Except for those times when a sauna is involved, staying out of hot water is generally considered to be a good idea. For corporate marketers, the rising tides of consumer data collection have dialed up the temperature of the surrounding salty waves, making it easier for companies to be pulled into the undertow.
Though nearly half of consumers in a recent survey expressed a willingness to share their personal information in exchange for deals, discounts, and better service, they do so with a tacit understanding that the company will be good stewards of that data.
Indeed, personal data collection represents a tightrope that most marketers are willing to walk – though savvy marketers use such insights to create sophisticated marketing campaigns, they realize the existence of a downside, in terms of broad consumer acceptability of these tactics, and, often, a changing regulatory landscape with regard to the use of this data.
With this dichotomy in mind, I checked in with Alan Friel, an advertising and privacy lawyer at Baker & Hostetler, LLP and an adjunct professor at UCLA and Loyola, to find out the latest on regulations and other legal concerns that may impact marketing initiatives using customer information. Of particular interest to Friel: How U.S. companies will comply with the European Union’s (EU) new data protection legislation; how prepared companies are in the event of a data breach; and TCPA compliance, in the age of robocalls and texting.
Let’s take a look at these present-day concerns in more detail:
If your company holds personal information on an EU citizen, or you send your company's U.S. data to the EU for processing (Ireland, it so happens, has become a popular choice for data cleansing or appending), the EU's General Data Protection Regulation (GDPR) may have real consequences for your company -- including heavy fines.
The GDPR, which will apply as of May 25, represents the most dramatic change in European individual data protection law in more than 20 years. Violations may result in a considerable financial sting to the corporate wallet -- up to the greater of $40 million or 4 percent of global annual turnover. This is the maximum fine that can be imposed for the most serious infringements, which include not having sufficient customer consent to process data, or violating the core of Privacy by Design concepts.
What constitutes personal data, by the EU's definition? Any information relating to a natural person, or "data subject," that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information, to a computer's IP address. This is in stark contrast to U.S. law, where unique identifiers such as an IP address, device ID, or ad ID are generally not thought of as personal information.
Although bringing your company into compliance with the GDPR may represent an investment of both time and resources, it can also create an opportunity for the marketing department to upgrade outdated processes while proactively tackling impending privacy and data security concerns. A threshold issue is to determine whether the GDPR even applies to you. For instance, do you "address" EU data subjects even though you do not significantly target them for business? Or do you use EU vendors to process U.S. data?
Together, corporate marketing and legal departments should assess compliance with privacy and data security policies and procedures, data transfer mechanisms, and service provider agreements, to ensure you’re meeting the letter and spirit of the GDPR, if it applies.
Unfortunately, data breaches and other cyber-crimes are becoming far too common. Did you know that 55 percent of small businesses have experienced a data breach, and that 53 percent have had multiple breaches, according to a recent report? In 2017, Yahoo disclosed that 3 billion accounts were breached, and the credit monitoring agency Equifax suffered a breach that affected 145 million people. Names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers were exposed. Not only do breaches carry hard costs in terms of fines, legal fees, and data remediation; they can also have an immeasurable impact on the value of a brand's integrity.
What should marketers do? First off, investigate cyber insurance. It is affordable (particularly when compared with the post-breach costs outlined above) and can help with legal fees and expenses, notifying customers about a data breach, restoring personal identities of affected customers, recovering compromised data, and repairing damaged computer systems.
Second, work with your IT department to regularly assess and test your current security systems and protocols. Finally, proactively prepare for, and practice, what you would do in the event of a breach. Even having breach notifications drafted in advance can save you valuable time in a crisis. (Think about the time lag between the recent Hawaii missile defense warning text and the "oops, we got it wrong" text. They were not prepared.)
The Telephone Consumer Protection Act (TCPA) was passed by Congress in 1991 as an amendment to the Communications Act of 1934. Congress created the TCPA to protect consumers from unsolicited telemarketing calls. Under the TCPA, telemarketers are restricted from calling consumers between the hours of 9 p.m. and 8 a.m. The legislation also limits the use of artificial or prerecorded voice messages, SMS text messages, fax machines and automatic dialing systems.
How serious are enforcement efforts? Just search for "TCPA class actions" or "TCPA settlements," and you'll find multi-million dollar penalties paid by well-known brands in the credit card, banking, mortgage and retail industries -- as well as promotions by law firms eager to let you know that each violation can earn claimants a nice payday. Some eye-popping settlements have included payments by Caribbean Cruise Line, Inc. ($76 million), Dish Network ($61 million), Uber ($20 million) and even AT&T Mobility, a telephone company ($45 million).
If you think you are safe because you fly under the radar as an SMB or mid-sized business, think again. A gym in New Jersey that left a single unsolicited voice mail, and then tried to resolve the issue by paying the $1,500 settlement, still found itself the subject of a class-action suit.
While most people are aware of the rules regarding telemarketing, the TCPA also applies to texts. Do you have your customers' express consent to send an appointment reminder text? A flight delay notification? And if you use text for marketing, prior express written consent, which includes various "magic" words and acknowledgements, is required. In either case, you must provide opt-outs by any reasonable means, and ensure you scrub out reassigned numbers regularly (the carriers provide lists). And don't assume your vendor is handling the compliance details for you. Indeed, the trend for text vendors is to act as a platform or tool and put all compliance responsibility on you, and even to make you indemnify them for errors and omissions.
I hate doom-and-gloom, but with vast amounts of customer information comes vast amounts of responsibility (a nod to Spiderman). As data practices change and technology evolves, update and review your customer notifications – and, most importantly, make sure you are mindful of legal and regulatory requirements along the way. Otherwise, you could find yourself up the creek without a paddle.