How New Data Protection Laws Affect Your Non-Transactional Website

Good news! Regulatory agencies are taking privacy policies and data protection more seriously than ever.

Bad news! Regulatory agencies are taking privacy policies and data protection more seriously than ever.

The increased regulatory activity is certainly good news for all of us as consumers. As marketers, that silver lining can be overshadowed by the cloud of fear, uncertainty, and doubt — to say nothing of the potentially enormous fines — attached to these new regulations. Let’s take a look at what your responsibilities are (or are likely to become) as privacy regulations become more widely adopted.

Before we begin: I’m not a lawyer. You should absolutely consult one, as there are so many ways the various regulations may or may not apply to your firm. Many of the regulations are regional in nature — GDPR applies to the EU, CCPA to California residents, the SHIELD Act to New York State — but the “placelessness” of the Internet means those regulations may still apply to you, if you do business with residents of those jurisdictions (even though you’re located elsewhere).

Beyond Credit Cards and Social Security Numbers

With the latest round of rules, regulators are taking a broader view of what constitutes personally identifiable information, or “PII.” This is why the regulations now apply even to a non-transactional website.

We are clearly beyond the era when the only data that needed to be safeguarded was banking information and social security numbers. Now, even a site visitor’s IP address may be considered PII. In short, you are now responsible for data and privacy protection on your website, regardless of that website’s purpose.

Though a burden for site owners, it’s not hard to understand why this change is a good thing. With so much data living online now, the danger isn’t necessarily in exposing any particular data point, but in being able to piece so many of them together.

Fortunately, the underlying principles are nearly as simple as the regulations themselves are confusing.

SSL Certificates

Perhaps the most basic element of data protection is an SSL certificate, which lets your site serve all of its pages over HTTPS. Though it isn’t directly related to the new regulatory environment, it’s a basic foundational component of solid data handling. You probably already have an SSL certificate in place; if not, that should be your first order of business. They’re inexpensive — there are even free versions available — and they have the added benefit of improving search engine performance.

Get Consent

Second on your list of good data-handling practices is getting visitor consent before gathering information. Yes, opt-in policies are a pain. Yes, double opt-in policies are even more of a pain — and can drive down engagement rates. Both are necessary to adhere to some of the new regulations.

This includes not only information you gather actively — like email addresses for gated content — but also more passive information, like the use of cookies on your website.

Give Options

Perhaps the biggest shift we’re seeing is toward giving site visitors more options over how their PII is being used — for example, the ability to turn cookies off when visiting a site.

You should also provide a way for consumers to see what information you have gathered and associated with their name, account, or email address.

Including the Option to Be Forgotten

Even after giving consent, consumers should have the right to change their minds. As marketers, that means giving them the ability to delete the information we’ve gathered.

Planning and Responsibilities for Data Breaches

Accidents happen, new vulnerabilities emerge, and you can’t control every aspect of your data handling as completely as you’d like. Being prepared for the possibility of a data breach is as important as doing everything you can to prevent them in the first place.

What happens when user information is exposed will depend on the data involved, your location, and what your privacy and data retention policies have promised, as well as which regulations you are subject to.

Be prepared with a plan of action for addressing all foreseeable data breaches. In most cases, you’ll need to alert those who have been or may have been affected. There may also be timeframes in which you must send alerts and possibly remediation in the form of credit or other monitoring.

A Small Investment Pays Off

As a final note, I’ll circle back to the “I’m not a lawyer” meme. A lawyer with expertise in this area is going to be an important part of your team. So, too, will a technology lead who is open to changing how he or she has thought about data privacy in the past. For those who haven’t dealt with transactional requirements in the past, this can be brand new territory which may require new tools and even new vendors.

All of this comes at a price, of course, but given the stakes — not just the fines, but the reputational losses, hits to employee morale, and lost productivity — it’s a small investment for doing right by your prospects and customers.

White House ‘Big Data’ Review Recognizes Innovation and Self-Regulation

When the White House announced its intent to study the rise of “Big Data” and its impact on business, commerce, government and consumers’ everyday lives, with privacy protection as an underlying theme, I have to admit I was bracing myself.

As a citizen, I guessed there might be a lot to say about government surveillance, public safety and terrorism, in light of Snowden. As a consumer, I suspected there might be a lot of attention to data breaches, in light of the recent Target incident among others.

As a working individual whose livelihood depends on data access and use for more relevant marketing, I was nervous there might not be a practical discussion of how information sharing and privacy protection can be (and are) successfully provided through a combination of peer regulation, enterprising technology and sector-specific legal regulation, where information protection and security is niche-based and designed to prevent harm from data error or misuse (credit, financial and health, for example).

Then the report, titled “Big Data: Seizing Opportunities, Preserving Values” (pdf), was released.

As a citizen, I was left wanting. Government surveillance of law-abiding U.S. citizens is parked for another report, another day. Some reforms have already been announced. Perhaps this is a blessing—there never should have been a link made between government spying and private sector use of data for commercial purposes anyway.

As a consumer, I was glad to see a call for a single national data breach notification standard. A few years back, I received several notices of “my” data being breached in a few months’ span—two of which offered a year’s worth of identity theft and fraud protection (which I continued to purchase on my own). Whether by luck or design, those notices have declined in number—I’ve had none in the past year. As I hear and read about more recent major data breaches, I haven’t been directly affected (to my knowledge), and maybe—just maybe—some organizations and brands in which I’m involved have gotten better about security. (Indirectly, we all pay for fraud—in higher prices for products and services, insurance, bank fees and the like—and perhaps in our collective loss of trust and of feeling carefree.)

As a marketer, I have to say I was happily surprised at the clear-headed conveyance of facts and reporting of opinion in this report—and, importantly, the steering clear of political grandstanding. I will leave it to our trade associations to comment on the policy recommendations, but as one of our industry’s leading practitioners stated in Adweek, “If any one of my clients wants a 101 on big data, I’m going to send them this report. This report is very relevant because a lot of what drives this business is programmatic media buying. There are millions of places to advertise on the Web, so an algorithm will decide what your likely audience will be.”

The report either cited or recognized such industry initiatives as the Data-Driven Marketing Institute’s “Value of Data Sharing” report, the Digital Advertising Alliance (disclosure, a client) and its own recent research on data sharing’s role in increasing advertising’s value, as well as DAA’s YourAdChoices.com site and consumer opt-out program for online interest-based advertising. There was care to note—even in the report’s title—that innovation is one of the benefits made possible by big data, and that this economic and social value needs to be enabled, if not fully supported and facilitated.

The report did raise red flags about commercial redlining, eligibility issues connected to employment, healthcare, finance and insurance, and data security (as noted)—but these important areas for consumer protection largely are already regulated, and even have industry backing for further regulation in certain areas such as breach notification. Most of these topics don’t have much to do with smarter marketing, even if some privacy advocates and academics hypothesize about that stretch.

Where do we go from here? The report did make several policy recommendations—and while there were some seeking to codify in law Fair Information Practices Principles (a Consumer Privacy Bill of Rights), there was no attempt to call for an omnibus privacy protection law that treats all data and all data usage the same. If you haven’t had the chance, give it a read—I actually learned from it, and avoided tears and rage.