Today, companies throughout the U.S. begin recognizing Data Privacy Day (formally set for Sunday, January 28). Now in its 10th year, the goal of this international event is to raise privacy awareness among businesses and individuals and promote strong data safeguarding practices. For those of us in the marketing and PR fields, Data Privacy Day offers a reminder to first think about data-centric initiatives in a way that protects your customers, your company and possibly your career. We work with marketing executives with cybersecurity companies every day, helping to share best practices that will safeguard consumer information. As a marketer with a passion for and specialization in data privacy, I’ve developed the following tips to help fellow marketers get the job done and better manage data risk:
Know what’s promised in your company’s privacy notice. Privacy notices – those external-facing documents that give customers the terms and conditions of sharing their data with you – have become de facto for most businesses, and are often legally required. Even though these policies can be lengthy and challenging to read, they’re a binding agreement with anyone whose data you collect. And there ARE people who read them! Know what your company notice says is being done with collected data – and make sure that actual marketing practices align to it.
Set limits on data collection. Understand what you’re collecting and why you need it. It is tempting to gather as much data as you can because “someday” it may come in handy. Realistically, data gets stale fast, limiting its useful shelf life. If you have a breach or get visited by a regulator, you may have to substantiate a business rationale for possessing whatever data you hold. That means a real business purpose now, not a “maybe someday we’ll use it” reason. You can’t get in trouble with what you don’t have, so gather what you truly need and let go of the rest.
Respect boundaries. While marketing automation enables highly targeted contact at more predictable times in the buy cycle, it can easily get overdone. People complain about ads following them for days after an online search, and ad blockers are gaining in popularity. Growing use of location tracking and facial recognition may increase a feel of stalking. Allow opt-out, and always give users choice in how much information they receive and how often. The Digital Advertising Alliance offers some helpful guidelines too.
Is texting in your marketing mix? Text messages to mobile devices are covered by the Telephone Consumer Protection Act and certain Federal Communications Commission rules. It’s prohibited to send texts to mobile numbers without express consent from the number’s owner. This practice can end up with a fine to your business or even law suits, so be sure you have permission before hitting ‘send.’
If your target market is kids … It’s flat out against U.S. law to collect personally identifiable information on children under age 13 without their parents’ consent. That includes monitoring what sites they go to, what they look at, their social media practices and their location data. You need to get explicit parental permission, or this can get serious. Yes, obtaining actual proof of age can be a little tricky – but using online verification methods and showing good faith efforts will help keep you covered.
Doing business in Europe? European laws around European Union (EU) citizen privacy are far more strict than those in the U.S., and are about to become more so under the EU General Data Protection Regulation (GDPR) effective as of May 2018. And if you’re marketing to kids, the GDPR raises the applicable age to 16.
Mind your workspace. While malicious outsider cyberattacks are real and escalating, a large percentage of breaches are still caused by human error – accidental data exposure, lost devices, disgruntled workers misbehaving, papers lying around, unsecured computer screens, etc. Staying aware of what’s available to who can go a long way in keeping data secure.
So how do you get started? For new programs, integrate a process called Privacy by Design from the get-go. That means designing in the right way to handle data from the start of development. For programs already in place, conducting a process known as a Privacy Impact Assessment will help you understand what’s working well and where you might need improvement. Efforts like these can help make the most of the data and tools you have while enabling an informed choice about how much risk your business should take.
Kathy Stershic is a Senior Director of Content for W2 Communications. She has earned two certifications, Certified Information Privacy Manager (CIPM) and Certified Information Privacy Professional – US (CIPP-US), from the International Association of Privacy Professionals. She writes and speaks on privacy implications for marketing in the digital age.