Thursday, June 05, 2014

Privacy cost of Cadbury's "Joy" promotion

Inside a chocolate bar wrapper:
"Joyful jubilations!
You've won a FREE
chocolate bar!"
Visit or and enter the code below..."
They've got to be kidding? Right? Nope.

Ok, I'll bite (sorry, couldn't resist).

Pull up the Cadbury site. Promotion front and centre. Click on the enter the code for FREE chocolate bar button. Click on the enter the code button again on the next page. Enter the code. Click through.

"Oh JOY! You've won a free
chocolate bar.
Enter your details to get your Cadbury coupon for one of the bars below."

Now they want a name and email address and here we have it - the links to the 2378 word terms and conditions and 3134 word privacy policy. I'll try the privacy policy first. Not sure I could stomach the terms and conditions. (That one I'm not apologising for).
"Mondelez Privacy Policy
All content on this website is owned and operated by Mondelez UK Ltd ("MDLZ" or "we")..."
Ok so I'm not even dealing with Cadbury any more? Oh yeah I forgot. Mondelez manages Cadburys for Kraft. Move along.
"Your access to and use of this Site and its contents (the “Site”) is subject to the terms and conditions of this Privacy Policy... By accessing and using this Site, you (the “User” or “you”) accept and agree to these terms and conditions without any limitation or qualification."
Absolutely. Accept urrg ur I agree... After all, my FREEE (sic - given the privacy policy has a number of typos I figured I was entitled to one and you can have that one for FREE) chocolate bar is in your hands.
"What type of data do we collect?
Personally-Identifiable Information On our Site, we may collect certain personally-identifiable information, such as name, gender, telephone number and e-mail address...
We may use cookies, web beacons/pixel tags, log files, and other technologies to collect certain information...
We may obtain information about you from other sources, including commercially available sources, such as data aggregators and public databases. This information may include name, demographic information, interests, and publicly-observed data, such as from social media and shopping behavior... "
All that data? "FREE" chocolate bar?

How do you process and use my information? For "promotional offers, materials, and other communications and information about MDLZ", to respond to me, to contact me...
"In addition we may use such personal information:
  • to respond to your questions and requests, to provide you with access to certain areas and features and to communicate with you about your activities on this Site;
  • to share it with our Related Parties as required to perform functions on our behalf in connection with the Site (such as delivery of merchandise, administration of the website or promotions or other features on it, marketing, data analysis or customer services). To do so, it may be necessary for us to transmit your personal information to outside the above Jurisdiction, and, where the site is based within the European Economic Area (EEA), to outside the EEA, and you agree to this transfer. Further use or disclosure of the information by them for other purposes is not permitted. To provide you with product information or promotional and other offers from us or our Related Parties;
  • if required by law, regulation or court order;
  • for the purpose of or in connection with legal proceedings or necessary for establishing, defending or exercising legal rights; or
  • in an emergency to protect the health or safety of website users or the general public or in the interests of national security."
So you are going to share my information with "Related Parties" including transmitting it outside the European Economic Area (EEA) and I agree to this.

Dey don't know me vewy well do dey?

As if that extracting of the proverbial Michael Mouse wasn't enough, national security?!! I hereby put out a call to Bruce Schneier to include a special category in his 8th annual movie plot threat contest next year for plots centred on chocolate bars.
"How we share your information
    We do not sell or otherwise disclose personally identifiable information about our website visitors..."
Hang on, you've just said exactly the opposite.
"... except as described here."
So when you say you don't sell or disclose personally identifiable information, what you mean is you do. Gotcha.
"We may share personally identifiable information among MDLZ and MDLZ brands and subsidiaries... with service providers... [who may] disclose the information as necessary... In addition, we may disclose information where we think it’s necessary... in response to a request from... government officials
We may share with our promotional partners (and their service providers)... "
Ok so you're giving my information to all and sundry. What about security?
"The security of personally-identifiable information is important to us... To the fullest extent permitted by law, we disclaim all liability and responsibility for any Damages you may suffer due to any loss, unauthorized access, misuse or alteration of any information"
Ah yes. The old security is important but it's never, ever going to be our fault if we muck it up routine.

Well at least I know what I'm signing up to. It's all clear and fixed at the time I claim my FREE chocolate bar.
"We may change or update parts of this Data Privacy Statement at any time and without prior notice to you."
Er. You and only you can change the deal at any time after it is concluded?

Right then I demand to know how long you are going to keep all the data you will gather on me, in exchange for this FREE chocolate bar you are offering.
"Your personal data will be kept by Mondelez Europe ... for as long as is reasonably necessary for the purposes for which they are processed"
That's clear, except you can change the deal whenever you feel like it. And despite it being a breach of a fundamental data protection principle, the purposes for which you are collecting this data appear already to be pretty fluid, even before you decide to change them at some unspecified point in the future.
"We take the protection of children’s privacy seriously. We operate this Site in compliance with all applicable law in the above Jurisdiction. Children under the age referred to below for the appropriate Jurisdiction for the Site should have a parent/guardian’s consent before providing any personal information to the website. We will not, as provided by applicable law, require or request children under this age to provide more personal information than is reasonably necessary to participate in the applicable activity on the Site. If we determine upon collection that a user is under this age, we will not use or maintain his/her personal information without the parent/guardian’s consent. Without such consent, though, the child may not be able to participate in certain activities. However, in certain circumstances, we may maintain and use such information (in accordance with the rest of this Policy and applicable law) in order to notify and obtain consent from the parent/guardian and for certain safety, security, liability and other purposes permitted under applicable law. A parent/ guardian can review, remove, change or refuse further collection or use of their child’s personal information by contacting us as provided above (include child’s name, address and e-mail address).
Site’s Jurisdiction/Applicable Age:
  • United States & Australia: Under 13 years of age.
  • Other Jurisdictions: Under 12 years of age."
In short you take children's privacy seriously. Parents or guardians should be involved if kids under 12 want to claim a FREE chocolate bar and they can chase you to alter or remove the child's details from your systems. But hey, if the kid ticks the box to say s/he is 16 or over when claiming the FREE bar that's the parents/guardians' problem not yours.

Last question, what if a corporate raider comes a calling? Cadbury has been subject to hostile takeover bids in the past after all.
"Transfer of assets
    During the course of our business, we may sell or purchase assets. If another entity acquires us or all or substantially all of our assets, personally and non-personally identifiable information we have collected about the users of the Site may be transferred to such entity. Also, if any bankruptcy or reorganization proceeding is brought by or against us, such information may be considered an asset of ours and may be sold or transferred to third parties."
Right so when the asset stripper moves in all bets are off and previous and loosely prevailing privacy "protections" are even more worthless than the prior electronic paper they were written on.

Fair enough. An hour down the road, even though I have not perused your terms and conditions yet, I now feel like I'm finally in a position to decide whether to indulge in joyful jubilations and claim my FREE chocolate bar! My response Ms Rosenfeld, Chairman and CEO of Mondelez International is -
In fairness, Mondelez are just asking for a name and email address and engagement with their website, rather than anything more invasive in the first instance. They then email the coupon for the FREE chocolate (a certain Michael Mouse will be getting mine). But the overreaching "privacy" policy is all too typical and yet another indicator that the sugar industry is also now in the surveillance business.

Tuesday, June 03, 2014

John Oliver on FCC proposals to kill Net Neutrality

John Oliver, doing more in 13 minutes for the cause of net neutrality than years of campaigning by digital rights NGOs, academics and certain brands of big tech...

I particularly liked his point (at about 10m 20s) about corporate America understanding that "if you want to do something evil put it inside something boring. Apple could put the entire text of Mein Kampf inside the iTunes user agreement and you'd just go urrg ur I agree..."

His call to arms to internet trolls to explain, in the abusive way only they do, their disapproval, at, however, may well land him in trouble, after the FCC site reportedly went under with the weight of the response elicited.