How New Data Protection Laws Affect Your Non-Transactional Website

Good news! Regulatory agencies are taking privacy policies and data protection more seriously than ever.

Bad news! Regulatory agencies are taking privacy policies and data protection more seriously than ever.

The increased regulatory activity is certainly good news for all of us as consumers. For marketers, though, that silver lining can be overshadowed by the cloud of fear, uncertainty, and doubt — to say nothing of the potentially enormous fines — attached to these new regulations. Let’s take a look at what your responsibilities are (or are likely to become) as privacy regulations become more widely adopted.

Before we begin: I’m not a lawyer. You should absolutely consult one, as there are so many ways the various regulations may or may not apply to your firm. Many of the regulations are regional in nature — GDPR applies to the EU, CCPA to California residents, the SHIELD Act to New York State — but the “placelessness” of the Internet means those regulations may still apply to you if you do business with residents of those jurisdictions, even though you’re located elsewhere.

Beyond Credit Cards and Social Security Numbers

With the latest round of rules, regulators are taking a broader view of what constitutes personally identifiable information or “PII.” This is why regulations are now applicable for a non-transactional website.

We are clearly beyond the era when the only data that needed to be safeguarded was banking information and social security numbers. Now, even a site visitor’s IP address may be considered PII. In short, you are now responsible for data and privacy protection on your website, regardless of that website’s purpose.

Though a burden for site owners, it’s not hard to understand why this change is a good thing. With so much data living online now, the danger isn’t necessarily in exposing any particular data point, but in being able to piece so many of them together.

Fortunately, the underlying principles are nearly as simple as the regulations themselves are confusing.

SSL Certificates

Perhaps the most basic element of data protection is an SSL certificate (strictly speaking, today, a TLS certificate). Though it isn’t directly related to the new regulatory environment, it’s a foundational component of solid data handling: it encrypts traffic between the visitor’s browser and your server, so form submissions and other PII can’t be read in transit. You probably already have a certificate in place; if not, that should be your first order of business. They’re inexpensive — there are even free versions available — and they have the added benefit of improving search engine performance.

Get Consent

Second on your list of good data-handling practices is getting visitor consent before gathering information. Yes, opt-in policies are a pain. Yes, double opt-in policies are even more of a pain — and can drive down engagement rates. Both are necessary to adhere to some of the new regulations.

This includes not only information you gather actively — like email addresses for gated content — but also more passive information, like the use of cookies on your website.

Give Options

Perhaps the biggest shift we’re seeing is toward giving site visitors more options over how their PII is used: for example, the ability to turn off cookies when visiting a site.

You should also provide a way for consumers to see what information you have gathered and associated with their name, account, or email address.

Including the Option to Be Forgotten

Even after giving consent, consumers should have the right to change their minds. As marketers, that means giving them the ability to delete the information we’ve gathered.
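As an added example (not code from the original article), here is a small consent-gated cookie manager in JavaScript that puts the three practices above into code: optional cookies are refused until the visitor opts in to their category, consent can be withdrawn per category, and withdrawal deletes the cookies already set under it. The cookie store sits behind a tiny in-memory `jar` (constructed for the example) so the code runs in Node; in a browser you would supply an adapter over `document.cookie`. The function and category names (`createConsentManager`, `analytics`, `marketing`) are my own choices, not from the article.

```javascript
// Consent-gated cookie handling (added example, not from the original article).
// Strictly necessary cookies (e.g. the login session) need no consent; every
// other cookie must belong to a category the visitor has opted in to.
const ESSENTIAL = new Set(["session"]);
const CATEGORIES = ["analytics", "marketing"]; // optional, opt-in categories

// Minimal in-memory cookie jar, constructed for the example. A browser adapter
// would implement the same three methods over document.cookie.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    remove: (name) => store.delete(name),
    names: () => [...store.keys()],
  };
}

function createConsentManager(jar, initialConsent = {}) {
  // Default is "no consent" for every optional category (opt-in, not opt-out).
  const consent = { analytics: false, marketing: false, ...initialConsent };
  const registry = new Map(); // cookie name -> category it was set under

  // Returns true if the cookie was set, false if refused for lack of consent.
  function setCookie(name, value, category) {
    const essential = ESSENTIAL.has(name);
    if (!essential && !CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    registry.set(name, essential ? "essential" : category);
    if (essential || consent[category]) {
      jar.set(name, value);
      return true;
    }
    return false; // visitor has not opted in to this category
  }

  function grant(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    consent[category] = true;
  }

  // Withdrawing consent also removes what was collected under it ("be forgotten").
  function revoke(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    consent[category] = false;
    for (const [name, cat] of registry) {
      if (cat === category) {
        jar.remove(name);
        registry.delete(name);
      }
    }
  }

  function revokeAll() {
    for (const c of CATEGORIES) revoke(c);
  }

  return { setCookie, grant, revoke, revokeAll, getConsent: () => ({ ...consent }) };
}

// Walk through a visitor's session: essential cookie set, analytics cookie
// refused, then allowed after opt-in, then deleted when consent is withdrawn.
function demo() {
  const jar = memoryJar();
  const cm = createConsentManager(jar);
  cm.setCookie("session", "s3ss10n", "essential");            // always allowed
  const before = cm.setCookie("_ga", "GA1.1.example", "analytics"); // refused
  cm.grant("analytics");
  const after = cm.setCookie("_ga", "GA1.1.example", "analytics");  // now set
  cm.revoke("analytics");                                       // removed again
  return { before, after, cookies: jar.names(), consent: cm.getConsent() };
}

module.exports = { createConsentManager, memoryJar, demo };
```

The important design choice is that `revoke` does not merely stop future cookies: it deletes the ones already issued, which is what "the ability to delete the information we've gathered" means for the passive data collected on a website. Server-side records keyed to those cookie values need the same treatment through whatever deletion process you have for account data.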

Planning and Responsibilities for Data Breaches

Accidents happen, new vulnerabilities emerge, and you can’t control every aspect of your data handling as completely as you’d like. Being prepared for the possibility of a data breach is as important as doing everything you can to prevent one in the first place.

What happens when user information is exposed will depend on the data involved, your location, and what your privacy and data retention policies have promised, as well as which regulations you are subject to.

Be prepared with a plan of action for addressing all foreseeable data breaches. In most cases, you’ll need to alert those who have been or may have been affected. There may also be timeframes in which you must send alerts and possibly remediation in the form of credit or other monitoring.

A Small Investment Pays Off

As a final note, I’ll circle back to the “I’m not a lawyer” meme. A lawyer with expertise in this area is going to be an important part of your team. So, too, will a technology lead who is open to changing how he or she has thought about data privacy in the past. For those who haven’t dealt with transactional requirements in the past, this can be brand new territory which may require new tools and even new vendors.

All of this comes at a price, of course, but given the stakes — not just the fines, but the reputational losses, hits to employee morale, and lost productivity — it’s a small investment for doing right by your prospects and customers.

Are We Hypocrites on Privacy?

I have lately been reading the terms and conditions and privacy policies of the companies I subscribe to more carefully and more often. I am concerned about whom my data is shared with and under what conditions. While I hold my vendors to high standards, have I let our company’s standards slip?

With great confidence I can say, “No, I have not,” but can you?

My sister wears a Fitbit. She explained that it reminds her to walk 10,000 steps per day and lets her track her fitness progress on the company’s website. That sounds great, I thought—until I read their privacy policy, one with gaping black holes and ambiguous terms. I found it so objectionable that the benefits simply did not justify the means.

After shopping for nearly a year, I recently bought an HTC phone—the unlocked version, which lets me control which apps are installed and what they share. Though Google is by no means setting the standard for privacy, I feel Google is reluctant to share my information with others, so Google’s are the only third-party apps I allow—no Facebook, no Twitter, no games, no sharing of any kind.

So, here are two instances where a company’s privacy policy has changed not just my habits, but my buying decisions. This got me thinking about how many marketers’ privacy policies have been written to be intentionally ambiguous, somewhat misleading, or downright dishonest in order to encourage people to subscribe. As you set about collecting subscriber names, what are your answers to these hard questions?

  • Is your privacy policy complete and up to date?
  • Is your privacy policy clear and honest?
  • Do you use your subscriber names ONLY in the way you have described?
  • If your company marketing practices have changed, does your policy reflect these changes?
  • Are you collecting, or have you collected, information you did not disclose?
  • Do others have access to what you proclaimed as private?
  • Have you been hacked?
  • Has an employee taken your data with them when they left the company?

Some of these answers have the air of intent, while others present you as the victim. But in both cases, it’s time to update your policies, and this can present a wonderful, welcomed opportunity for dialog with your subscribers.

We’ve all received one of those seemingly nefarious letters, “We’ve Updated Our Privacy Policy,” so how about a new take on an old problem: “Good News! We’ve Updated Our Privacy Policy to Give You Even More Privacy!”

If you’ve spent the last few years collecting data about your subscribers and you’ve found you’re not using the vast majority of it—and let’s face it, the data shows we’re simply not—it’s time to delete it from your list. If you haven’t used it thus far, it’s out of date and useless to you going forward. Delete it and brag about it. Send a cheery note to your subscribers reminding them that while others are collecting more and more, you are collecting less and you’re intentionally deleting everything you have not found directly useful to how you interact with them today and not specifically covered in your privacy policy.

Send them to a link with the shortest, sweetest privacy policy they’ve read, for example:

Our Privacy Policy

  • We have on file only your first name, last name, and email address.
  • We ask for nothing else.
  • We send you only emails you request.
  • We have nothing to share with others, and wouldn’t if they asked.
  • We won’t change this policy without prior notice – ever.

Thank you for being our customer.

– Sincerely,
Your Grateful Vendor

No, I’ve never actually seen a policy like this, but if I did, I wouldn’t hesitate to purchase their wearables or buy their phone.

The Terms of Your Terms of Service

Most of us have a terms of service (TOS) document on our websites, even if they’re mostly contained within our privacy policies. We reference these documents in much of our correspondence, including our business and marketing emails. Your privacy policy or terms of service sets the expectations for what your customers will receive from you as a company.

Recently, Google upgraded its terms of service to explicitly inform its customers they have automated systems analyzing content in order to deliver relevant ads and provide customization and security. General Mills in a separate, yet oddly related move, has changed its terms of service to inform customers who “like” their products on Facebook that they have given up their right to take the company to court if there’s a problem with the product.

As mentioned in previous articles, Google is already camped out in courtrooms for these business practices, and I am confident that General Mills will find similar legal challenges over their new draconian policies, which potentially create an adversarial relationship with their customers.

In both of these scenarios, and for our company, when the need arises to change our policies, the new language probably does more to enlighten current customers, followers, and subscribers than to give future customers sufficient warning—after all, when was the last time you read the terms of service of a new company you’ve chosen to follow or create an account with? Most of us are good about sending notices when we change a policy, and our subscribers are much more likely to read that notice than the original TOS.

The Trust Factor

As marketers and builders of brands, we know honesty is paramount. Building credibility and trust sells, whether it’s a product or a service. It’s why many of us choose to include a link to our privacy policies in our emails. We want our subscribers and customers to know we value their information and will do our best to protect it. When our privacy policy changes in a way not congruent with the original version the client may—or may not—have read, we run the risk of damaging the credibility we’ve worked so hard to build.

Companies such as Google and General Mills have the means to defend their companies against customers who object to the TOS changes, but for those of us who represent small- to medium-size businesses, lawsuits challenging a policy change could easily bankrupt even the most successful. What’s more, negative policy changes put us at odds with the very persons with whom we are trying to build a trusting relationship; and that is likely to land us, like Google and General Mills, on the social-media hot seat.

While truthfulness in our policies is necessary, it’s also important to give consideration to the delivery. Of course there is a need to have a TOS that protects us when a beautiful relationship turns to discord, but a candy coating can make it that much easier for our customers to swallow. For a great take on how to deliver your TOS or make changes or updates to it, Daily Conversions did a great piece on this topic a couple of years ago.

Our marketing emails are difficult to deliver and getting more so. We need to consider each component of the email to ensure deliverability improves over time, and a friendly, yet firm, privacy policy most certainly will have a positive effect.

Treat your recipients with respect—and humor when you can—and you will continue to create a nurturing, healthy, trustful relationship.

UPDATE: After I completed this article, General Mills announced (due to the severe roasting they took in social-media platforms), they will reverse their new policy. You can now safely like General Mills and reserve your right to sue them—not as though there was a whisper of a chance they could have defended their position in court, IMO.

Authentication Alliance Marks Data Privacy Day With Consumer Trust Best Practices

To mark World Data Privacy Day, Jan. 28, the Authentication and Online Trust Alliance published its top 10 list of privacy principles and business practices. These practices, many of which have been widely adopted by AOTA members, are calls to action for companies to help maximize consumer confidence and ultimately spur economic growth.

To me, it’s pretty simple: adopt these principles or suffer the consequences of a consumer trust meltdown. And that could invite regulation, according to AOTA Founder/Chairman Craig Spiezle. Here’s what the group recommends you do, edited a bit:

1. Ensure all privacy policies are discoverable, transparent and written to ensure consumer comprehension, accessible from every page of a Web site and/or e-mail.

2. Periodically contact users and provide them with your company privacy policy upon any changes for their review; allow for consumer choice over their data usage.

3. Establish and publish procedures for data collection, transfer and retention; perform third-party or self-audits for compliance.

4. Support collaborative, global, public-private efforts to increase consumer awareness and education, as well as the adoption of fair information practices and privacy/security regimes (e.g., the appointment of a national chief privacy officer).

5. Support self-regulatory efforts to adopt standard data retention/use policies.

6. Set and publish standards of privacy, security and data retention policies with clear accountability between first-party sites and third-party content providers and advertisers.

7. Create response plans for accidental disclosure of personal information and data breaches, including notification to consumers and governmental agencies. Provide relevant remedies to consumers (e.g., no-charge credit record monitoring services to those affected, or other remedies as appropriate).

8. Commit to authenticating all outbound e-mail with DomainKeys Identified Mail (DKIM) and/or Sender ID Framework within six months, to combat forged e-mail and potential privacy exploits.

9. Transactional sites should adopt Extended Validation Secure Sockets Layer Certificates within six months or upon existing certificate expiration.

10. All consumer-facing sites should obtain privacy certification and seals from third-party providers or other third-party consumer dispute resolution mechanisms.

More details can be found here.

Are you following these best practices? If not, why? Let’s start a dialogue on the subject. Post a comment now.