Behavioral Advertising and “Do Not Track”: Navigating the Privacy Minefield
February 28th, 2012By Aaron Messing
The Internet is fraught with privacy-related dangers for companies. For example, Facebook’s IPO filing contains multiple references to the various privacy risks that may threaten its business model, and it seems like every day a new class action suit is filed against Facebook alleging surreptitious tracking or other breaches of privacy laws. Google has recently faced a resounding public backlash related to its new uniform privacy policy, to the extent that 36 state attorney generals are considering filing suit. New privacy legislation and regulatory activities have been proposed, with the Federal Trade Commission (FTC) taking an active role in enforcing compliance with the various privacy laws. The real game changer, however, might be the renewed popularity of “Do Not Track”, which threatens to upend the existing business models of online publishers and advertisers. “Do Not Track” is a proposal which would enable users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms.
To understand the genesis of “Do Not Track” it is important to understand what online tracking is and how it works. If you visit any website supported by advertising (as well as many that are not), a number of tracking objects may be placed on your device. These online tracking technologies take many forms, including HTTP cookies, web beacons (clear GIFs), local shared objects or flash cookies, HTML5 cookies, browser history sniffers and browser fingerprinting. What they all have in common is that they use tracking technology to observe web users’ interests, including content consumed, ads clicked, and other search keywords and conversions to track online movements, and build an online behavior profiles that are used to determine which ads are selected when a particular webpage is accessed. Collectively, these are known as behavioral targeting or advertising. Tracking technologies are also used for other purposes in addition to behavioral targeting, including site analytics, advertising metrics and reporting, and capping the frequency with which individual ads are displayed to users.
The focus on behavioral advertising by advertisers and ecommerce merchants stems from its effectiveness. Studies have found that behavioral advertising increases the click through rate by as much as 670% when compared with non-targeted advertising. Accordingly, behavioral advertising can bring in an average of 2.68 more revenue than of non-targeted advertising.
If behavioral advertising provides benefits such as increased relevance and usefulness to both advertisers and consumers, how has it become so controversial? Traditionally, advertisers have avoided collecting personally identifiable information (PII), preferring anonymous tracking data. However, new analytic tools and algorithms make it possible to combine “anonymous” information to create detailed profiles that can be associated with a particular computer or person. Formerly anonymous information can be re-identified, and companies are taking advantage in order to deliver increasingly targeted ads. Some of those practices have led to renewed privacy concerns. For example, recently Target was able to identify that a teenager was pregnant – before her father had any idea. It seems that Target has identified certain patterns in expecting mothers, and assigns shoppers a “pregnancy prediction score.” Apparently, the father was livid when his high-school age daughter was repeatedly targeted with various maternity items, only to later find out that, well, Target knew more about his daughter than he did (at least in that regard). Needless to say, some PII is more sensitive than others, but it is almost always alarming when you don’t know what others know about you.
Ultimately, most users find it a little creepy when they find out that Facebook tracks your web browsing activity through their “Like” button, or that detailed profiles of their browsing history exist that could be associated with them. According to a recent Gallup poll, 61% of individuals polled felt the privacy intrusion presented by tracking was not worth the free access to content. 67% said that advertisers should not be able to match ads to specific interests based upon websites visited.
The wild west of internet tracking may soon be coming to a close. The FTC has issued its recommendations for Do Not Track, which they recommend be instituted as a browser based mechanism through which consumers could make persistent choices to signal whether or not they want to be tracked or receive targeted advertising. However, you shouldn’t wait for an FTC compliance notice to start rethinking your privacy practices.
It goes without saying that companies are required to follow the existing privacy laws. However, it is important to not only speak with a privacy lawyer to ensure compliance with existing privacy laws and regulations (the FTC compliance division also monitors whether companies comply with posted privacy policies and terms of service) but also to ensure that your tracking and analytics are done in an non-creepy, non-intrusive manner that is clearly communicated to your customers and enables them to opt-in, and gives them an opportunity to opt out at their discretion. Your respect for your consumers’ privacy concerns will reap long-term benefits beyond anything that surreptitious tracking could ever accomplish.
How Can They Post That? Understanding the Communication Decency Act
February 15th, 2012The Communications Decency Act Provides Immunity For Third Party Submitted Content
By Aaron Messing
We often get questions from both clients and journalists (e.g., here, and here) regarding liability for posting content on the internet, most of it centering around the same basic premise: “Why can Company X post this content on their website? How is that legal? Isn’t that an invasion of privacy?”
In most cases, the answer can be found in Section 230 of the Communications Decency Act of 1996, 47 U.S.C. § 230 (“CDA”). The act provides immunity for Internet Service Providers (read: websites, blogs, listservs, forums, etc.) who publish information provided by others, so long as they comply with the Digital Millennium Copyright Act of 1998 (“DMCA”) and take down content that infringes the intellectual property rights of others. In order to understand the CDA and DMCA, it is helpful to understand how each came about.
The United States has historically favored free speech, with certain limitations. Under the law, a writer or publisher of harmful information is treated differently than a distributor of that information. The theory behind this distinction is that the speaker and publisher have the knowledge of and editorial control over the content, whereas a distributor might not be aware of the content, much less whether it is harmful. Thus, if a writer publishes defamatory content in a book, both the writer and the publisher can be held liable, whereas a library or bookstore that distributed the book cannot.
Initially, courts found a distinction in liability based on whether the website was moderated. An unmoderated/unmonitored website was considered a distributor of information, rather than a publisher, because it did not review the contents of its message boards. Conversely, courts found a moderated/monitored website to be a publisher, concluding that the exercise of editorial control over content made it more like a publisher than a distributor – and thus the website was liable for anything that appeared on the site. Unsurprisingly, this created strong disincentives to monitoring or moderating websites, as doing so increased potential liability.
Given the sheer amount of information communicated online, the potential for liability based on third-party content (i.e. user comments on a blog, website or web bulletin board) threatened the viability of service providers and free speech over the internet.
Congress specifically wanted to remove these disincentives to self-moderation by websites and responded by passing the CDA. The CDA immunizes, with limited exceptions, providers and users of “interactive computer services” from publisher’s liability, so long as the information is provided by a third party (interactive computer service is defined broadly, and covers blogs). This immunity does not cover intellectual property claims or criminal liability, and of course the original creator of the content is not immune. That means a blogger or commentator is responsible for his/her own comments, though not for the submitted content of others (even if it violates a third-party’s privacy, or is defamatory, etc). Generally, the CDA will cover a website that hosts third-party content, and exercises editorial functions, such as deciding whether to publish, remove or edit material does not affect that immunity unless those actions materially alter the content (e.g.. changing “Aaron is not a scumbag” to “Aaron is a scumbag” would be a material alteration, whereas cropping a photo or fixing typos would not).
Accordingly, websites that post only user submitted content (even if the website encourages or pays third parties to create or submit content) are protected under the CDA, and immune from liability, with two major exceptions. The CDA does not immunize against the posting of criminally illegal content (such as underage pornography), and it does not immunize against the posting of another’s intellectual property without permission. Tasked with balancing the need to protect intellectual property rights online, as well as the various challenges faced by websites that lead to the CDA, Congress implemented the DMCA. The DMCA creates a safe harbor against copyright liability for websites, so long as block access to allegedly infringing material upon receipt of a notification from a copyright holder claiming infringement.
Ultimately, protecting yourself from liability under the CDA and DMCA or protecting your intellectual property rights online can be tricky. If you have any questions, feel free to contact us.
RFID and Workplace Privacy
February 12th, 2012
The Use of RFID In The Workplace Sparks Privacy Concerns
By Aaron Messing, Esq., CIPP
I recently had the opportunity to speak with Karen Boman of Rigzone about RFID technology and workplace privacy. Although the article focuses on the oil industry, the best practices of openness and transparency are generally applicable to most workplaces. The entire article can be found here, and makes for an engaging and informative read.
RFID technology in and of itself does not pose a threat to privacy – it’s when the technology is deployed in a way not consistent with responsible privacy information security practices that RFID becomes a problem, said Aaron Messing, associate with Union, N.J.-based OlenderFeldman LLP. Messing handles privacy issues for clients that include manufacturing and e-commerce firms.
Legal issues can arise if a company is tracking its employees secretly, Messing noted, or if it places a tracking device on an employees’ property without permission.
He recommends that clients should follow basic principles of good business practices, including making employees aware they are being monitored and getting written consent.
“Openness and transparency over how data is tracked and what is being used is the best policy, as employees are typically concerned about how information on them is being used,” Messing commented. “We advise clients to limit their tracking of employees to working hours, or when that’s not feasible, they should only access the information they want to track, such as working hours.”
The clients Messing works with that use RFID typically use the technology for tracking inventory, not workers. Messing can see where RFID would have legitimate uses on an oil rig. In the case of oil rigs, RFID tracking can be a good thing in case of emergency, as RFID makes it possible to determine whether all employees have been evacuated or how evacuation plans should be formed, Messing commented.
“It really depends on what the information is being used for,” Messing commented. However, employers that don’t have legitimate reasons for tracking workers can result in loss of morale among workers or loss of workers to other companies.
Workers who have RFID lanyards or tags can leave their tags at home once the work day is over to avoid be tracked off-hours. However, employees generally don’t have a lot of rights in terms of privacy while on the job. ”Since an employee is being paid to work, the expectation is that employers have a right to track employees’ activities,” said Messing. This activity can include monitoring phone conversations, computer activity, movements throughout a building and bathroom breaks.
However, companies should try to design monitoring programs that are respectful of employees.
“Companies that do things such as block personal email or certain websites and place a lot of restrictions on workers may do more harm than good, since workers don’t like feeling like they’re not trusted or working in a nanny state,” Messing commented.
Cctv Camera by Colin Russell
Massachusetts Data Security Regulations
February 2nd, 2012Service Providers Face New Regulations Covering Personal Information
By Aaron Messing
If your company is a service provider (generally any company providing third-party services, ranging from a payroll provider to an e-commerce hosting provider) or your company utilizes service providers, you need to be aware of the Massachusetts Data Security Regulations (the “Regulations”). The Regulations require that by March 1, 2012, all service provider contracts must contain appropriate security measures to protect the personal information (as described below) of Massachusetts residents. See 201 CMR 17.03(2)(f). All companies that “own or license” personal information of Massachusetts residents, regardless of where the companies are physically located, will need to comply with the Regulations. Additionally, all entities that own or license personal information of Massachusetts residents are required to develop, implement and maintain a written information security program (“WISP”), which lists the administrative, technical and physical safeguards in place to protect personal information.
“Personal information” is defined by the Regulations as a Massachusetts resident’s first and last name, or first initial and last name, in connection with any of the following: (1) Social Security number; (2) driver’s license number or state-issued identification card number; or (3) financial account number, or credit or debit card number.
If your company uses service providers, you are responsible for your service provider’s compliance with the Regulations as it relates to your business and your customers. The Regulations are clear that if your service provider receives, stores, maintains, processes, or otherwise has access to personal information of Massachusetts residents, you are responsible to make sure that your service providers maintain appropriate security measures to protect that personal information. Therefore you should make sure that your agreements with service providers contain appropriate language, obligations and indemnifications to protect your interests and assure compliance by your service provider. If you are a service provider, you need to develop a comprehensive WISP in order to protect yourself from liability.
If you have any questions or concerns regarding the implementation of the Regulations or how it may affect your business, please feel free to contact us.
New Jersey Trade Secrets Act
January 15th, 2012By Christian Jensen
On January 9, 2012, New Jersey Governor Chris Christie signed into law the New Jersey Trade Secrets Act (NJTSA). The NJTSA codifies many court decisions that provide certain rights and remedies in the event that a trade secret – such as a formula, design, prototype or invention – is misappropriated. The NJTSA provides New Jersey businesses with a statutory vehicle to use in the event of either actual or threatened misappropriation of trade secrets.
The NJTSA is modeled after the Uniform Trade Secret Act (USTA), making New Jersey the 47th state (plus the District of Columbia) to enact a version of the USTA and leaving just Massachusetts, New York and Texas as the only non-UTSA states. Notably, the definitions of “trade secret” and “misappropriation” under the NJTSA are broader than under the UTSA, thus providing more protection to businesses. Further, while the UTSA provides that, as a general rule, it “displaces other law which provides civil remedies for misappropriation of a trade secret,” the NJTSA specifically states that “the rights, remedies and prohibitions provided under this act are in addition to and cumulative of any other right, remedy or prohibition provided under the common law or statutory law of this State.”
An action for misappropriation must be brought under the NJTSA within three (3) years after the misappropriation is discovered, or, with reasonable diligence, should have been discovered. It is not a defense to the NJTSA to argue that proper means to acquire the trade secret existed at the time of the misappropriation.
The remedies available under the NJTSA to the holder of a trade secret include:
- Damages for both the actual loss suffered by the plaintiff and for any unjust enrichment of the defendant caused by the misappropriation. Damages may also include the imposition of a reasonable royalty for unauthorized disclosure or use.
- Injunctive relief for actual or threatened misappropriation of a trade secret. Under certain exceptional circumstances, an injunction may condition future use upon payment of a reasonable royalty.
- In cases involving the willful and malicious misappropriation of a trade secret, punitive damages may be awarded in an amount not exceeding twice that awarded for actual damages and unjust enrichment.
- An award of attorney’s fees and/or “reasonable” expert fees if: (i) willful and malicious misappropriation exists; (ii) a claim of misappropriation is made in bad faith; or (iii) a motion to terminate an injunction is made or resisted in bad faith.
It remains to be seen how the passage of the NJTSA will affect business competition in New Jersey, but the enhanced protections offered by the Act and the availability of attorney’s fees, expert fees and punitive damages will hopefully deter frivolous litigation and the theft of trade secrets.
Limits of Privacy on Facebook
December 1st, 2011Despite Facebook’s “Privacy Settings”, Your Information Might Not Be So Private
By Michael Feldman
With over 800 million users, there is a good chance that you, a family member or a business colleague uses Facebook. Many people assume that their posts and information viewed on Facebook is only available to their “friends.” Such an assumption would be wrong for several reasons.
First, your information is only private to the extent you affirmatively check certain boxes for your Facebook page. If you fail to select the appropriate settings, you will be allowing more than your “friends” to view your personal information. Remember that these settings involve not only limiting what the general public can see, but what advertisers and other websites you visit can see about your Facebook page (even if you are not logged on to Facebook at the time). Therefore, consider adjusting your privacy settings in the category marked “Apps, Games and Websites” and “How people bring your info to apps they use.” To maximize your privacy, turn off all platform apps.
Second, unlike Google+, Facebook does not make it easy to create different categories of “friends”, each of which only has access to limited information. Rather, once you make someone your “friend” – whether that person is a true friend, your boss or co-worker, someone you met last night, or even a celebrity you never met – that “friend” has the same access to your personal information that your best “friend” has. Though the user can block off certain “friends” from certain information, the process to do so is neither obvious nor simple. Such sharing of personal information would never occur outside of online social networking sites.
Third, you might never know what personal information Facebook or other social networking sites actually share. As you may have heard, Facebook just settled a Complaint by the Federal Trade Commission (“FTC”), which alleged that Facebook deceived consumers by asserting that their information would be private, then making it Public. Pursuant to the settlement, Facebook must now be honest in what it tells users, provide users with notice before changing its privacy settings (assuming the user actually reads these) and will undergo privacy audits every 2 years for the next 20 years. The settlement is far from perfect from a consumer viewpoint. The settlement is unclear about whether Facebook can share your information with advertisers – the primary source of Facebook’s revenue. In addition, though Facebook has to disclose its privacy policy to users, there is no requirement that the policies be in language easily understood by its users, as opposed to legalese. Perhaps most disturbingly to some is that the settlement keeps Facebook’s users in the dark about the results of the FTC’s investigation. Therefore, the taxpayers who paid for the investigation and the alleged victims – the Facebook users – will not know what privacy violations have already occurred. Thus, Facebook users may never know how their personal information has already been used, sold or distributed.
Fourth, several recent Court decisions have held that your Facebook page is not necessarily private. That is, litigants have obtained access to Facebook pages (among other social networking sites like MySpace) to prove their case. For example, in one case, a plaintiff claimed she was injured and unable to participate in activities she previously enjoyed. Against her objection, her adversary obtained access to her Facebook and MySpace pages to prove that the plaintiff was lying. The defendant was even able to gain access to “deleted” information from those pages. Similarly, other Courts have held that you have no “right to privacy” in your Facebook or MySpace pages because those companies do not guarantee complete privacy. As a result, employees have been terminated for information they posted online.
Fifth, your “friends” can share your information without your permission. Unauthorized sharing has also occurred as a result of viruses or hackers, both of which are rampant.
Sixth, never assume that what you delete is truly deleted. It is not. “Deleted” information is usually stored for an extended period of time with or without your knowledge.
The bottom line is that you should be very careful when you post information on a social networking site such as Facebook. You should assume that despite your privacy settings, the information may potentially be seen, shared or obtained by other than your “friends” without your explicit permission or knowledge. Notwithstanding, it is also critical that you take advantage of the privacy settings available and be familiar with the privacy policy of your social networking site to maximize your privacy. You would not allow strangers to wander your house or office, so do not let them wander your Facebook page.
Entertainment Weekly Calls On OlenderFeldman For Comments
October 18th, 2011On Tuesday, October 18th, a 40-something year old actress filed a law suit against IMDb and Amazon for publishing her real name and age on IMDb’s website. Entertainment Weekly asked Michael J. Feldman, Esq., CIPP, to weigh in on the merits of the plaintiff’s privacy claim.
Feldman, a partner at OlenderFeldman who is also not involved in the IMDb suit, believes “the most pivotal issue in the case” will be the clarity of IMDb’s Privacy Policy and Subscriber Agreement. According to Feldman, IMDb’s “mistake here is that neither the Privacy Policy nor the Subscriber Agreement are clear as to the purpose for obtaining credit card information, and how that information will be used.” Without that confusion, Feldman speculated that IMDb could have avoided this lawsuit altogether. Still, he agreed that Doe “has numerous hurdles to overcome,” primarily that she “appears to confuse promises made in those agreements concerning security of information provided to IMDb and the privacy rights afforded to subscribers of the website.”
Making the case even less promising, Feldman thinks the $1 million price tag on Doe’s suit is unreasonable: “She will have an extremely difficult time proving damages under the facts alleged.” Added Feldman, a founding member of privacy and data protection consulting firm Acentris: “Even if IMDb is at fault, damages are limited to the total amount [she] paid” as an IMDbPro subscriber.
To read more on this intriguing matter, click here.
ZIP Code Collection – An Invasion of Privacy?
September 22nd, 2011Zip Codes Can Reveal Customer Information, Leading To Privacy Concerns
By Michael Feldman
A February 2011 ruling against Williams-Sonoma by the California Supreme Court held that a consumer’s ZIP code was “personal identification information” that merchants are not permitted to demand from customers under a California consumer privacy law. The result was a rash of lawsuits against businesses such as Wal-Mart Stores Inc., Bed Bath & Beyond Inc., Crate & Barrel and Victoria’s Secret. Though some stores claim to use the ZIP code information to protect against credit card fraud (i.e., if the card was stolen, the user is less likely to know the ZIP code of the true owner), most businesses use the information for marketing purposes. Ultimately, the California Supreme Court held that merchants can still collect customer’s ZIP codes under limited circumstances such as gas station pumps where the information is requested for security reasons, and in transactions involving shipping. Retailers may also ask customers to produce a valid driver’s license for security reasons, but may not record the personal information contained on the license.
The California Supreme Court’s decision was premised upon California’s strict consumer privacy laws. However, the theory of ZIP codes representing personal or protected information has now spread to New Jersey. Superior Court Judge Stephan Hansbury refused to dismiss a lawsuit against Harmon Stores, Inc. for collecting ZIP code information from its credit card customers. The Court held that New Jersey’s Truth in Consumer Contract, Warranty and Notice Act allowed the plaintiffs to assert a claim for violation of N.J.S.A. 56:11-17, which provides:
No person which accepts a credit card for a consumer transaction shall require the credit card holder, as a condition of using a credit card in completing the consumer transaction, to provide for recordation on the credit card transaction form or any other form, any personal identification information that is not required by the issuer to complete the credit card transaction, including, but not limited to, the credit card holder’s address or telephone number, or both; provided, however, that the credit card holder’s telephone number may be required on a credit card transaction form if the credit card transaction is one for which the credit card issuer does not require authorization. (emphasis added)
It appears that the New Jersey Superior Court, like the California Supreme Court, considers ZIP code information to represent protected “personal identification information.” As a general matter, the ZIP code information is not required by the credit card company. As the New Jersey case is in its infancy, we do not yet know the results or full repercussions.
While it is likely that the Harmon Stores case will be appealed at some point (if it does not settle), its very existence creates new uncertainty amongst New Jersey consumers and merchants alike. For consumers, Judge Hansbury’s opinion suggests that the consumer can refuse to provide his or her ZIP code information when engaging in a live transaction (as opposed to online transactions or, like in California, when using an automated machine to charge a transaction). Of course, it is also possible that refusing to provide ZIP code information could simply result in the merchant demanding that you produce a driver’s license.
Merchants, on the other hand, should be sure to have a valid justification for seeking a customer’s ZIP code information in connection with any credit card transaction. Merely seeking it for marketing purposes will not suffice. Alternatively, merchants can be clear in seeking the ZIP code information that providing the information is completely voluntary. However, engaging in such a practice presents its own pitfalls and could create new confusion or a public relations nightmare.
As privacy-related litigation and consumer’s concerns about their privacy rights increase, one thing is becoming abundantly clear: now is the time for businesses to proactively use consumer privacy protection as a marketing tool to distinguish the business from its competitors.
Putting Privacy First
August 18th, 2011“Putting Privacy First” was originally published in the August 2011 edition of TechNews.
By: Michael J. Feldman
Many businesses view legal compliance as a necessary evil and an obstacle to profits. Thus, compliance is often made a mere formality. Dealing with the complex privacy and data protection rules and regulations is often viewed no differently – be it industry-specific rules such as HIPAA (healthcare), age-specific rules such as COPPA (online marketing to minors), agency-specific rules (i.e., SEC or FTC rules), the rules and regulations of each individual state, or even the various foreign laws such as the Data Protection Act (applies to businesses which conduct any business with many European nations). However counterintuitive it may be for some, forward-thinking businesses do not view privacy and data protection compliance as a necessary drag on revenue, but instead, they use it as a marketing tool to distinguish themselves from the competition and grab an increased market share.
As privacy and data breach issues continue to make front page news on a near-daily basis, and with the U.S. Congress working on sweeping new privacy laws, such compliance concerns are increasing in magnitude and importance. The reality is that whether you are aware or not, the various privacy and data protection laws impact and govern the operations of almost all businesses. For example, if you can answer “Yes” to any of these questions, there are privacy and data protection laws that govern your operations: Do you accept credit cards for payment? Do you gather any personal information about your customers, patients, employees, members or vendors? Do you electronically store any data on your computers or servers? Do you sell or market on the Internet? Do you conduct any business with, or market your business to, any person or entity located in another country? Are you in the financial industry? Do you seek to conduct any credit checks on potential employees or customers? The above only addresses a tiny fraction of the activities which subject you to regulation.
So what can and should a business do to not only survive, but actually thrive in this ever-changing regulatory environment? The answer is quite simple – be compliant and market the advantages of your privacy policies.
As acknowledged by the Washington Post on July 18 in “Tech IPO’s Grapple With Privacy,” Google did not have to deal with online privacy in 2004 as such a concept did not exist. Times have certainly changed. On the same day as the Washington Post article, the New York Times reported in an article entitled “Privacy Isn’t Dead. Just Ask Google+” that “Rather than focus on new snazzy features — although it does offer several — Google has chosen to learn from its own mistakes, and Facebook’s. Google decided to make privacy the No. 1 feature of its new service.” Google+ represents a significant attempt by Google to break Facebook’s near stranglehold on social media. Given Google’s past success, it is no surprise that Google has attacked privacy concerns head-on, and turned consumers’ concern for privacy into a marketing bonanza. Such a strategy has been used successfully in the automobile industry for years by companies such as Volvo, Subaru and Mercedes; each of whom turned consumer concern about automobile safety into a marketing opportunity to distinguish themselves from the competition by marketing their superior safety features.
The obvious next question is how does a business use consumers’ privacy concerns as a marketing tool? The answer is to acknowledge your customers’ concerns, explain how and why your business cares about the customer more than your competitors, and that you will keep them safe. To accomplish this goal, you must first determine which regulatory scheme(s) govern the operation of your business. Second, you must determine the best method for compliance with the applicable law, and whether it makes business sense to implement privacy and data security policies which go beyond the minimum required by law. Third, you should examine how, if at all, your competitors address and promote their privacy obligations. Fourth, you must develop a strategic plan to promote to your customers the superiority of your privacy and data security policies. Importantly, you must not only inform your customers of what your privacy and data security policies are, but how such policies help and protect your customers. For example, Mercedes realized that people were scared of getting injured in car crashes, so their advertisements often explained how Mercedes technology would help avoid accidents (i.e., anti-lock brakes) and how they would protect you if you did crash (i.e., airbags and crumple zones). The same applies to privacy and data protection concerns. In the end, by carefully planning out and implementing each of the above four-steps, you will avoid regulatory problems while simultaneously gaining a leg up on the competition.