US20170068827A1

US20170068827A1 - Live privacy policy method and apparatus

Info

Publication number: US20170068827A1
Application number: US15/256,082
Authority: US
Inventors: Christopher David Sachs
Original assignee: SwimIt Inc
Current assignee: SwimIt Inc
Priority date: 2015-09-04
Filing date: 2016-09-02
Publication date: 2017-03-09
Also published as: US10367852B2; US20170070457A1; EP3341841A4; US20170070539A1; WO2017040997A1; US10362067B2; EP3341841A1

Abstract

A live privacy policy method and system enables enterprises to update in real-time their privacy policy declaration by monitoring the third-party activities using the invention described herein. Once the software is integrated into the website and web applications, third-party related activities are captured continuously and used to build a live profile that is also updated continuously. This allows enterprises adhere to privacy policy regulations without any delays. This also benefits consumers who are able to view the data being collected to determine if they want to opt out.

Description

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application claims the benefit of U.S. Provisional Patent Application Ser. No. 62/214,786, filed Sep. 4, 2015, and titled “PRIVACY AWARENESS APPLICATION, LIVE PRIVACY POLICY, AND DISTRIBUTED AND MULTIPLEXED PEER TO PEER REAL-TIME MESSAGING UTILIZING BACK PRESSURE SIGNALLING,” which is hereby incorporated by reference in its entirety for all purposes.

FIELD OF THE INVENTION

The present invention relates to the field of privacy and security. More specifically, the present invention relates to website privacy and security.

BACKGROUND OF THE INVENTION

Today's websites and web application interaction model involve a browser retrieving data over the Internet (e.g., WWW) from advertisers, data collectors, content delivery networks and enterprise servers. Interaction model refers to the flow of data and control between various entities. Browsers displaying the web application or website user interfaces directly interact with many types of systems on the internet (e.g., advertiser systems). The common perception is that the website or web application is driven from the software residing on enterprise servers. This might be the case for enterprises that are business-centric, but consumer-centric enterprises work with many partners and affiliates (e.g., Google Analytics, a data collector), and therefore the data and control flow is dynamically constructed based on the consumer activity on the website or web application.
This dynamic interaction model is important for implementation of today's business strategies. Unfortunately, there are people and businesses that are taking advantage of this model to collect and misuse consumer data that can lead to privacy and security issues.
Enterprises are providing free products (e.g., email application) and services in exchange for the right to collect user/consumer information. This was the start of consumer data privacy problems, and today this data collection is being taken advantage of by third-parties (partners, direct and indirect affiliates and others) without direct consent of users/consumers. Key problems associated with data collection are:

1. Users/Consumers do not have an explicit understanding of specific data that is being collected, stored, used, shared and for what purpose. This data is being monetized by the collecting enterprises. If consumers are aware of specifics and the associated opportunity cost then they can make a more informed decision about using these free products and services.
2. Consumers have a very limited or no understanding of data being collected by third-parties. This data is typically Personally Identifiable Information (PII) and Personality Profiling Information (PPI). This data is being monetized and misused by the collecting third-parties. If consumers are aware of what is being collected by these third-parties then they can opt-out or inform the enterprises to stop this data collection.

SUMMARY OF THE INVENTION

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of the live privacy policy system according to some embodiments.

FIG. 2 illustrates a flowchart of an implementation of the live privacy policy method according to some embodiments.

FIG. 3 illustrates a block diagram of an exemplary computing device configured to implement the live privacy policy method according to some embodiments.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A privacy policy is a legal statement made by businesses to declare their policy regarding collection, use, dissemination, and maintenance of user/consumer/client (“Consumer”) personally identifiable information (PII) during the course of normal business conducted using the software applications or website of the business. Businesses are required to provide this legal statement to protect Consumer privacy. The United States Federal Trade Commission, U.S. state government agencies and similar agencies from other countries have been using a variety of tools to protect consumers' privacy and personal information.
Businesses have developed websites and web applications to support the interactive and highly interconnected environment in which people live and work today. These implementations involve: sourcing of content that is displayed in realtime when a user (e.g., Consumer) is interacting with the software; sourcing of content that is personalized to a user. Personalizations are based on: location of a user, profile/personality of the user, usage history, customer data from other sources and more; sourcing content from a multitude of sources; first party content where a first party is the website or web application owner that has the direct relationship with the user;
third party content, where a third party (e.g., advertisement networks) refers to: a business that is a separate legal entity from the first party, a business not affiliated by a common ownership or corporate control with the first party, a business that has access to first party resources (websites, web applications and data sources), if that business is authorized to use the information gathered from the resources for marketing or other purposes; content generation in realtime using dynamically generated scripts and other techniques, content personalization in realtime, customer data collection by first party or third parties, a large volume of data collection to support profiling and personalization, execution of range of analytics involving personal data to provide insights into individual and group trends, movements, interests, and activities; frequent and complex interactions among various businesses that involve personal data; and global availability of personal data, supported by communications networks and platforms.
These implementations are leading to many problems such as:

1. Privacy profiles that are high level and do not offer Consumers a precise, transparent and easily understandable statement about collection, use, dissemination, and maintenance of PII and Personal Profile Information (PPI).
2. Involvement of numerous third-parties results in Privacy profiles that do not provide a complete purpose specifications that requires disclosure of authority that permits the collection of PII & PPI, intended use of PII & PPI, inability to control the PII and PPI data collection and therefore adhere to the data minimization requirement which involves: businesses collecting PII that is directly relevant and required to accomplish a specified purpose(s), and businesses retaining PII for a duration of time that is necessary to fulfill the specified purpose(s).
3. Dynamic nature and the involvement of third parties causes business difficulty in tracking, accounting and auditing of PII
4. Inability of the businesses to capture and record changes to the privacy profile in a timeframe that reflects the reality.
5. Lack of Consumer participation in a business privacy policy implementation and maintenance due to lack of awareness regarding the PII data collection (what, when, where, who, and more) and inability and lack of technology/tools to offer consent to PII related activities of a business.
6. Security of PII is difficult because of the number of businesses handling the information and distribution to many geographically diverse locations.
7. Inability for industry watchdog groups and law enforcement agencies to monitor and enforce privacy guidelines and laws due to lack of information from the dynamic and realtime network of privacy data collectors and users.

A live privacy policy system that is generated by the collaborative efforts of key stakeholders involved in the PII collection, retention, usage, sharing and maintenance, includes: realtime data (who, what data, retention policy, usage policy and sharing policy) for a first party and third parties, consumer restrictions and business compliance information, and regulatory requirements and business compliance information.
The live privacy policy system is tailored to a user and reflects the true intent of privacy rights. The key stakeholders responsible for the privacy policy are representatives of the business, Consumers and Third parties. Each of the stakeholders contribute to the generation of the Live Privacy Policy using tools and data that is made available to them.
FIG. 1 illustrates a block diagram of the live privacy policy system according to some embodiments. The live privacy policy system 100 identifies the PII and PPI data collection of a business. A suite of tools automatically generates PII data from website and web applications associated with the business. For applications on the web/desktop/mobile 102 that capture PII and PPI data, an SDK along with a Privacy API 104 is able to be used to capture the PII and PPI data transacted using the application. The first party data is stored in the first party dataset 104 and the third party data is stored in the third party dataset 106.
For websites 108, PII and PPI data transacted is able to be captured by a browser extension 110, and the data is saved in first party dataset 104 and in third party dataset 106.
Regulated PII and PPI is captured from the regulations and saved in a dataset 112.
Users/consumers 114 view the first party dataset 104, third party dataset 106, regulatory dataset 112 and specify the consumer restrictions on the dataset 116. A live privacy policy manager 118 forwards restrictions specified by users 114 to a do not track manager 120. The do not track manager 120 generates the appropriate do not track requests to third parties and to the business applications. In some embodiments, the do not track requests are managed and monitored by industry entities such as National Advertising Initiative (NAI) and Digital Advertising Alliance (DAA). They will contact the appropriate company and request them to adhere to the user request. Once a confirmation is received from these entities, the do not track manager 120 will report back to the Live Privacy Profile Manager 118, and the restriction status will be updated from Pending to Active or will remain in Pending status if a response is not received. In some embodiments, the do not track implementation is automatically executed.
PII and PPI from business applications is captured in the business application PII/PPI dataset 122.
Each time a user 114 requests a live privacy policy from a business, the live privacy policy manager 118 reads the first party dataset 104, third party dataset 106, consumer restrictions and the business apps dataset 122 to generate the live privacy profile 124.
FIG. 2 illustrates a flowchart of an implementation of the live privacy policy method according to some embodiments. In the step 200, data collection is monitored from enterprise mobile and web applications. The data collection is able to be monitored by integration of enterprise mobile applications with the privacy API using the SDK and/or offering consumers using enterprise web applications and websites to install browser extension. In the step 202, once the software is integrated and installed, users using the mobile and web applications are able to perform actions regarding privacy. For example, users are able to observe the data being collected. This is reflected in the enterprise privacy policy. Users are also able to restrict the data the enterprise and third parties are able to collect, use and share. The restrictions are implemented by the software by forwarding do not track requests. Users are also able to have a live privacy policy profile generated which provides privacy information specific to the user. In some embodiments, fewer or additional steps are implemented. In some embodiments, the order of the steps is modified.
FIG. 3 illustrates a block diagram of an exemplary computing device configured to implement the live privacy policy method according to some embodiments. The computing device 300 is able to be used to acquire, store, compute, process, communicate and/or display information. In general, a hardware structure suitable for implementing the computing device 300 includes a network interface 302, a memory 304, a processor 306, I/O device(s) 308, a bus 310 and a storage device 312. The choice of processor is not critical as long as a suitable processor with sufficient speed is chosen. The memory 304 is able to be any conventional computer memory known in the art. The storage device 312 is able to include a hard drive, CDROM, CDRW, DVD, DVDRW, High Definition disc/drive, ultra-HD drive, flash memory card or any other storage device. The computing device 300 is able to include one or more network interfaces 302. An example of a network interface includes a network card connected to an Ethernet or other type of LAN. The I/O device(s) 308 are able to include one or more of the following: keyboard, mouse, monitor, screen, printer, modem, touchscreen, button interface and other devices. Live privacy policy application(s) 330 used to perform the live privacy policy method are likely to be stored in the storage device 312 and memory 304 and processed as applications are typically processed. More or fewer components shown in FIG. 3 are able to be included in the computing device 300. In some embodiments, live privacy policy hardware 320 is included. Although the computing device 300 in FIG. 3 includes applications 330 and hardware 320 for the live privacy policy method, the live privacy policy method is able to be implemented on a computing device in hardware, firmware, software or any combination thereof. For example, in some embodiments, the live privacy policy method applications 330 are programmed in a memory and executed using a processor. In another example, in some embodiments, the live privacy policy hardware 320 is programmed hardware logic including gates specifically designed to implement the live privacy policy method.
In some embodiments, the live privacy policy application(s) 330 include several applications and/or modules. In some embodiments, modules include one or more sub-modules as well. In some embodiments, fewer or additional modules are able to be included.
Examples of suitable computing devices include a personal computer, a laptop computer, a computer workstation, a server, a mainframe computer, a handheld computer, a personal digital assistant, a cellular/mobile telephone, a smart appliance, a gaming console, a digital camera, a digital camcorder, a camera phone, a smart phone, a portable music player, a tablet computer, a mobile device, a video player, a video disc writer/player (e.g., DVD writer/player, high definition disc writer/player, ultra high definition disc writer/player), a television, an augmented reality device, a virtual reality device, a home entertainment system, smart jewelry (e.g., smart watch) or any other suitable computing device.
To utilize the live privacy policy method and system, data collection is monitored from enterprise mobile and web applications. Once software is integrated and installed, users using the mobile and web applications are able to: observe the data being collected and restrict the data the enterprise and third parties are able to collect, use and share.
In operation, live privacy policy method and system provides many advantages:
Enterprises will provide an accurate and up-to-date privacy policy to the consumers and others who they conduct business with. This will improve the credibility for the enterprise and provide more confidence to consumers and others while conducting online business with the enterprise.
Data trackers and advertisers are able to continue to provide valuable personalization services to consumers but with explicit consent from the consumers. This cooperative environment will enable more accurate personalization and reduce the risks of inadvertent data leaks and security issues around personal data.
Consumers get personalized content while controlling what they want to share with enterprises providing products and services.
Consumer awareness that is context-specific and transparent, such as identifying: PII and PPI that is collected, third parties involved and their PII and PPI activities and other data sharing relationships among third parties that are not directly attributed to business that have direct consumer relationships. A business is better able to establish and maintain consumer confidence and trust, by: enabling consumer participation in PII activities, viewing PII being collected, providing tools to update or remove inaccurate data, providing a process to allow users to register, track and view progress of complaints, enabling business to monitor and manage data minimization requirements, enabling business to monitor and manage PII including usage, quality and integrity and security, and implementing realtime updates to privacy policy. Businesses and consumers are offered a process to handle Customer “Do Not Track” requests.
The present invention has been described in terms of specific embodiments incorporating details to facilitate the understanding of principles of construction and operation of the invention. Such reference herein to specific embodiments and details thereof is not intended to limit the scope of the claims appended hereto. It will be readily apparent to one skilled in the art that other various modifications may be made in the embodiment chosen for illustration without departing from the spirit and scope of the invention as defined by the claims.

Claims

What is claimed is:

1. A method programmed in a non-transitory memory of a device comprising:

a. collecting real-time data associated with a company's website ecosystem partners and affiliates; and

b. generating a dynamic privacy document which is updated based on the real-time data.

2. The method of claim 1 wherein the real-time data comprises a user's privacy data including Personally Identifiable Information (PII) and Personal Profiling Information (PPI).

3. The method of claim 1 wherein the user's privacy data includes the user's name, address, phone number, websites visited, location, or purchase history.

4. The method of claim 1 further comprising displaying the dynamic privacy document.

5. The method of claim 1 further comprising enabling a user to provide input regarding the collection of the real-time privacy data.

6. The method of claim 5 wherein enabling a user to provide input includes collaborating with the company's advertisement ecosystem and affiliates regarding private data collection, processing and storage of private data.

7. The method of claim 5 further comprising enabling a user to receive personalized content, and enabling the user to control what information is shared and how the information is used.

8. The method of claim 1 further comprising:

identifying personally identifiable information and personality profiling information; and

forwarding a restriction specified by a user to a do not track manager based on reviewing the personally identifiable information and the personality profiling information.

9. The method of claim 1 wherein collecting the real-time data is with a software developer kit along with a privacy application programming interface.

10. The method of claim 1 wherein collecting the real-time data is with a browser extension.

11. An apparatus comprising:

a. a non-transitory memory for storing an application, the application configured for:

i. collecting real-time data associated with a company's website ecosystem partners and affiliates; and

ii. generating a dynamic privacy document which is updated based on the real-time data; and

b. a processor for processing the application.

12. The apparatus of claim 11 wherein the real-time data comprises a user's privacy data including Personally Identifiable Information (PII) and Personal Profiling Information (PPI).

13. The apparatus of claim 11 wherein the user's privacy data includes the user's name, address, phone number, websites visited, location, or purchase history.

14. The apparatus of claim 11 further comprising a display for displaying the dynamic privacy document.

15. The apparatus of claim 11 the application further configured for enabling a user to provide input regarding the collection of the real-time privacy data.

16. The apparatus of claim 15 wherein enabling a user to provide input includes collaborating with the company's advertisement ecosystem and affiliates regarding private data collection, processing and storage of private data.

17. The apparatus of claim 15 the application further configured for enabling a user to receive personalized content, and enabling the user to control what information is shared and how the information is used.

18. The apparatus of claim 11 the application further configured for:

19. The apparatus of claim 11 wherein collecting the real-time data is with a software developer kit along with a privacy application programming interface.

20. The apparatus of claim 11 wherein collecting the real-time data is with a browser extension.

21. A system comprising:

a. a client device configured for collecting real-time data associated with a company's website ecosystem partners and affiliates; and

b. a server device configured for generating a dynamic privacy document which is updated based on the real-time data.

22. The system of claim 21 wherein the real-time data comprises a user's privacy data including Personally Identifiable Information (PII) and Personal Profiling Information (PPI).

23. The system of claim 21 wherein the user's privacy data includes the user's name, address, phone number, websites visited, location or purchase history.

24. The system of claim 21 wherein the client device is configured for displaying the dynamic privacy document.

25. The system of claim 21 wherein the client device is configured for enabling a user to provide input regarding the collection of the real-time privacy data.

26. The system of claim 25 wherein enabling a user to provide input includes collaborating with the company's advertisement ecosystem and affiliates regarding private data collection, processing and storage of private data.

27. The system of claim 25 further comprising enabling a user to receive personalized content, and enabling the user to control what information is shared and how the information is used.

28. The system of claim 21 wherein the client device is configured for:

29. The system of claim 21 wherein collecting the real-time data is with a software developer kit along with a privacy application programming interface.

30. The system of claim 21 wherein collecting the real-time data is with a browser extension.