The world watches as Apple, Facebook, and Google hash out their approaches to protecting consumer privacy while protecting their revenue streams, at the same time grappling with the restrictions of the GDPR, CCPA, and other data protection regulations.
But businesses - especially marketers, SEO experts, and influencers - can’t afford to simply watch and wait to see what happens. At stake are the data caches so many have come to rely on for the many ways such data can be used and sold. Indeed it is the very way many companies do business.
The Era of Data Privacy
The General Data Protection Regulations (GDPR) were enacted in the United Kingdom in 2018; and the California Consumer Privacy Act (CCPA) in 2020, both with rules that radically transform the collection, retention, and use of personal data.
Regardless of where a business is based, these, and other similar new laws, should be defining the way businesses collect and use data now, rather than waiting to see how it all shakes out.
Because increased data privacy is the direction we seem headed, operating from a stance of protecting consumer data can be an opportunity to set promotions and businesses apart. Also, if your business offers goods and/or services to people who are covered by these laws, then you are, too. Companies that don’t comply with GDPR, for example, can be fined up to 4% of their annual global revenue or 20 million euros, whichever is greater.
Embrace, Rather Than Avoid
The key is to demonstrate that a business can treat with respect and care the collection and processing of personal data while ensuring that the rights of consumers are not compromised in the process.
Based in the U.K., Reincubate is one business that had no trouble adhering to the guidelines of the GDPR. The creator of Camo, which helps people look better while streaming and videoconferencing, Reincubate helps consumers and businesses get more from their devices and data. It’s exactly the kind of business you would expect to be collecting and using as much data in as many ways as possible. (That’s what so many companies in this space have been doing in the sort of “Wild West” free-for-all of the internet for years, right?)
However, the founder of the company, Aidan Fitzpatrick, is a stickler and long-time advocate for responsible data-use policy. Accordingly, his company has maintained a strict no-tracking policy as a point of principle and business practice since its founding in 2008, using a low monthly subscription rate to produce revenue rather than selling user data or loading its apps with advertising targeted to users based on their data.
“It’s always been one of the most important values that we treat user data responsibly,” says Fitzpatrick. “Our business was built on ethical and transparent use of data, which allows us to occupy a trusted position within the app data ecosystem.”
Keys to Data Privacy
Since the GDPR is the most stringent of the data-use laws, any business that collects consumer and user data should be familiar with the basics of it:
Under the GDPR, any information related to a person is considered personal data. That’s not just the obvious stuff like name, address, and social security number. Personal data can include anything that could be linked to a particular individual.
“So, even what we think of as metadata can be considered as sensitive or as significant as a credit card number,” notes Fitzpatrick. “There are some frighteningly sophisticated statistical analyses that you can do now by putting together enough data to actually connect it to an individual.”
This doesn’t mean that you can’t use personal data. It’s all about how you use and store it, and letting consumers know how you use it. Basically, the way you use and store data must be necessary to perform the service for which that data was gathered. For example, if someone has signed up for a product or service and certain data is needed to deliver that product or service, you can capture and store that data.
Here are some quick data privacy rules to live by:
Consent: You have to get a user’s consent to gather their data, and to complete specific actions. Consent for some actions does not imply consent for other actions. For example, you can’t send a user your newsletter simply because you gathered their email address to confirm the shipment of a product. You must also get consent to send a newsletter. Providing an opt-out doesn’t cut it under the GDPR but is acceptable under CCPA.
Ownership: User data is just that—it belongs to the user. So users have to be able to delete not just their account, but all of their data. They should be able to ask that their data not be processed and to transfer their data when they want to. Under GDPR, you cannot sell user data without their consent. CCPA simply requires businesses to notify customers that their data may be sold or transferred to a third party and that they are given an opportunity to stop the sale or transfer.
Notification: If you suffer a data breach, you have to notify the relevant national Data Protection authority within 72 hours of having become aware of the breach, and also consider whether you need to inform any affected end-users.
It can be tempting to try to work around these rules and keep doing business as usual, but finding ways to work within the rules is a better approach to avoiding future headaches while gaining consumer trust.