www.ipc.on.ca the privacy payoff: build your business by building customer trust ann cavoukian,...

www.ipc.on.ca

The Privacy Payoff:The Privacy Payoff:Build Your Business By Build Your Business By

Building Customer TrustBuilding Customer Trust

Ann Cavoukian, Ph.D.Ann Cavoukian, Ph.D.Information & Privacy Commissioner/Ontario

Coast Software

Privacy Best Practices Web Seminar Series

November 8, 2004

www.ipc.on.cawww.ipc.on.ca Slide 2

Impetus for Change

Growth of Privacy as a Global Issue

EU Directive on Data Protection

Increasing amounts of personal data collected, consolidated, aggregated

Consumer Backlash; heightened consumer expectations


Importance of Consumer Trust

In the post-9/11 world:• Consumers either as concerned or more concerned about online

privacy• Concerns focused on the business use of personal information, not

new government surveillance powers

If consumers have confidence in a company’s privacy practices, consumers are more likely to:• Increase volume of business with company…….... 91%• Increase frequency of business……………….…... 90%• Stop doing business with company if PI misused…83%

Harris/Westin Poll, Nov. 2001 & Feb. 2002


Information Privacy Defined

Information Privacy: Data Protection

• Freedom of choice; control; informational self-determination

• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual


What Privacy is Not

Security Privacy


AuthenticationData IntegrityConfidentialityNon-repudiation

Privacy; Data ProtectionFair Information Practices

Privacy and Security: The Difference

Security: Organizational control

of information through information systems


Fair Information Practices:A Brief History

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

EU Directive on Data Protection

CSA Model Code for the Protection of Personal Information

Canada Personal Information Protection and Electronic Documents Act (PIPEDA)


Summary of Fair Information Practices

AccountabilityIdentifying PurposesConsentLimiting CollectionLimiting Use,

Disclosure, RetentionAccuracy

SafeguardsOpennessIndividual AccessChallenging

Compliance


Extension of PIPEDA

As of January 1, 2004, the Personal Information Protection and Electronic Documents Act has extended to:

all personal information collected, used or disclosed in the course of commercial activities by provincially regulated organizations

unless a substantially similar provincial privacy law is in force


Provincial Private-Sector Privacy Laws

Québec: Act respecting the protection of personal information in the private sector

B.C.: Personal Information Protection Act

Alberta: Personal Information Protection Act

Ontario: draft Privacy of Personal Information Act, 2002 – not introduced…so PIPEDA applies


Ontario: Health Information Protection Act, 2003 (PHIPA)

Ontario government introduced health privacy bill (Bill 31) on December 17, 2003

Law comes into effect on November 1, 2004

Establishes privacy rules for personal health information that is collected, used or disclosed by health information custodians


The Bottom Line

Privacy should be viewed as a business issue, not a

compliance issue


The Promise

Electronic Commerce projected to reach $220 billion by 2001 WTO, 1998

Electronic Commerce projected to reach $133 billion by 2004Wharton Forum on E-Commerce, 1999

Estimates revised downward to reflect lower expectations


Privacy is affecting E-Commerce

United States: e-commerce sales were only 1.6% of total sales -- $54.9 billion in 2003

-U.S. Dept. of Commerce Census Bureau, February 2004

Canada: Online sales were only 0.6% of total revenues -- $13.7 billion in 2002

Statistics Canada, April 2003


Lack of Privacy = Lack of Sales

“Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.”

Forrester Research, September 2001

“Privacy and security concerns could cost online sellers almost $25 billion by 2006.”

Jupiter Research, May 2002


The Business Case

“Our research shows that 80% of our customers would walk away if we mishandled their personal information.”

CPO, Royal Bank of Canada, 2003

Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.


ISF Highlights Damage done by Privacy Breaches

The Information Security Forum reported that a company’s privacy breaches can cause major damage to brand and reputation:• 25% of companies surveyed experienced some

adverse publicity due to privacy• 1 in 10 had experienced civil litigation, lost

business or broken contracts• Robust privacy policies and staff training were

viewed as keys to avoiding privacy problems

The Information Security Forum, July 7, 2004


How The Public Divides on Privacy

26

64

10

0 20 40 60 80

Feb 2003(%)

PrivacyUnconcerned

PrivacyPragmatists

PrivacyFundamentalists

The “Privacy Dynamic” - Battle Dr. Alan Westinfor the minds of the pragmatists


It’s all about Trust

“Trust is more important than ever online … Price does not rule the Web …

Trust does.”

Frederick F. Reichheld, Loyalty Rules:

How Today’s Leaders Build Lasting Relationships


The High Road

“When customers DO trust an online vendor, they are much more likely to share personal information. This information then enables the company to form a more intimate relationship with its customers.”

Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders

Build Lasting Relationships


Lack of Trust on the Web

“In 70% of instances where Internet users were asked to provide information in order to access an online informational resource, those users did not pursue the resource because they thought their privacy would be compromised.”

Narrowline Study, 1997


Trust and Privacy Policies

Fully 50% of online users said they would leave a Web site if they were unhappy with a company’s privacy policy.

Customer Respect Group, February 2004 survey


Falsifying Information on the Web

“42.1% have falsified information at one time or another when asked to register at a Web site.”

10th WWW User Survey, October 1998


Make Privacy a Corporate Priority

An effective privacy program needs to be integrated into the corporate culture

It is essential that privacy protection become a corporate priority throughout all levels of the organization

Senior Management and Board of Directors’ commitment is critical


Good Governance & Privacy

“Privacy and Boards of Directors: What You Don’t Know Can Hurt You”

• Guidance to corporate directors faced with increasing responsibilities and expectation of openness and transparency

• Privacy among the key issues that Boards of Directors must address

• Potential risks if Directors ignore privacy• Great benefits to be reaped if privacy included in a

company’s business plan


Privacy Diagnostic Tool

Simple, plain-language tool (paper and e-versions)

Free & self-administered

CSA model code to examine an organization’s privacy management practices

www.ipc.on.ca/PDT


Final Thought

“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”

Forrester Research, March 5, 2001

www.ipc.on.ca

How to Contact UsHow to Contact Us

Commissioner Ann CavoukianCommissioner Ann CavoukianInformation & Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario M4W 1A8

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]