Sep. 27, 2009, /Nw-drivers-details-sld-DVLA-used-bizarre-radside-adverts-Castrl.html. 8 Fr a detailed discussin, see Intʼl Telecmm. Unin, ITU Internet Reprts 2005: The Internet f Things (7th ed. 2005). 9 One cmmnly referenced Internet f Things scenari envisins a refrigeratr that can mnitr the fd it stres. 9 The refrigeratr culd ntify the wner when fd spils, dwnlad recipes frm websites that make use f the fd in the fridge, ntify the wner f recalls frm the manufacturer, r ntify the wner f sales f fd he r she prefers. Several early versins f this appliance are ut n the market. See Richard MacManus, Internet Fridges: State f the Market, ReadWriteWeb, Jul. 28,

4 first generatin Internet f Things is being built n RFID tags and readers, and the related Near Field Cmmunicatin, but may als use Bluetth and ther technlgies that enable cmmunicatin at a distance. Because these technlgies reveal unique numbers r addresses t readers, they are easily assciated with the wners f the tagged bjects. Widely deplyed, this system wuld reveal vast amunts f data related t the tagged bjects, including lcatin infrmatin, envirnmental cnditins and prximity t ther bjects. Marketers, gvernment r researchers culd gather highly detailed data regarding an individualʼs activities, preferences and habits anywhere the individual ges, nt just when an individual is in frnt f a digital sign. 10 Data aggregatrs wuld be able t accumulate the varius pieces f data t create a unique prfile t serve targeted advertising as individuals passed a digital sign. An envirnment in which digital tags and readers are ubiquitus raises difficult issues f transparency, user cntrl ver data cllectin, lng-term prfiling and lcatin tracking. This dynamic is likely t blur the traditinal distinctin between privacy in the hme and utside the hme, particularly if husehld bjects relay data t third parties, which may necessitate a new thery f privacy that encmpasses bth the hme and public places. Even s, as a practical matter, privacy safeguards may be significantly mre difficult t implement n the massive scale that a pervasive system f tags, readers and advertising screens wuld require. The Internet f Things can bring numerus benefits, but unless careful attentin is paid t privacy as the system is being built, the Internet f Things can als create a sciety in which cnstant targeted advertising and gvernment surveillance diminish quality f life. This will take a cmmitment t privacy n the part f all the stakehlders in the Internet f Things, including the DOOH industry. The time is right fr a DOOH privacy framewrk Using identificatin and interactivity technlgies, the DOOH and mbile industries are taking the Internet experience int the physical wrld. In ding s, DOOH has established a burgening ffline versin f the behaviral advertising that currently ccurs nline the practice f tracking cnsumersʼ activities in rder t deliver advertising targeted t the individual interests. 11 Deplyed t enugh lcatins in digital signage units, such a practice may well be prfitable t the industry, just as behaviral advertising has prven prfitable n the Internet. 10 As example f an early pervasive tracking system, see the 2008 Cityware research prject. Researchers mnitred the Bluetth signals f hundreds f thusands f peple withut their knwledge in the UK twn f Bath. The researchers installed Bluetth signal receivers in pubs, ffices and ther public spaces and recrded the cllected infrmatin in a central database t study hw peple mve in the city. See Paul Lewis, Bluetth is watching: secret study gives Bath a flavur f Big Brther, The Guardian, Jul. 21, 2008, 11 Federal Trade Cmmissin, FTC Staff Reprt: Self-Regulatry Principles fr Online Behaviral Advertising, Pg. 2 (Feb. 2009), 4

5 Privacy invasin assciated with DOOH is nt rampant because nly a small percentage f digital signage units have audience measurement, identificatin r interactive capabilities. Hwever, the industry trend is clearly tward greater adptin f measurement, identificatin and surveillance capabilities, nt less. The usefulness f audience data t marketers and the increasing cst effectiveness f sphisticated equipment will encurage the DOOH industry t cllect detailed cnsumer data. Interactivity has been named a key driver f digital signage grwth in In January 2010, Intel and Micrsft annunced a jint effrt t develp DOOH that can emulate the ability f nline retailers t identify returning custmers and tailr advertisements t them based n their shpping histries. 13 Crdinating nline and ffline behaviral advertising will be especially natural t cmpanies like Fcus Media Hlding. Fcus Media wns an extensive Internet advertising netwrk and als perates the largest DOOH netwrk in China, with mre than 190,000 screens. 14 Cnsumers and cmpanies are already wary f the privacy implicatins f identificatin and cnsumer prfiling technlgies in DOOH. Cmments t blg psts and news articles n facial recgnitin in digital signage indicate many cnsumers have little faith that DOOH cmpanies will prtect cnsumer data. 15 Sme industry figures have said that cmpanies must guarantee cnsumer privacy, 16 while thers have cited privacy issues as an bstacle t using facial recgnitin technlgy fr advertising purpses. 17 A New Yrk Times article n billbards with facial recgnitin prmpted a majr DOOH cmpany t publicly defend its privacy practices. 18 Public backlash and pssible vilatins f existing 12 Capital Netwrkʼs Research Identifies Custmer Interactin as Key Digital Signage Trend fr 2010, Digital Signage Exp, Dec. 3, 2009, ArticleID/2312/reftab/66/Default.aspx. 13 Dn Clark and Nick Wingfield, Intel, Micrsft Offer Smart-Sign Technlgy, Wall Street Jurnal, Jan. 12, 2010, 14 Fcus Media, Cmpany Overview, (last visited Jan. 3, 2010). 15 Nilay Patel, TruMedia says its facial-recgnitin bilbards will never recrd vide, it wnʼt share with cps User Cmments, Engadget, Jun. 10, 2008, 16 Bill Gerpa, Digital signage netwrks must guarantee viewer privacy, The Digital Signage Insider, Aug. 1, 2008, es/digital_signage_netwrks_must_guarantee_viewer_privacy-569.html. 17 Digital Signage Exp, Questin f the mnth, Sep., 2009, 18 TruMedia: Facial Recgnitin Bards Will Never Recrd, Share Data, MediaBuyerPlanner, Jun. 11, 2008, 5

6 privacy laws have already led t the discntinuatin f sme DOOH advertising prjects, as with the billbard which scanned UK license plates. The reactin t smart signs parallels the cntrversy assciated with nline behaviral advertising. A 2009 study f cnsumer attitudes twards behaviral advertising fund tw-thirds f Americans definitely wuld nt allw marketers t track them nline, even if the tracking is annymus. 19 The study als fund 90% f yung adults reject advertising tailred t them based n ffline activities. Cnsumers repeatedly vice ppsitin t behaviral tracking fr nline advertising. Facebk users have revlted several times ver uses f their infrmatin n Facebk, persuading the scial netwrking site t repeatedly revise its privacy plicies and the infrmatin management tls it prvides t its users. 20 In 2009, the Federal Trade Cmmissin (FTC) issued self-regulatry guidelines fr nline behaviral advertising. 21 The sn-t-be Chairman stated the guidelines may be the last clear chance the industry had t shw it wuld effectively prtect cnsumer privacy in the absence f stricter legislatin. 22 Cngress has held multiple hearings n the issue, 23 and members f Cngress 19 Jseph Turw, Jennifer King, Chris Hfnagle, Amy Bleakly & Michael Hennessy, Cntrary t What Marketers Say, Americans Reject Tailred Advertising and Three Activities that Enable It, Pg. 3 (Sep. 29, 2009), 20 David Cursey, After Criticism, Facebk Tweaks Friends List Privacy Optins, PC Wrld, Dec. 10, 2009, friends_list_privacy_ptins.html?lmia_w=t0:s0:a41:g26:r32:c :b :z 0. See als Jessica Vascellar, Facebkʼs Abut-Face n Data, The Wall Street Jurnal, Feb. 19, 2009, See als, Juan Perez, Facebkʼs Beacn Mre Intrusive Than Previusly Thught, PC Wrld, Nv. 30, 2007, sly_thught.html. 21 Federal Trade Cmmissin, FTC Staff Reprt: Self-Regulatry Principles fr Online Behaviral Advertising, (Feb. 2009), 22 Id., Cncurring Statement f Jn Leibwitz, Chairman f the FTC, 23 Behaviral Advertising: Industry Practices and Cnsumersʼ Expectatins: Hearing befre the United States Huse f Representatives Cmmittee On Energy And Cmmerce Subcmm. On Cmmunicatins, Technlgy and the Internet and the Subcmm. On Cmmerce, Trade and Cnsumer Prtectin, 111th Cng., (Jun. 2009), :energy-and-cmmerce-subcmmittee-hearing-n-behaviral-advertising-industrypractices-and-cnsumers-expectatins&catid=122:media-advisries&itemid=55. 6

7 have repeatedly called fr privacy legislatin t regulate hw cnsumer infrmatin is cllected, used and shared fr nline marketing. 24 Given this envirnment, DOOH cmpanies shuld practively adapt their practices t be transparent and minimally intrusive, and t affrd cnsumers cntrl ver hw their infrmatin is cllected and used. Incrprating privacy int the fabric f DOOH business mdels and data management practices is the best way t prevent privacy risks befre they arise. 25 It will be less expensive fr DOOH cmpanies t integrate privacy cntrls nw, while identificatin technlgies are still relatively new t the industry, than it will be t retrfit privacy prtectins nt existing systems. Hw DOOH cmpanies handle the privacy issues they face tday will affect the way the public, regulatrs and advertisers perceive the industry, as well as the industryʼs directin in the future. The industry shuld prve its dedicatin t privacy prtectin t reduce the risk that the public will cnsider interactive DOOH a disrespectful intrusin. POPAI, a trade assciatin, recently released a first generatin set f privacy guidelines fr the industry. 26 POPAIʼs Cde f Cnduct is an excellent start fr industry self-regulatin. In particular, the Cdeʼs sectin n crss-channel and crss-dmain marketing cntains several gd privacy prtectins, such as the requirement that a cnsumer re-pt in each time he r she enters a new venue where crss-dmain marketing takes place. 27 Hwever, the Cde des nt articulate a full set f Fair Infrmatin Practices, nr des it suggest DOOH cmpanies establish a cmprehensive privacy framewrk. The POPAI Cde is a sund fundatin fr the DOOH industry, but the industry shuld nt limit itself t the Cdeʼs recmmendatins. Prtectin shuld g beynd directly identifiable infrmatin Sme privacy prtectin framewrks, including many industry guidelines, typically extend nly what was traditinally cnsidered persnally identifiable infrmatin (PII). PII was thught t include nly infrmatin that can be directly linked t an individualʼs identity. Hwever, it is increasingly being realized that the distinctin between PII and nn-pii is becming much less meaningful in light f data analytic capabilities. Researchers have demnstrated that individuals can 24 Rep. Rick Bucher, Behaviral ads: The need fr privacy prtectin, The Hill, (Sep. 24, 2009, 25 Fr mre detailed discussin f the Privacy By Design cncept, see Center fr Demcracy & Technlgy, The Rle f Privacy by Design in Prtecting Cnsumer Privacy, Dec. 21, 2009, 26 POPAI Digital Signage Grup, Best Practices: Recmmended Cde f Cnduct fr Cnsumer Tracking Research, (last visited Feb. 7, 2010). 27 See POPAI Cde, Pgs

8 still be identified frm recrds stripped f traditinal identifiers. 28 The FTC supprts extending privacy prtectin t infrmatin beynd that which nly directly identifies individuals. 29 Therefre, the best apprach fr cmpanies is t evaluate all the data they cllect n a spectrum ranging frm directly identifiable t pseudnymus t aggregated, prviding different levels f privacy prtectin crrespnding t the sensitivity f the infrmatin invlved. 30 Directly identifiable data includes what was nce referred t as PII: Name Address Telephne number Date f birth Scial Security Number Driverʼs license number License plate number address Bank, credit card, r ther accunt number Bimetric data, such as unique data pints captured via facial recgnitin systems Images f individuals. In additin t directly identifiable data, cmpanies shuld extend prtectin t any data that culd reasnably be assciated with a particular cnsumer r a particular cnsumerʼs prperty, such as a smart phne r ther device. 31 The term pseudnymus data refers t infrmatin assciated with a unique identifier. Althugh pseudnymus data des nt directly identify an individual, pseudnymus data can be traced t an individualʼs identity with relative ease. This type f data includes, but is nt limited t RFID cdes: RFID chips frequently cme with a uniquely identifiable number, which can individualize any prperty t which the chip is attached. Device identificatin numbers, such as IP address, Mac address, Bluetth number, Near Field Cmmunicatin number, Internatinal Mbile Equipment Identity number. 28 See Paul Ohm, Brken Prmises f Privacy: Respnding t the Surprising Failure f Annymizatin (August 2009), 29 Federal Trade Cmmissin, FTC Staff Reprt: Self-Regulatry Principles fr Online Behaviral Advertising, Pgs. iii, (Feb. 2009), 30 See Center fr Demcracy & Technlgy, Threshld Analysis fr Online Advertising Practices, Pg. 17 (Jan. 2009), 31 Federal Trade Cmmissin, FTC Staff Reprt: Self-Regulatry Principles fr Online Behaviral Advertising, Pgs (Feb. 2009), 8

9 Internet username, such as the name with which ne uses t psts t a discussin frum. Scial netwrking data, including lgin infrmatin and friend lists. User-generated data: data generated knwingly by an individual, such as search terms, psts in discussin frums and data input int scial netwrking prfiles. Whether a data element will reasnably identify an individual will depend n the cntext in which the data was cllected. When determining the privacy practices necessary fr handling pseudnymus data, cmpanies shuld cnsider the availability f ther data sets. 32 An individualʼs identity may be reasnably inferred by cmbining pseudnymus data with, fr example, recrds f purchases frm credit r lyalty cards, security surveillance systems, r aggregated lcatin data which reveals unique habits r travel patterns. Aggregate data includes infrmatin abut multiple individuals that cannt reasnably be used t directly identify r infer the identity f a single individual. The mst prminent example f this in DOOH may be facial qualificatin, where the demgraphics f individuals passing by a digital sign are cmpiled ver time, but unique bimetric data pints and images f individuals are nt saved. Even thugh aggregate data may nt be directly identifiable r re-identifiable, cmpanies shuld incrprate privacy practices particularly transparency int their cllectin f such data. Many cnsumers bject t cvert behaviral targeting even if it is dne n an annymus r aggregate basis. 33 Plicy Framewrk and Mdels Privacy standards fr DOOH shuld be based n the widely accepted Fair Infrmatin Practices (FIPs). These internatinally recgnized principles are reflected (althugh ften incmpletely) in many privacy laws in the U.S. and are als the basis f mre cmprehensive privacy laws internatinally, such as the Eurpean Uninʼs Data Prtectin Directive. Recently, the U.S. Department f Hmeland Security adpted a mdern and cmprehensive frmulatin f these principles. 34 CDT has recmmended DHSʼ frmulatin f the FIPs t the FTC as the basis fr addressing nline behaviral advertising, and we believe it is equally well-suited as the basis fr privacy guidelines fr the DOOH industry. These are the FIPs as set frth by DHS: Transparency 32 See, e.g., Bradley Malin and Latanya Sweeney, Hw (Nt) t Prtect Genmic Data Privacy in a Distributed Netwrk: Using Trail Re-identificatin t Evaluate and Design Annymity Prtectin Systems, Jurnal f Bimedical Infrmatics 37 (2004), Jseph Turw, Jennifer King, Chris Hfnagle, Amy Bleakly & Michael Hennessy, Cntrary t What Marketers Say, Americans Reject Tailred Advertising and Three Activities that Enable It, Pg. 3 (Sep. 29, 2009), 34 Department f Hmeland Security, The Fair Infrmatin Practice Principles: Framewrk fr Privacy Plicy at the Department f Hmeland Security (Dec. 2008), 9

10 Individual Participatin Purpse Specificatin Data Minimizatin Use Limitatin Data Quality and Integrity Security Accuntability The nline behaviral advertising industry has partially incrprated the FIPS int varius self-regulatry guidelines. These include the guidelines issued by the Netwrk Advertising Initiative and by the Interactive Advertising Bureau. Hwever, as CDT has pinted ut, the guidelines f the nline advertising industry fall shrt in key areas, s the DOOH industry shuld nt merely mimic them. 35 Nevertheless, the industries share the practice f targeting advertisements t cnsumers based n their activities. This makes it wrthwhile fr DOOH cmpanies t familiarize themselves with the privacy framewrks f their nline cunterparts. DOOH cmpanies and their affiliates may als find relevance in existing framewrks fr the technlgies they use. Fr example, DOOH cmpanies that utilize mbile marketing shuld use the Mbile Marketing Assciatin (MMA)ʼs Glbal Cde f Cnduct as a baseline n which t build. 36 Similarly, DOOH cmpanies that use RFID shuld integrate the standards f relevant trade assciatins r privacy grups. 37 Nne f these framewrks is perfect, and sme are deficient in certain areas, but they may serve as a starting pint fr cmpanies t develp their wn plicies. With reference t existing mdels, and drawing n the cmprehensive DHS framewrk, CDT recmmends that the DOOH industry develp a privacy framewrk alng the fllwing lines: 1) Transparency DOOH data cllectin and use shuld be transparent. Generally, there are tw imprtant ways fr DOOH cmpanies t d this. First, DOOH cmpanies shuld develp privacy plicies and publish them n their websites. Secnd, DOOH cmpanies shuld give cnsumers ntice at the lcatin in which the DOOH unit is placed. Transparency thrugh ntice and a public privacy plicy is the 35 Center fr Demcracy & Technlgy, Online Behaviral Advertising: Industry's Current Self-regulatry Framewrk is Necessary, But Still Insufficient On Its Own t Prtect Cnsumers, Dec. 7, 2009, 36 Mbile Marketing Assciatin, Glbal Cde f Cnduct (Jul. 2008), 37 Center fr Demcracy & Technlgy Wrking Grup n RFID, Privacy Best Practices fr Deplyment f RFID Technlgy, May 1, 2006, See als Electrnic Privacy Infrmatin Center, Guidelines n Cmmercial Use f RFID Technlgy, Jul. 9, 2004, 10

11 respnsibility f nt just the technlgy vendrs, which are unfamiliar t cnsumers, but als the digital signage netwrk peratrs and the wners f the establishments at which the signage is lcated. a) Privacy Plicies Privacy plicies serve an imprtant rle. Internally, the prcess f develping a privacy plicy frces a cmpany t assess its data cllectin practices and develp rules fr the custdianship f the data it cllects. A privacy plicy shuld describe in cncise, specific terms What cnsumer data is cllected, Hw the data is cllected, The purpses fr which the data is used, With whm the data is shared, Hw the data is prtected, Hw lng the data is retained, and The chices that cnsumers have with respect t their data. Once the plicy is set, data shuld nt be cllected, shared r used in any way cntrary t the published privacy plicy. 38 In sme cases, the data management practices f the DOOH cmpany may verlap with the practices f anther cmpany, such as when DOOH integrates with mbile marketing r scial netwrking applicatins. The DOOH privacy plicy shuld underscre hw these services interact. Numerus DOOH cmpanies already publish privacy plicies. Fr example, sme f the plicies f cmpanies using facial recgnitin state they d nt retain images r identify individuals. 39 Similarly, sme cmpanies that integrate digital signage and scial netwrking publish privacy plicies. 40 Hwever, existing plicies vary greatly in detail, and nt all DOOH services specify what they d with persnal infrmatin. 41 A privacy plicy alne is nt enugh, hwever, and 38 The FTC cnsiders a material vilatin f a published privacy plicy t cnstitute an unfair and deceptive trade practice prhibited under the Federal Trade Cmmissin Act. 15 U.S.C. 45(a)(2). See als Mark Fley, The FTCʼs Web Site Privacy and Security Rules fr Every Business, Wiscnsin Lawyer, (Mar. 2008), tentdisplay.cfm&cntentid= Cgnvisin, Privacy Plicy, Sep., 2007, 40 LcaMda, Privacy Plicy, (last visited Jan. 3, 2010). 41 See e.g., The Marketplace Statin, Privacy Plicy, (last visited Feb. 7, 2010). The plicy makes n reference f the data cllectin systems integrated int sme f Marketplace Statinʼs screens. See Cgnvisin integrates with BradSign fr autmated digital signage campaign analytics, Digital Signage Tday, Apr. 17, 2009, 11

12 many cnsumers cnfuse the mere existence f a plicy with substantive privacy prtectins. 42 b) Ntice At present, mst DOOH cmpanies are cmpletely unknwn t cnsumers, s cnsumers are unlikely t lk fr the privacy plicies psted n the websites f DOOH cmpanies. Even if cnsumers cme t knw the names f DOOH cmpanies, current practices give cnsumers little hint as t what cmpany is respnsible fr a given DOOH display. The challenge fr the industry is t find a way t present meaningful ntice at the pint f data cllectin. Such ntice is fundamental t transparency and individual participatin. Cnsumers shuld be given clear, prminent ntice f DOOH media units that cllect cnsumer data at the physical lcatin in which the unit perates. T the extent pssible, the ntice shuld appear cnspicuusly n r clse t each DOOH unit that is cllecting the infrmatin. 43 One ntice shuld nt cver, fr example, an entire supermarket, but instead shuld be at each sensr and assciated DOOH screen within the supermarket. There shuld be n hidden receivers, cameras r sensrs used exclusively fr marketing. Generic ntices like These premises are under vide surveillance are nt sufficient. Cnsumers have cme t assume such ntices t relate t security measures, nt marketing. Such ntices d nt prvide accurate ntificatin f the mre cmprehensive data cllectin, sharing and usage assciated with marketing. If a DOOH unit is used fr bth security and fr marketing, r if security infrmatin is used fr marketing, the ntice (and privacy plicy) shuld clearly disclse this. CDT cnceptualizes three tiers f ntice. At minimum, DOOH cmpanies culd adpt a symbl t place n signage units, such as n a small placard r appearing n the screen alngside cntent. The symbl shuld identify the unit as ne that cllects sme frm f cnsumer data. This apprach wrks best if the symbl is adpted n an industry-wide basis and tested t ensure real cnsumers understand what it means. The nline behaviral advertising industry is adpting this apprach. Many nline ads that use demgraphic and behaviral data will include a certain symbl and phrases like Why did I get this ad?. An Internet user wh clicks the symbl r phrase will receive an explanatin f the hw the ad was targeted t him r her. 44 Similarly, if DOOH units include nly 42 Jseph Turw, Chris Hfnagle, Deirdre Mulligan, Nathaniel Gd, Jens Grssklags, The FTC and Cnsumer Privacy in the Cming Decade, Pg. 2 (Nv. 8, 2006), 43 The POPAI Cde permits ne ntice t cver ne establishment. See POPAI Cde f Cnduct, Pg. 8. Hwever, CDT believes a ntice shuld be prvided at each screen. One discreet ntice in an islated lcatin within a large retail stre full f labels cmpeting fr cnsumersʼ attentin is insufficient t prvide ntice fr a DOOH netwrk cllecting data thrughut the stre. 44 Stephanie Cliffrd, A Little ʻiʼ t Teach Abut Online Privacy, New Yrk Times, January 26, 2010, 12

13 symbls as ntice, a cmprehensive ntice shuld als be placed elsewhere in the establishment. The secnd tier f ntice that culd be placed n the DOOH unit wuld identify the cmpany wh wns r perates the unit, infrm cnsumers f what infrmatin is being cllected. Again, there shuld be a cmprehensive ntice elsewhere in the establishment. The third tier is a cmprehensive ntice that includes the abve infrmatin, and als the purpses fr which the infrmatin is being used, with whm the infrmatin is shared, what ther cnsumer data will be cmbined with the infrmatin and, if applicable, the chices cnsumers have with respect t the infrmatin being cllected. In cases where DOOH units interact with cnsumersʼ devices, such as with smart phnes via Bluetth, a cmprehensive ntice shuld als be delivered directly t the cnsumersʼ devices. This shuld be the nrm when the DOOH unit r the cnsumer initiates the interactin. 2) Individual Participatin The FIPs principle f individual participatin embdies tw cncepts: the right t cnsent t the cllectin and use f data and the right t access t data that has been cllected abut neself. The rbustness f the individual participatin prtcl required varies depending n the sensitivity and identifiability f the infrmatin cllected and the use t which it is put. Similarly t the POPAI Cde, CDT cnceptualizes DOOH audience measurement and interactive marketing as ccurring n general three levels: Level I: Audience cunting. Infrmatin related t cnsumers is gathered n an aggregate basis and nt used fr tailring advertisements. N retained infrmatin, including images, links t individuals r their prperty. Example: facial recgnitin systems that track gazes r recrd passerby demgraphics, but d nt stre facial images r cntextualize ads. Level II: Audience targeting. Infrmatin related t cnsumers is cllected n an aggregate basis and is used fr tailring cntextual advertisements t individuals. N retained infrmatin, including images, links t individuals r their prperty. Example: facial recgnitin systems that recrd passerby demgraphics and cntextualize ads accrdingly. Level III: Audience identificatin and/r prfiling. Infrmatin related t cnsumers is cllected n an individual and aggregate basis and is used fr tailring advertisements. Infrmatin linked t individual identity r an individualʼs prperty (such as a mbile phne) is retained. Example: using DOOH netwrks fr scial netwrking, RFID tracking, mbile marketing. a) Cnsent 13

14 Cnsumers shuld have a ready means t chse whether their data is cllected fr advertising purpses. The means will differ between DOOH systems and services. Levels I and II shuld implement pt-ut cnsent. At minimum, pt-ut cnsent can be accmplished via ntice by giving cnsumers an pprtunity t avid a particular DOOH unit. Level III requires pt-in cnsent, which shuld be issued after the cnsumer has the pprtunity t examine the applicable privacy plicy. Cnsumers shuld be able t exercise cntrl ver what infrmatin is cllected, which marketing messages they receive, and which ther cmpanies and parties may see the data. The cnsent shuld be persistently hnred until the cnsumer alters his r her chice, and the cnsent shuld als be revcable at any time. T the extent pssible, pt-in cnsent prtcl shuld be granular withut als being cnfusing t cnsumers. One way t strike this balance is t ffer varius privacy cntrl ptins, but t als ffer an easy means t pt-ut r pt-in t all the chices at nce. b) Access Cnsumers shuld have the ability t view and crrect any directly identifiable data cllected abut them fr DOOH marketing. Cnsumer cnfidence in an rganizatin may be vastly imprved if individuals have access t their wn data, whereas cnsumers will perceive surveillance and data analysis behind clsed drs as cnsiderably mre intrusive. 3) Purpse Specificatin, The purpse specificatin principle requires a cmpany t think thrugh its data cllectin and use practices and t specify hw the cmpany intends t use the data it is cllecting. The purpses t which cnsumer data will be put shuld be nly specified nt later than at the time f cllectin. Prperly applied, the principle shuld lead cmpanies t minimize the cllectin f unnecessary data, which is the next principle. 4) Data Minimizatin Thrugh privacy plicies and guidelines, individual cmpanies and the DOOH industry as a whle shuld cmmit t limit their data cllectin and retentin t nly the minimum necessary t achieve specified ends. DOOH cmpanies shuld cllect and use the minimum amunt f cnsumer data necessary t deliver their services. Fr example, there is n need t use a license plate number when a carʼs make and mdel will d. 45 In mst cases, it may nt be necessary t retain cnsumer data fr future use beynd the delivery f a cntextual advertising message. Fr example, there is n need t maintain persistent recrds f phne numbers r Bluetth addresses when a cmpany 45 Christpher Leake, Driversʼ details sld by DVLA are used in bizarre radside adverts fr Castrl, Daily Mail, Sep. 27, 2009, /Nw-drivers-details-sld-DVLA-used-bizarre-radside-adverts-Castrl.html. 14

15 des nt seek an nging relatinship with the individuals assciated with that data. When a DOOH cmpany des retain cnsumer infrmatin, that retentin shuld last n lnger than is needed t serve the purpse fr which it was cllected, as specified in the privacy plicy. 46 If a cnsumer pts-ut r cancels a service, the assciated infrmatin shuld be destryed. 5) Use Limitatin Cnsumer data shuld nt be shared fr any uses that are incmpatible with the purpses specified in the cmpanyʼs privacy plicy. Transfers f cnsumer data t any third parties r affiliates shuld be transparent, specified in advance t cnsumers and may require pt-in cnsent. 47 6) Data Quality & Integrity DOOH cmpanies shuld, t the extent practicable, ensure cnsumer data they cllect is accurate, relevant, timely and cmplete. Allwing cnsumers t access and edit data cllected abut them is ne f the best mechanisms fr ensuring data quality and integrity. 7) Security DOOH cmpanies shuld exercise reasnable and apprpriate effrts t secure infrmatin cllected abut cnsumers. In s ding, a cmpany shuld maintain a standard infrmatin security prgram apprpriate t the amunt and sensitivity f the infrmatin stred n its system. Such a security prgram shuld include prcesses t identify and address reasnably freseeable internal and external risks t the security, cnfidentiality, and integrity f infrmatin. The nature and extent f security required will largely depend n what kind f cllectin technlgy is emplyed and what cnsumer data is retained. Unnecessary cnsumer data shuld be destryed via secure methdlgies. The best data security is fr a cmpany nt t pssess cnsumer data in the first place. 8) Accuntability There has been substantial criticism f self-regulatin f the behaviral advertising industry because f a lack f accuntability fr nncmpliance. DOOH cmpanies wh cllect and use cnsumersʼ infrmatin shuld establish internal accuntability mechanisms. These mechanisms shuld ensure strict cmpliance with cmpaniesʼ privacy plicies, as well as laws and ther applicable privacy prtectin requirements. Cmpanies shuld prvide privacy and security training t all emplyees, cntractrs and affiliates wh cllect and 46 The POPAI Cde recmmends that image r bimetric data shuld be stred fr up t 3 mnths r the maximum perid allwed by law. See POPAI Cde f Cnduct, Pg. 6. It is unclear whether POPAI means that the data shuld be stred n lnger than that perid, r whether POPAI recmmends that the data be stred regardless f whether there is a business need fr it, s lng as the law allws it. 47 See POPAI Cde f Cnduct, Pgs

16 use cnsumersʼ infrmatin. There shuld be meaningful penalties fr vilatins, especially willful r chrnic nncmpliance. The DOOH industry may als cnsider empwering ne r mre trade assciatins with independent versight functins t mnitr cmpliance and ffer privacy management guidance fr individual cmpanies. The rganizatin that takes n these functins shuld prvide a dispute reslutin frum fr cnsumers and articulate clear benchmarks fr cmpanies t evaluate the efficacy f their privacy practices. Fr mre infrmatin, please cntact Harley Geiger Staff Attrney, CDT x 316 harley@cdt.rg CDT wishes t thank Melissa Ng f Privacy Lives ( fr her cnsultatin and cntributins t this reprt. 16