Best Practices for Ethical Data Collection and Use

In the wake of the upcoming GDPR, as well as recent data breaches and alleged data misuse involving Cambridge Analytica, Equifax, MyFitnessPal, and others, there has never been a better time for organizations to take a close look at, and ask hard questions about, how they collect, manage, and act on audience data.

Working with organizations around the world who comply with laws such as GDPR, CASL (Canada’s Anti-Spam Legislation) and others, in addition to our own work in protecting customer data according to worldwide regulations and best practices, we’ve assembled these tips for organizations working through these questions to protect their customers—as well as their reputations.

Get proper consent from your audience

[Image: example of granular consent from an EU-based organization]

Consent, or a clear opt-in, is a major requirement of the General Data Protection Regulation (GDPR), which will apply beginning May 25th, 2018 to companies marketing and selling goods or services to EU residents. That applies not only to telling those residents what data is collected and how it will be used, but also to how that data is collected and stored. US laws are not as stringent (for example, GDPR will not allow pre-checked boxes to opt into email newsletters, while the US doesn’t require opt-in at all), yet many companies outside the EU already proactively add opt-in language to their newsletters and other communications. Umbel, for example, works with its clients to have the correct language for their locality.

In response to Cambridge Analytica allegedly harvesting data around millions of users without their consent, Facebook is getting proactive in and out of the EU, requiring certification that advertisers have obtained consent from uploaded Custom Audiences for advertising on the platform.

Marketers and advertisers therefore need not only to look at applicable regulations with regard to privacy policy language, data storage, opt-in (and opt-out) language, and remarketing. They also need to keep an eye on how the landscape evolves and what users expect, so that organizations can maintain their reputations, as well as positive engagement and conversion.

Don’t rely exclusively on third-party data

Another major change for Facebook is that, coinciding with GDPR, they have announced that they will no longer allow organizations to use data from third-party data aggregators such as Experian on their platform, which includes data around demographics like household income and race, as well as “in-market shoppers.”

We’ve been talking about the benefits of first-party data for some time. Those include ownership of the data instead of relying on other sources, trust in the data because it comes straight from the source, and increased return on ad spend because you’re targeting on things that truly matter (e.g., directly observable purchase history, stated interests). Since GDPR requires consent for collecting and storing data, third-party data will no longer even be an option for EU marketers and advertisers, as Facebook’s recent move demonstrates.

We encourage the organizations we work with to focus on creating content engaging enough that users are willing to share contact information with them, and then on asking those users relevant questions that can be used for relevant segmentation (e.g., a season ticket promotion for people who say they’re interested in season tickets).

Limit access to your customers’ data

When your customers give you consent, that consent doesn’t necessarily extend to other parties. This was another major issue with Cambridge Analytica: the initial data collection was allegedly compliant with Facebook’s rules at the time (which allowed app developers to collect data about users’ friends) and was positioned as research, but the data was then sold to Cambridge Analytica to be used for its clients. The long and short of it: don’t sell your data.

Organizations also need to be careful about the access they offer partners (e.g., sponsors, companies under a parent company) to that data. While in the US consent to share data with partners can often be placed in the privacy policy, GDPR requires consent not only for each form of communication at the time data is collected, but also for every party that communication would come from (e.g., one checkbox for “I agree to receive communications from X Company” and another for “I agree to receive communications from Y Company”).

Be clear with what you’re collecting and how you’ll use it

Where this is positioned again depends on who you’re marketing to. In the EU, you may need to have a message regarding your collection of cookies and how those cookies are used when someone hits your website. In the US, it would be acceptable to place that notice in your privacy policy. But in either case, it should be accessible.

For example, when our clients use Umbel’s engagement solutions, those either contain checkboxes to opt in to a particular form of communication or are linked to a privacy policy, which informs users how that data is used. When users access content or contests through social login, that screen contains not only what data our client receives, but also allows the user to uncheck fields on what data they don’t wish to give the organization access to.

[Screenshot from Facebook Login: example of Facebook app permission options presented to the user]

Organizations should also consider what level of data collection makes sense for the level of engagement. For example, a simple email address can make sense for signing up for a monthly newsletter, while access to an exclusive piece of content could justify several additional fields, as well as a question about content preferences to better reach those users in your next interaction.

Evaluate yourself—and your vendors

Finally, inform yourself on the issues but then take action; make sure your organization goes through a rigorous internal evaluation, and then explore validation through third-parties.

And don’t forget about when your customer data leaves your four walls. Is it safe when it reaches your CRM, your marketing automation, and all of your advertising partners? For organizations that must comply with GDPR, for example, anyone processing their data needs to comply as well. As part of our preparation for GDPR, we reviewed not only our own practices but our integrations as well.

While it’s a legal issue to make sure you’re following any applicable regulations, the process of going through audits, certifications and best practices can help in another way. It can begin a conversation around the type of data you’re currently collecting, and whether you’re collecting the right data or using it to adequately improve your audience’s experience of interacting with you. Improving that interaction improves your relationships with your customers, bringing loyalty, trust, and even additional revenue.

Visit Umbel’s Trust Center to learn about our certifications and privacy practices and watch an on-demand webinar on how organizations can prepare for GDPR for more best practices. Later this month, we’ll hold a deep dive webinar into ethical data collection—
