Your connected home knows you intimately and, soon, so will Google

Google’s business model, like many other consumer-facing companies’ business models, are changing to become far more context aware. We’re seeing that in apps that know our location and where we are going next and warn us when to leave to make it on time. That just scratches the surface and this trend can be tremendously helpful and useful if we can be sure that our personal information is not being abused or vulnerable to exploitation.

Nest cooling with leaf

Google has just announced that it intends purchasing Nest, a company that produced a connected home thermostat and smoke detector that is very well regarded in the United States. The purchase price is $3,2 billion, apparently in cash. That substantial purchase price is a pretty clear indication of the value Google places on Nest’s technology which gives its customers the ability to monitor and adjust their home environment. One of the implications of this purchase is that Google could soon have far deeper insights into what Nest’s customers are doing in their homes.

Although this is arguably a trend that is only going to grow, the question to ask is whether companies reaching into customers’ most intimate spaces have adequate protections in place to protect their personal data? Here is an one possible integration (no announcements about integrations yet so this is speculation) from Stacey Higgenbotham writing for GigaOm in her article titled “When Google closes the Nest deal, privacy issues for the internet of things will hit the big time“:

As a user of Google Now, the contextual service that tells me when to leave my house to make it to my next appointment in time, I see no reason Google couldn’t also tell my thermostat to cycle down before I actually leave. Or, based on my movements in my home, Google could start screening my calls. If I’m in the bedroom and motionless maybe Google could block the work calls from my colleague Om Malik.

Google’s business model, like many other consumer-facing companies’ business models, are changing to become far more context aware. We’re seeing that in apps that know our location and where we are going next and warn us when to leave to make it on time. That just scratches the surface and this trend can be tremendously helpful and useful if we can be sure that our personal information is not being abused or vulnerable to exploitation. As Higgenbotham points out –

Nest and the products the company builds could help provide ever more contextual clues to Google that it can use to help make your life better and even save you money. But in doing so we need to hold it, and other companies seeking to enter the connected home market, to a well-defined set of standards around data security and privacy. That means the industry and the regulators need to move past this impasse: where the internet of things is awesome but will also kill you because strangers can hack into your home and control your medical devices.

Don’t place too much emphasis on the Protection of Personal Information Act

With the Protection of Personal Information Act signed and likely to be implemented to some degree sometime this year, it is fashionable to focus on POPI when thinking about data protection and privacy. While POPI is a very important Act, a complete data protection review has to take into account much more. I prepared a diagram to give you a quick overview of what you should be considering when you assess your compliance readiness.

2014-01-14 Privacy is more than just POPI

PPC Lead Generation’s Privacy Risks

PPC lead generation is a search-based lead generation technique which leverages search terms to surface (preferably) relevant ads in search results. When you click on those ads you are often taken to landing pages where you have the option of submitting your details to a company so it can get in touch with you about its products and services. It’s a pretty smart marketing option because it begins with the premise that you are searching for what the company offers. It is also a potentially risky proposition for brands that fail to implement adequate privacy protections.

PPC_lead_generation_-_Google_Search - modified

PPC lead generation is a search-based lead generation technique which leverages search terms to surface (preferably) relevant ads in search results. When you click on those ads you are often taken to landing pages where you have the option of submitting your details to a company so it can get in touch with you about its products and services. It’s a pretty smart marketing option because it begins with the premise that you are searching for what the company offers. Here is an example:

How PPC Lead Generation Works

Let’s assume you are in the market for home insurance so you search for “home insurance”:

You’ll notice a couple ads which relate to “home insurance” and which are identified as ads. These are sponsored or paid ads which are displayed in your search results based on your search terms. The companies that purchase the ads (often an agency specialising in this sort of advertising) select key words that they believe will correspond with your search terms so when you run your search, their ads are displayed as relevant search results (Google regards these ads as something which may be valuable to you so it built an ad sales model based on this process). You click on a link in one of the ads and you are taken to a landing page which can look something like this:

Notice the form on the right? That form is an opportunity for you to submit your details to the brand behind the campaign, in this case MiWay, so its sales representatives can contact you about its products and services. Once you submit your details, you become a sales lead (hence the term “lead generation”). The “PPC” bit stands for “Pay Per Click” which is a reference to the payment model the advertiser agrees to. The advertiser pays for each click on the ad. Some advertisers will pay their agencies for leads generated. It depends on the advertiser’s preferences and the agency’s business model.

The Privacy Considerations

This form of advertising is an interesting one because it begins with a person searching for something she is interested in. In this example, “home insurance”. When she is presented with search results relevant to her search terms and she clicks on one of them (in this case the MiWay ad), she is implicitly indicating an interest in what the relevant brand has to offer. So far she is consenting to some of her personal information being collected although it is likely data such as her IP address, general location, browser and computer information and so on.

Assuming the ad takes her to a page that is relevant to her search term and the ad text which informed her decision which ad to click on, there aren’t any privacy concerns so far. If the ad is misleading then any personal information the advertiser collects so far is without her permission because she was expecting a different result and that would have informed her consent in whatever form she gave it.

Once she she loads the landing page, the situation changes somewhat. Presented with the form, the advertiser has two options:

  1. rely on the consumer’s continued implicit consent to have the personal information she submits through the form to process it as the advertiser intends processing it, or
  2. explain what personal information the advertiser will collect through its interaction with the consumer, what it will do with that personal information and under what circumstances it will share that personal information with others.

The first option is inherently risky because the consumer assumes that the brand itself, namely MiWay, will collect the consumer’s personal information and will only use it to contact the consumer. That, at least, is the impression the landing page gives. The consumer may also assume that her personal information will not be used for cross-selling, disclosure to associated companies and will be limited to what she submits through the form. This may not be the case.

Often what happens is that the agency collects leads generated through the landing page and passes them along to its client, the company behind the brand. That company may want to use that personal information to market other products and services within its group, share it with partners and so on. There is also little, if any, indication of how long the personal information will be stored, how it will be stored and at what point it will be destroyed.

All of these answers should be communicated to consumers going forward if they are to make informed decisions about who can process their personal information and under what circumstances under the expanded privacy compliance framework Protection of Personal Information Act is going to introduce shortly. One of the best ways to do this at the moment is through a clear privacy policy framework which solicits that consent from consumers arriving at the landing page. These policies should clearly identify the parties handling the personal information consumers submit and what happens to it from the time it is submitted.

Agencies have a couple options when it comes to implementing privacy policy frameworks which range from incorporating their clients’ privacy policy frameworks (assuming they are appropriate) to publishing custom policies. Whichever option, it is not a very complex process, it just needs to be done with sufficient thought about the compliance requirements marketers face.

Risk management doesn’t stop at a privacy policy. It extends to data management and ensuring that personal information is processed securely and consistently with privacy policies’ requirements. Agencies should also consider whether they have sufficiently structured their contractual relationships with their clients (and vice versa) in order to manage potential liability flowing from privacy violations which could occur and which could be remarkably costly, both in terms of reputational harm and monetary cost.

<

p>The potential harm is not always foreseeable and neither is its extent. A good example of this is the recent Adobe privacy breach which has had far-reaching implications not just for Adobe itself but for users who use a range of other services. This is just not something companies or their agencies can afford to ignore. They could be the next trending news item with a plummeting share price.