We take action at a Group and operating company level to make sure that consumer privacy is protected and we engage with others to improve privacy practices.

The ability to collect and use consumer data online is changing the face of marketing. It is creating opportunities to deliver more targeted advertising and allowing companies to connect more closely with consumers and monitor the effectiveness of their marketing spend. However, these advances must be balanced with the need to protect privacy and to ensure that consumers also benefit from use of their data.

At WPP, data is central to our business as our companies collect, store and use consumer data on behalf of clients. We take action at a Group and operating company level to make sure that consumer privacy is protected and that we engage with consumers, regulators, clients and industry to improve privacy practices.

Our goal is that everyone within WPP companies should view privacy and security best practices as part of how we do business.

Profile: Integrating privacy at Xaxis

Xaxis Tim Abraham

Consumer choice is a key principle for us, and we are investing in information and tools to give people more control on how their data is used. That’s better for consumers and ultimately our clients.

Tim Abraham,
Director, Data and Audience,
EMEA at Xaxis

Xaxis, GroupM’s digital media company, is embedding privacy and consumer choice into the way it operates.

The Xaxis business creates and delivers audience-targeted campaigns for GroupM media agencies across a range of digital platforms. Xaxis uses cookies to deliver these products and help advertisers reach consumers who are more likely to be interested in their products and services. This enables Xaxis’ advertising and publisher clients to improve the effectiveness of their online advertising which in turn helps support the availability of free-at-the-point-of-use internet content.

Although cookies use anonymous browsing data and don’t capture any information that is personally-identifiable, Xaxis’ policy is to provide consumer choice and transparency for cookie data that, where possible, is similar to that used for personally identifiable information.

Its approach starts with a comprehensive privacy policy, designed to be easy to understand without oversimplifying complex topics. Privacy is an area that can change rapidly as new technology develops. To maintain knowledge, employees receive training on privacy, and privacy-related issues are discussed as regular agenda items at management meetings. The business encourages sharing of best practices between offices, for example through a monthly e-privacy working group in the UK.

Senior leaders at Xaxis take part in work by industry bodies to improve standards on privacy. This includes work with the Internet Advertising Bureau (IAB) to develop the technical specification for the AdChoices Icon component of the Online Behavioural Advertising Framework. This icon must be placed into every ad that uses cookie data for targeting, enabling users to get information on cookies. The AdChoices icon is now used on all Xaxis and GroupM ads in the UK, including those collecting cookie data as well as those using cookie data, exceeding the requirements of the IAB program.

The business is looking into development of a ‘consumer transparency portal’ that will make it easier for consumers to see what cookie data is held on them and give them more control to opt out or to specify the type of ads they would like to see.

Xaxis also engages on privacy at the policy level, for example through regular engagement with the Network Advertising Initiative in North America.

Policies and training

We launched the first global WPP Data Health Checker to review the privacy risks within WPP and to assess the privacy practices at each of our operating companies.

In 2013, we launched the WPP Data Code of Conduct, which provides a clear framework for privacy practices across all WPP agencies. We also launched global IT security, privacy and social media policies that all WPP companies must implement.

Our Group-wide ethics training includes four scenarios relating to privacy issues. We also run more detailed bespoke training sessions on specific topics. For example, employees in the UK were trained on the EU Cookies Directive during 2013.

Understanding our privacy footprint

In 2013, we launched the first global WPP Data Health Checker to review the privacy risks within WPP and to assess the privacy practices at each of our operating companies. It was completed by 73% of all companies and assessed both privacy risks (such as how much data is held and the types of data collected), as well as mitigation measures (the steps taken by companies to secure and protect data).

88%
of the agencies in our Data Health Checker have taken mitigation measures that match or exceed their level of privacy risk

The results of the Health Checker showed that 88% of the companies involved have taken mitigation measures that match or exceed their level of privacy risk. On average, companies were found to have a risk score of 2.73 out of 5, with 5 being the highest level of risk, with the average score for mitigation measures at 3.39 out of 5 with 5 being the highest level of mitigation. This means our companies had an average level of risk but with a higher than average level of mitigation. Companies showed good understanding of the consent requirements for collecting, using and storing consumer data, and 63% have a dedicated privacy lead and have launched bespoke privacy training. We provided results to the CEOs, chief financial officers and chief information officers of our 16 operating company groups, and maintain an ongoing dialogue with them on this subject. The Health Checker is also enabling our companies to assess how they compare with others in WPP and to understand where further action is needed.

Our internal (ITS) audit team reviews privacy risks and practices as part of its Group-wide audit program, focusing on a selection of companies each year. We have used the Health Checker results to assist in focusing these reviews, and have implemented measures to make sure that audits reflect WPP’s global IT security policy.

Working with others

We work with peer companies and industry bodies such as the Advertising Association, W3C Tracking Protection Working Group and the Interactive Advertising Bureau on privacy-related issues.

Chapter 3 of 10

30%