Episode 81: Using Privacy to Differentiate Your Business with Ann Cavoukian

So why don't you introduce yourself? Sure. My name is Ann cavoukian. And I'm presently leading the Privacy by Design Center of Excellence at Ryerson University and privacy by Design is something I developed a long time ago while I was privacy Commissioner of Ontario, which I was first three terms. I'm the only one who stuck it out for 3 Sinai created it was because I'm not a lawyer. I'm a psychologist. That's my background. I study psychology in the law and I wanted to build a model of prevention looks like a medical model rust prevention. Will you could prevent the Provost jobs from a rising not just address them through Regulatory Compliance. I just wanted to get rid of it. I didn't want them to be created. So that's why I took a design approach to it by invading privacy into the design of our operations bake it into the code into the data architecture and all that we do.

Today, I'm thrilled to have and with us on the show to talk about how you could use privacy to differentiate your business. Look with a gdpr deployment behind us. Maybe you're breathing a sigh of relief on the other hand. Maybe you see it in all of the changes brought about is just another hassle. Yep. Just another regulation to comply with his to help keep people's day to secure. It doesn't have to be that way. What is your company recognized at the Strategic value in differentiation of data privacy and it becoming a company that people actually trust a company that values privacy as much as they value you being their customer. Well, that's what today's episode is all about. Anna and I are going to dig into trust privacy by Design and how this potential hassle is actually an opportunity but customer is always have a choice to stay with your company go to a competitor just walk away. Well, you know, which one you want. It's going to be a great show. So stick around and walk up to the Georgian impact podcast.

Thanks for being here. And it's great to have you thank you very much the pleasure to be here. So in my prepper this podcast actually went back and I acquired a copy of your 2002 book privacy payoff how successful businesses build customer trust opened it up and to my surprise. It was actually signed and your inscription said and I quote to Anonymous for reasons to private to mention. Here's to privacy now best regards. And do you write this in every book you sign or what I have to ask what was up with different things so that we can meet she'll make it a little interesting depending on who gets it. So, I forgot that one. Actually I'm delighted you have it data is being collected not less and I was actually a little flabbergasted on a recent New York Times article on these nine new Facebook patents, but they include they could infer.

Your relationship status by going to where you've been they could predict Life Changes. They're doing more analysis around your media consumption patterns, even to the point of notifying your understanding when your normal routine has been deviated. So we don't know what's going to do with this if anything, but I'd love to hear your thoughts about on how consumer awareness might have changed your do people care people do care people care more than ever before. I've been in this business well over 20 years. I've never seen concern for privacy and terms of the public opinion polls consistently at the 90 percentile 90% of those polled and Pew internet research and other public opinion polls 92% of those bulb have huge concern for privacy and the loss of control over their data and they don't know what to do about it and what accompanies that isn't all time low in terms of trust. So this huge concern for privacy very little Trust.

People don't know what to do about us. A lot of the public speaking that I do a lot of the stuff I do with the media is trying to tell them small measures in terms of things that they can do and my biggest pitch though is two companies and telling them for god sakes in bed privacy and of the design of your operations, and when you do shout it from the rooftops tell your customers the links you're going to protect their privacy the respect you have for them and it will pay off big time because you will gain a competitive Advantage by doing so people will reward you with the repeat business their loyalty and it will attract new opportunity. That's what we got to do a good journey and you mentioned that people can take small incremental steps. I actually was on Facebook the other day and they were giving me an option to update my status or their facial recognition option and it was interesting to me cuz they say click here to go to your settings and I'm on the facial.

But they don't really want me to turn it off cuz they said if you turn this off we won't recognize your face and now we won't be able to capture a bad guy who's using your face for bad things took a breath and said to preserve the date of they have in personally identifiable form and that's why I just think it's there's just so much deception taking place in so many Arenas to scare people to reveal their person identify well data, and if you don't horrible things will happen. It's nonsense. I don't know nonsense and we just have to educate people that you can still use the services you want. You going to search for things. You know, there's DuckDuckGo, which is a wonderful search engine.

For medical condition or whatever. It's nobody else's business. That's what I want people to take away from this a privacy tell about control to a personal control on the part of the individual relating that they are data. It's their data. And so if you want to give it away be my guest, you know, I tell people price. He's not a religion you you want to give away your information by all means I would never stand in your way as long as you do so knowingly because you say it's only the individual who knows the context associated with the information and the sensitivity or lack thereof. Nobody else knows that sure so I think we're not at the point of low. There was a little bit of in the wake of the Cambridge analytica stuff. There was the hashtag delete Facebook campaign. I'm not sure that had a meaningful impact. We still need to see companies kind of step up and do more right absolutely, but I read recently that 40% of Facebook users were at the very least reviewing and restricting who

Access to their data, so they're going into Facebook and they're narrowing at that the massive amount of information flowing out. I'll never forget a few years ago. I was at a conference and IP conference and I was about to give a talk and I ran into Aaron Hagen who said she's privacy officer Facebook and she said over you coming in my session on how we're doing privacy by Design at Facebook. I'm going to give you a shout out and I said, thank you very much, but I brought my own session. And now I'm thinking are you kidding me? You're doing by Design on Facebook or Over My Dead Body by call privacy by Design the little more restrictions of vacuuming up some metadata. You think we're going in the right direction with public-sector yet it certainly in the right direction at the recent Supreme Court decision in the US was wonderful witch said the police that got to get a warrant.

Or they can routinely access the Personnel at your location data off of your mobile phone. That's huge because they've been accessing it everywhere. They go to the telcos and they just take whatever they want. They won't be able to do that anymore. It's the same here in Canada. So I think it's very important to point that out. I actually have a greater concern with surveillance on the part of the public sector than the private sector because you can take your business elsewhere. You don't like that. You don't like what companies do with your information you go somewhere else. You can't do that with the government there it and they have enormous power and Norma's and massive capacity for surveillance. So I think we need to be have very strong oversight independent oversight over with the government does and call them out on everything that violates basic privacy premises. What would you have I guess it was some skirmishes with Google and Facebook where the employees complaining by government contracts. So I think that's a little bit of a trend in the companies are reacting as their employees are their lifeblood cuz I don't

Because even Amazon employees apparently recently objected to the way they're going to be using your Biometrics the way they're pushing done out on Amazon. So Aid if it's great that employees of these major companies are speaking out against certain practices that clearly fly in the face of Primacy kind of maybe it's probably not fair to say this is mirror is gdpr in the US but today the day we're recording this June 21st. I'm sure this will be out probably in August but there is a vote today on the California consumer Privacy Act of 2018. And I love the fact that tech companies will have to disclose the categories of day to take like I was going back to those patents on Facebook. We saw him earlier. So this could be very interesting fingers crossed at today in California. I'm just praying it goes through. I mean, it's huge and the gdpr obviously it doesn't impact that you asked directly.

How it is having an impact. There's no question because everyone u.s. Canadian businesses. We all want to do business with the EU and be able to freely exchange data and we won't be able to do that unless were considered to be adequate and terms of the provisions of our respective countries. I have never had more calls from companies as I have recently us for example companies that want to demonstrate that they're doing privacy by Design which as you know is a part of the gdpr and for that you don't need a regulation you need allies just have to follow the foundational principles calling me to say we wanted at least show good good face to the you that we're doing privacy by Design and since the suros, I've been offering privacy by Design certification because companies want to be certified to demonstrate their really joint. I want to get to the bill to privacy but there's a little bit of self-evaluation. So we've been warned by you and others We Are One by you for a long time. I mean

1998 you and Don Tapscott wrote the book on safeguarding in the network World. Obviously the book by inscriptions Book 2002 privacy pad was pretty cool. So my senses you aren't happy now that's what drove you to develop the Privacy by Design principles. What else drove you to do that with me? I have a psychologist. That's my background and I thought it was crazy that we would simply allow privacy harm set to continue. And in fact grow in this day in age of ubiquitous Computing massive online connectivity social media about I just thought there's no way GIF. We just deal with the problems about data breaches of privacy infractions after the fact, there's no way we're going to have a handle on this in terms of any kind of Regulatory Compliance. View obviously was agreed upon by the Privacy commissioner send data protection authorities who in 2010 unanimously passed Prime.

By Design as an international standard and most of the Privacy Commissioners are our lawyers. I got them lawyers lawyers brilliant lawyers who love drilling down into section 39 sub 2 parte in applying that to the facts situation, but after I spoke to them because it was you now see past night. I inquired they like me they understood that all we were seeing was a tip of the iceberg in terms of that privacy harms that the majority of the data breaches privacy arms privacy issues were evading our detection and evading any possibility of being regulated. So they said we have to revert to a model of prevention much like what you had in mind as a psychologist. That's what I always want to do. I want it for identify the wrist and then build in measures that can prevent them from happening. It's my background Sol cherry pick some of the principles obviously the first principle of being proactive not reactive holds true. I'd like to just focus on number 2, which is privacy is

Your default setting and in light of Cambridge analytica versus a gdpr. Where do you see companies? Are you can companies are there yet. I've or people beginning to demand that I am fascinated by your your data point about 40% of Facebook users date update their settings. What do you think? We are getting privacy as a default setting privacy as the default in the gdpr and its exact opposite. I John of what what's going on now, which is if you want to preserve your privacy after you've bought something online order something you are expected to go through all the legalese in the terms of service and all the details in the privacy policy to find the opt-out box that says do not use my information for any purpose other than the primary purpose intended for the data collection. We know nobody does that is because life is too damn short. We don't have time to do that, but it doesn't mean that people don't want it privacy as the default is the exact opposite.

The game changer it says two people. Don't worry. You don't have to ask for privacy its built-in automatically as the default we give it to you. So when you order something or purchase something online or whatever we will only be able to use your information for the purpose intended. The reason you gave it to us. You don't give us your information and say do whatever the heck you want with it. No, you give it to a fulfill a particular purpose. We can only use it for that purpose and down the road if we want to use it for a second areas where they come back to you and obtain your positive consent total game-changer from black to white in the beauty of the company's private business. When you do privacy as the default like that, it builds trust dramatically your customers begin to trust you. And once you have a trusted business relationship there than happy to say yes to you when you come back to them and ask them for additional consent. They always say yes, there's no issue. It builds trust and grows your business.

So that just privacy is the fault but it's followed by shouted from the rooftops. Absolutely. I always tell people to do that because you don't stay quiet about protecting people's privacy and the gifts you giving them by doing. So you want to make sure they know about it and you do that very respectfully people love hearing about it. First of all, I've been told that repeatedly and they didn't feel much more comfortable engaging in some kind of dialogue with you about other issues and other questions. They may have an information they may want to share with you. So dope opens up a whole new venue and it's your do that perfect follow-up. We got you talk about a positive-sum of security and privacy is a trade-off and I loved it a couple weeks ago. Merry makers report says tech companies are faced with his privacy paradoxical using data to provide a better customer experience versus violating consumer privacy. So my sense is this is going to drive kind of this product design. Peace.

Prophesy into the product design peace again. I just a question. Where do you think we're going to be in from beginning this to be a norm Equifax just got away without having penalties. They just going to change their product. What do you think is going to take to get this kind of done before the fact vs. After the fact that also there's Equifax and others. There's lawsuit said in their class action lawsuits against these companies, so it's not that there's no reprisal. I think it'll take a year or two to get this message across zero-sum. The either or trade off model is so deeply embedded in it seems like all of our operations that it will take some time to change that and I think part of the problem is they don't understand that you can have both you can't have positive some get rid of the either-or win-lose model and substitute and privacy and fill in the blank and they never actually considered that I talked to so many businesses and I told him I want you to have both it's not that I want you to have a tree.

Turn off at all. You can J have multiple games and your customers will also went and they say really you're kidding me know and then I get some examples of how you can do it and you see privacy and data utility. You can have massive uses of data. Would you use strong a Dean identification protocols combined with a risk of re identification framework? You can reduce the risk of identification to listen .05% That's huge. That's like rest of the likelihood of being hit by lightning if you go outside and it's raining out so that's an acceptable risk people. Some people have been people say well, there's no such thing as zero risk. I said, of course not that I got talk about the myth of zero risk all the time, but you don't need to bring it down to zero in my view. There's no zero risk anywhere in the world. But if you would do so dramatically the likelihood of that risk is so slim that it's quite acceptable realized. We don't need any more near deaths of companies and

Money, we just get it right early on. So what element then it goes kind of going through the design principles and her the visibility transparency keeping it open it all kind of wrapped up in in the last so much is respect for user privacy. So let's take a really nice but they use our first, you know, we could have started with that as the first principle. I always say that when I when I found with companies that are user-centric it changes their entire mindset the way they approach a problem. They always start with what are there any applications to the user to our customers in terms of how are using their information? Will it be made publicly available in ways you were never intended and reforms the whole practice and then it leads to something. I got a phone call at 10 a data map title companies. Do you have a data map meaning? Do you know how identifiable data flows to write your organization you collected for the primary purpose intended totally acceptable then what happened?

Does it go to any other departments in your organization is it used for any secondary uses that have not been consented to when you met that out it clarifies everything beautifully it in Hales that user-centric philosophy into your operations is the best way to understand different forms of a best practice for a company that data map is something I hadn't really thought about it really is a great way to think about how you're impacting different parts of the product. What you doing with it and then and then makes it that much easier to communicate it back to the end users in terms of being transparent exactly. So again, if there's a feedback loop and it becomes this win-win proposition and it also shows your customers very clearly the links you going to respect their privacy. And is that what you'll be rewarded for that again? And again if we have your recognized at this is differentiations for company that they're going to be more competitive. They'll do a better job.

Satisfying their users. We are really getting for the point of the Strategic nature of this. This has to become not just a top-down policy. But this this issue of privacy has to begin to permeate the entire culture company. Totally totally it it's some from top to bottom. That's why I always start with the CEOs and a company once I get there buying then you go through I was going to say go right to the beginning to the front line staff and work your way up because everyone has to understand why you're doing it at first it may seem like a pain. Why are we doing this? We've been doing it this way forever. You have to explain it to them and explain that it is not more labor-intensive. It's just a different mindset in terms of your approach and I've never have a strand square at the end of doing this. There's been a negative result it always leads to positive and it also has to be an ongoing process. So I tell him it's like a chess games. I point-counterpoint.

In terms of the security you need associated with the production of the data as you know, there's still a massive daily cybersecurity text. You got to have very strong Security in place and you need to make sure that our operates in a way that is compatible with what you have in mind. So constant review and concern for privacy just permeates throughout the entire system. So in addition to you and I using the same, I'm not ready. I think my friends will my check your friend think I'm a little nut but I'm not ready to put in a nest or ring in my home as yet on what they're doing both to protect my data and how they're using the date. I'm still waiting for that. So what should a company to get our business what they should first of all demonstrate that it with an S and other pair were talking about internet of things connected devices excetera, and I've been saying for you

It's like the wild west they're so excited to get the product out the door the rushing out the door without building virtually any privacy and security into these products. It is appalling that all the data breaches that are happening. But all of the other was a story just a few weeks ago where I can't remember a thing was Alexa Echo where it picked up the personal conversation of this couple and it somehow related to one of their contacts now thank God the contact and it didn't then send it to the media. But the point is they were sure sure thing people. Do you really want ya the sweet nothings you're saying to your spouse the personal conversations you're having with your children my God you want that ever to possibly go public and the other thing I just learned about this last week and I was appalled by it and even I hadn't thought of this.

Smart devices in the home connected devices are being used as instruments of domestic abuse. Can you believe this or just read that myself young usually turns out it's usually the men who have the passwords and run the technology on these connected devices when they break up and they leave and they're mad they do horrible things to their worst movies connected devices. I was reading about this one woman or doorbell. She couldn't get it to stop ringing it was ringing all the time. And another one that it's in the middle of the summer. She put her air conditioning on the thermostat up one up to a hundred degrees Keech. She's dying if he said she stays the air conditioner. What is it? The guy had increased it that the temperature setting to a hundred degrees and her things like this are happening All the Time video surveillance cameras are going nuts. And this is the horror of it. I don't want to see the disease or safety issues. I never even considered so you got to be very careful.

When you use these devices are now telling everyone should know how to operate these things in their homes. They should have a password and most important that you know how to disable them. Right? So let's take this list countries wrap this up again. You're right in terms of a b c baking the consumers more intelligent, but I'm going to still lay this back on the companies in the sense of what their practice practice just might be so let's just kind of wrap up and have you reiterate for your kind of some of the key company best practices reference what individual should do but the responsibility has the light at the end of the company's first and foremost. I have to convey to all their employees the notion of primary purpose. There's two would have cost her information practices called purpose specification and use limitation, which means simply when you're collecting information from someone you collected for particular purpose you specify the purpose. I need your information your credit card.

Complete the transaction your home address to deliver the product you whatever that's purpose specification then use limitation is you the company limit your use of the information to that primary purpose of the data collection. That's the only reason I gave you the information and you were switching use of the information to that purpose unless down the road. If a second or use comes up, you go back to your customer and you obtain additional consent for the secondaries. If you do that, you will be golden. It's embedding privacy into the design of your operations up front so that you will minimize the likelihood of data breaches privacy harms and you will keep your customers informed of the links you're going to to protect their privacy by Design and they won't thank you for it. So you make it a win-win operation. I want everyone to win and we can do this or 2 better way to end it then on that point. That was fantastic and what a pleasure talk to you. Thank you so much. You're very kind.

It's my pleasure.

Thanks for listening if you like what we doing, we'd appreciate your telling other people about the show better yet. Give us a 5-star rating on iTunes or write a review doing so will really help ensure the more people can find us and if you haven't already please subscribe to the impact podcast on iTunes, SoundCloud or have you go to find your podcast.