Who has your data?
6/6/2018
And what are they doing with it?
Swipe your loyalty card at the grocery store, and all of those purchases are now tracked.
Browse for an item on a company’s website, and the next time you’re on your computer, an ad will likely show up for that product or another from that company.
Track your food and exercise in a fitness program, and that program will suggest workouts or recipes based upon what you’ve previously done.
From grocery shopping to browsing a company’s website to keeping track of health and wellness, personal data is collected and stored about most people’s actions.
Many businesses, particularly those with an online presence, collect data, whether it be about trends in the market, customers’ purchases or even details about competitor companies. In addition, most devices are now part of the Internet of Things, a network of physical objects, ranging from devices and vehicles to appliances and more, that are embedded with electronics, software, sensors and network connectivity that collect and exchange data.
“Data can be collected in more ways than ever before, and there’s more ways being added,” says Rebecca Herold of Des Moines, who is known as The Privacy Professor and has advised people about information security, privacy and compliance issues for more than 25 years. “The data is collected not only through the network system but through various apps that are put out and through the Internet of Things and IOT devices. Businesses are even collecting data through these devices.”
Data collection has occurred for decades, from the old-school technique of people putting their business card into a fishbowl at a conference to the typical customer feedback survey. What is new is how easy the Internet has made it for people and businesses to collect more intimate data and to use it to their benefit, both good and bad, says Drew Larson, a data security and privacy attorney at BrownWinick in Des Moines.
“People get worked up when they believe their data has been used in a way that is unexpected by them and in a way that maybe violates some expectations or social norms,” he says.
Those social norms are fluid and change with the times. What is acceptable now was inconceivable 20 years ago, Larson says.
Who’s watching and why?
Between IOT devices and surveillance equipment, let alone a person’s website and application activity, most of an individual’s actions that involve technology are recorded each day.
Take a fleet of semi-trailer trucks, for example, Herold says. Each truck has a computer, and the company that owns the trucks tracks who is driving which truck and knows where they’re located at any time.
From the moment an employee arrives at work until he or she leaves, their actions are monitored, not only through surveillance cameras but also through their electronic keycard. If that employee sends emails at work, even if encrypted, there’s still metadata recorded that is evidence the communication took place, with whom, the date and time it was sent and received, and the location from which it was sent and received, Herold says.
“Basically, in today’s world, there are very few types of businesses where there’s not a huge amount of data that is being collected or could be collected and being shared potentially with hundreds, or I have clients who have even thousands of third parties they’re sharing with,” she says.
Many websites use “cookies” or web beacons or web bugs to learn more about users. A cookie is a small amount of data that is sent to a user’s web browser from a web server and stored on that person’s computer’s hard drive. An individual’s web browser can be set to reject all cookies or to ask whether to accept or decline a cookie from a particular site.
Web beacons or bugs are 1-by-1 pixels that can relay information from your device back to its source. They work beyond website interaction and record information about PDFs or PowerPoints that are downloaded or a video that is watched. These provide more insight about the user, Herold says.
“Web beacons have been under the radar since the early 1990s,” she says. “There’s not much you can do. People can’t turn these off.”
Social media sites such as Facebook made it even more possible for companies, the digital advertising industry and even law enforcement to gather data about individuals. Users’ likes and dislikes can be tracked to determine their political affiliation or political leanings, so preemptive campaigning can take place.
Law enforcement can monitor discussions and topics to determine things such as where white supremacist activity might take place or to identify terrorist activity, Herold says.
“It’s really amazing how widely and increasingly all of this data is used for so many other purposes from what it was originally collected,” she says.
She continues: “It blows people’s minds when they find out these innocent types of activities that you do with all of these gadgets and games and apps and how very widespread that data gets used by so many others that goes way beyond the initial organization.”
One of the more common ways businesses gather customers’ information is through loyalty programs or offers to provide coupons and discounts through an email list. This allows the business to track buying habits and then better market itself to the customer, says Denny Fisher, a chief strategist who advises on cybersecurity issues for Associated Computer Systems Ltd. in Urbandale.
“Most businesses want more insight as to how their customers are behaving,” he says. “Anything that would give them any type of behavior thing: Where you’re going, what type of card you use, how often do you come to their store?”
Companies by law can’t keep credit and debit card information without encrypting it, Fisher says, but some will track what types of cards are used at their stores in order to receive a deal from that credit card company or bank.
Online shopping or web browsing provides even more information about the customer. Amazon monitors shoppers’ buying history and sends them emails about similar products to try or reminders to rebuy. Websites monitor a person’s browsing history and will then place ads for those products on the screen when the person is looking at other sites.
Data collection comes down to the bottom line for most businesses, Fisher says.
“Most people use it for targeted marketing to determine what products they may or may not sell, to make better decisions and to generate more revenue,” he says.
Hy-Vee, Inc., which has its headquarters in West Des Moines, uses customer data to streamline marketing efforts, so the company can offer the best deals to customers for products they typically purchase, says Tina Potthoff, the company’s vice president of communications.
The company does not sell customer data to third parties; however, on occasion, Hy-Vee does share customer information with third-party vendors with whom the company works to provide services to customers, she says.
All third-party vendors are bound by non-disclosure agreements to not release the information and only act on behalf of Hy-Vee.
A third party would include the vendor Hy-Vee uses for text messaging services for Aisles Online pickup notifications, Potthoff says.
information is shared.
The company’s system automatically gathers and stores certain information when customers interact with a service, whether it be the website, the Fuel Saver + Perks program, its mobile applications or a contest. The information does not personally identify an individual unless he or she logs into their account.
All customer information is protected by a layered cybersecurity procedure Hy-Vee has in place, Potthoff says.
An individual’s use of a store’s loyalty card can help them receive points toward future purchases, discounts and more. In the case of Hy-Vee, customers receive discounts on fuel prices and reduced food and product prices for using their Fuel Saver + Perks card.
There is a payback in data that is collected about that person. Loyalty cards “collect a lot of data about where you are and what you’re doing and what you’re getting and so on,” Herold says.
Fisher himself has several loyalty cards he uses knowing his personal information is being collected. “In the world we live in today, people are less hesitant to share information,” he says. “I think they value what they can get from social media. They value what people suggest they buy and where to go on vacation. They just want people to protect their information.”
This year, West Des Moines Community Schools began tracking health information about its students. Students in fourth grade through high school at the start of the school year were given wristbands to wear during physical education classes to track their heart rate and time in the heart rate zone to show students which activities require more cardiovascular endurance, stamina and more, according to a release on the district’s website.
Data is calculated each time a student uses the wristband and is stored through a cloud-based program that allows students to track their progress. The information is instant on the monitor, and a summary is emailed to students after each session, director of school/community relations Laine Mendenhall-Buck says.
Families had the option of opting out of the wristband tracking, she says.
The wristbands are part of the Spirit System, created by Interactive Health Technologies. According to the company’s website, IHT does not share personally identifiable information with anyone other than representatives of the customer who has provided the information. The company also says it does not collect, maintain, use or share information about students enrolled in its K-12 educational programs other than what is needed for the school’s purposes. Once school officials have notified IHT the student is no longer part of the program, the company no longer retains that student’s information.
The website also explains the company’s security procedures and steps to keep all information secure, private and confidential. A student’s data is kept in the system as he or she moves from year to year and school to school. If he or she leaves the district, the data is inactivated, Mendenhall-Buck says.
Only students and their teacher have access to identifiable data, and summaries can be shared with parents upon request, she says. District officials are developing a process through which summaries would automatically be shared with parents.
“In the event that we discontinue using IHT services, all data will be returned to the district and permanently removed from their servers,” Mendenhall-Buck says.
Convenience and personalization vs. privacy and security
There are conveniences associated with data collection that allow more efficiencies in a modern world, Larson says, yet there’s a discomfort with knowing a supermarket chain, retailer or website knows what a person has purchased and can target them with specific advertisements and coupons.
“People will have to make decisions about what they’re willing to give up versus the benefits,” he says.
Most consumers get agitated when they’re contacted unexpectedly or enter into something innocently, only to discover the reach is beyond their expectations, says Brian McCormac, a data security and privacy attorney at BrownWinick. He points directly to the recent Facebook-Cambridge Analytica scandal and says users didn’t understand how broadly their information was being mined and shared.
“Companies get into trouble when they say one thing and do another, or they don’t explain what they’re doing adequately,” he says.
The Pew Research Center, a nonpartisan think tank in Washington, D.C. that conducts polls, research and analysis about issues, attitudes and trends, says Americans have an “it depends” attitude when it comes to sharing personal information in return for products, services and other potential benefits.
The center explored six scenarios in which people might encounter a privacy-related question and found that Americans weighed their decision on the value of the benefit offered, the circumstances of their lives, how they felt about the organization collecting the data, what would happen to the personal data after it was collected, and how long the data was retained.
Data collection is mostly unregulated
The collection of data is a mostly unregulated area, though that could change with the General Data Protection Regulation that went into effect May 25 in the European Union.
The GDPR is a data privacy law that protects all European Union citizens from privacy and data breaches. It applies to all companies, regardless of location — this would include U.S. companies that process personal data of EU residents. There are huge penalties for violation of GDPR — up to $24 million.
Most states, Iowa included, have data breach notification laws. These laws require businesses and entities to notify affected individuals if there is an unauthorized disclosure of certain personal information that includes the person’s name and social security number, driver’s license number, financial account number, medical information, insurance information, date of birth, mother’s maiden name or DNA. This can vary by state, and there are provisions regarding the type of breach and whether the information was encrypted.
Some states, including Massachusetts and California, have tougher laws about data privacy and security.
Massachusetts requires businesses to have a written information security program that includes encryption of personal information. California requires privacy notices on websites that collect personally identifiable information such as name, address, email and phone number. California’s “Shine the Light” law also requires companies to disclose to an individual within 30 days of a request any specific information the company has disclosed and to whom. There are exceptions.
The FTC acknowledges that companies have personal information and recommends they safeguard that information with a sound data security plan. It also recommends that businesses don’t collect or keep any sensitive personally identifying information that does not have a legitimate business need and is not integral to the business’ products and services.
Is there cause for concern?
Cybersecurity breaches are common these days. Companies big and small have reported them to customers.
One of the most publicized was Facebook’s announcement that Cambridge Analytica might have scraped data on 87 million people through Facebook. Consumers had no idea the amount of personal data that was being collected about them through Facebook and then shared with third parties such as Cambridge or that their actions were tracked after leaving Facebook’s site.
Facebook settled an eight-count complaint the FTC filed against the social networking service in 2011 that charged it deceived customers by telling them they could keep information private and then made changes that removed privacy settings and allowed private information to be shared and made public. Facebook was required to live up to its promises and give customers clearer notices before sharing information beyond the established privacy settings.
Cambridge Analytica also runs the “My Life” website, which puts all of an individual’s personal information in one place. The company creates personal profiles on most individuals that lists their age, birthdate, current and past addresses, marital status, employment, and relatives, including children.
My Life says it uses information from public sources to create background reports and reputation scores for more than 300 million individuals, ages 18 and older in the United States.
According to the entity’s website: “We believe it’s important for you to know what’s available online, how it affects your Reputation Score and help you correct or remove what’s wrong to improve your reputation and life.”
Public pages cannot be deleted from My Life, according to its website, unless a person has “extenuating circumstances,” in which case he or she is directed to the customer care department.
Individuals who play games online and through game apps also have their information tracked. The metadata tells game operators who is playing, when and from where, and with whom they’re playing, Herold says.
Last year, the personal data and credit card information of Sears and Delta Air Lines customers might have been exposed during a data breach. Also, hackers took over 150 million MyFitnessPal accounts, according to Under Armour, the company that oversees the app. Data was stolen for 5 million Saks, Lord & Taylor customers’ cards.
Ask questions, take necessary precautions
Experts say there is likely to be some push for increased privacy, controls for data collection, the boundaries for what should be collected and shared, and new regulations as the Facebook/Cambridge Analytica debacle continues to unravel.
Legal and privacy law experts say education is the best way to protect oneself. Ask questions and read all privacy notices.
“It’s a reasonable question to ask what companies are doing with my data,” McCormac says. “Most companies
Herold says, the more the public can question why a business needs its data and the more the business is forced to answer that question, the more likely privacy will be addressed within that organization and elsewhere.
Larson says there’s an element of personal responsibility once a person is educated about a company or website’s privacy and data collection policies.
“There are no protections. If you want something to be private, don’t share it,” he says.
Even though emails and messages are supposed to be encrypted and the content protected, the best bet is still to pick up the phone and call someone.
“We want things to be easily available but then for no one to know about it,” Larson says. “You can’t have it both ways. There’s only so much you can do to control it; be cognizant. Assume everything online, regardless of policy, can be available to someone someday.”
The more businesses prove they can keep data private, the more willing customers will be to share their personal information, Fisher says. Consumers should ensure businesses are compliant with the laws and regulations for their industry and that they have a layered security policy in place that includes encryption of data and restrictions and monitoring of access to data. The policy also needs to have a plan in case there is a breach, he says.
“People feel more comfortable if someone has a plan,” Fisher says. “Then they can make a choice if they want to continue (to do business) if there is a breach.”
Herold, the privacy adviser, says users of Facebook should restrict access to their friends list and other personal information. Part of the issue with Facebook and Cambridge Analytica was the background data that was being collected, including access to the profiles of users’ friends who hadn’t even taken online quizzes or opened apps.
“Most people don’t do that,” she says. “You need to lock that down if you haven’t.”
Individuals also should avoid using Facebook Messenger and messaging through LinkedIn because those messages are tracked even if the content is not, Herold says.
Users should review the settings for any IOT device or gadget, website or app before they use it and restrict access.
“That might limit functionality, but you have to decide: Is it worth sharing my data versus using this thing that may or may not have any impact on my life?” Herold says.
New privacy laws in European Union could affect the United States
The collection of personal information is a mostly unregulated area in the United States, though that could change with the General Data Protection Regulation that went into effect May 25 in the European Union.
The GDPR is a data privacy law that protects all European Union citizens from privacy and data breaches. It applies to all companies, regardless of location — this would include U.S. companies that process personal data of EU residents. Personal data includes information that can be used to identify people such as name, photo, email address, bank details, social media posts, medical information and computer IP address.
• A company is required to alert an EU user when it is collecting data and the reason for it.
• A company must notify those affected by a data breach within 72 hours of becoming aware of it.
• Individuals have a right to know what personal data is being processed and for what purposes. Companies must provide a copy of the personal data free of charge in an electronic format to the individual upon request.
• All privacy and notification alerts for users must be provided in ordinary, nontechnical language, no legalese.
• EU consumers can request a “right to be forgotten” that entitles them to have their personal data removed from a company.
• Parental consent is required to process the personal data of children under the age of 16 for online services.
There are huge penalties for violation of GDPR — up to $24 million.
“There’s a great amount of regulation in the EU,” says Brian McCormac, a data security and privacy attorney at BrownWinick in Des Moines. “It might change things here. From a large company’s perspective, it’s not always practical to have rules on one side of the ocean versus the other.”
The rule is already forcing changes in the United States and Iowa. Iowa State University posted a release on its website in April that said the university was making changes in response to the new rule. The university recruits and enrolls students from EU countries, and ISU students and faculty study, teach and research in the EU. This activity creates data processes, the university said in its release.
ISU personnel were reviewing their systems to determine which data would be affected and then to determine a legal basis for processing the data. This could include treating all data as if it were subject to EU regulations, purchasing software that identifies and treats personal data in compliance with GDPR and performing regular internal audits to ensure compliance, according to the release.
An ISU spokesperson did not reply to a request for more information.