Don’t alienate your international customers, and don’t stick your head in the sand. Just make sure your marketing technology partners have robust data security and aren’t collecting data without explicit permission.
Q: Will increased data privacy requirements interfere with your ability to personalize marketing and create messaging that’s fully relevant for your customers?
A: Not if you do it right.
So that’s reassuring.
Learning from some very public mistakes
We’ve watched The Great Hack and read all about the unethical ways Cambridge Analytica used Facebook user data to influence marginal voters. It’s given us a deeper understanding of the way data is used to target our content online and may have even changed the way we think about life on the internet.
Cambridge Analytica was clearly in the wrong, but the line between relevant personalization and creepy data manipulation is still being defined. Nobody wants to be the next to hit the headlines, so protection and privacy are a top priority for every company dealing with personal information.
To prevent any further catastrophic attempts at data weaponization, increasingly strict regulations around the collection and use of personal data are rolling out globally.
These have particular relevance to the marketing community. Just when we’ve all got on board with the idea of personalized – or individualized – messaging being the way of the future, suddenly we have more hoops to jump through to make it happen. And since consumers still expect personalization, just... not doing it isn’t really an option.
GDPR, while not the only regulation in play, has probably had the most press of the recent regulatory advances. It concerns personal data from the EU region, but unless you’re 100% sure nobody from that region ever interacts with your marketing, these rules also apply to companies outside of the EU. Simply blocking international visitors won’t make your data privacy responsibilities go away either: the California Consumer Privacy Act comes into effect in 2020, and other US states are preparing to follow suit. The whole world is now switched on to data privacy.
So how do you do it right?
Get explicit consent to collect and use data
You can’t assume people are OK with you collecting their data simply because they visit your website, download your app or follow you on social media. You need to get explicit consent – which means opt-out isn’t good enough either. Tell people up-front what data you’ll collect and what it’ll be used for: if people aren’t on board with that then you won’t get consent and you can’t proceed.
Only collect the data you need
If you’re tracking web activity, you’ll need to know which pages people visit, whether they’re using mobile or desktop and possibly where they’re from. You don’t need their hair color or dress size (unless you’re a dress store!). If you’re collecting data you don’t need on the off-chance it might come in handy, then you’re not compliant.
Only keep data for as long as you need it
If you need data for a specific marketing campaign, then you should be deleting it once that campaign has ended; data shouldn’t be stockpiled indefinitely. There’s no specified data retention period, but you need to be consistent. If you tell people you’re deleting data after a year, then you need a process for deleting that data.
Respect people’s right to their data – and to be forgotten
Under GDPR, companies need to give people access to their data if requested: people have the right to know what information is being collected about them, and how it’s being used. People also have the right to be forgotten. So, if someone asks you to delete their data – to stop using it – you need to do that.
Maintain records and notify people of breaches
Companies need to have someone managing the data and overseeing the systems that monitor usage and access so that it is protected from breaches. If there is a data breach – whatever form that takes – companies have 72 hours to notify authorities and any affected parties.
It’s not a problem, it’s an opportunity
These new data privacy laws actually represent a fantastic opportunity for marketers.
Companies currently using massive scraped email lists may beg to differ, but this is a good way to build a marketing relationship based on trust. Instead of suspecting their details will eventually be sold to a third party a la Cambridge Analytica, consumers will know exactly how sharing their data will be used to benefit them.
If you’re planning on doing something underhanded with the data, you obviously won’t get permission to use it.
However, if you’re planning to create personalized and engaging customer experiences and are willing to be open and honest about how you’re going to use data to do it, then people will see value in sharing that data. You’ll find it much easier to build trust, goodwill, loyalty and word of mouth.
And if you’re planning to just ignore the new wave of regulations, you’ll find it’s not worth the risk. GDPR violations can result in a fine of up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year. In 2018 British Airways was fined $183m for its 2018 data breach, the highest penalty to date.
So, don’t alienate your international customers, and don’t stick your head in the sand. Just make sure your marketing technology partners have robust data security and aren’t collecting data without explicit permission.