With GDPR approaching, and in the wake of recent data breaches and alleged data misuse involving Cambridge Analytica, Equifax, My Fitness Pal, and others, there has never been a better time for organizations to take a close look and ask hard questions about how they collect, manage, and act on audience data.
Working with organizations around the world who comply with laws such as GDPR, CASL (Canada’s Anti-Spam Legislation) and others, in addition to our own work in protecting customer data according to worldwide regulations and best practices, we’ve assembled these tips for organizations working through these questions to protect their customers—as well as their reputations.
Get proper consent from your audience
Consent or clear opt-in is a major requirement of the General Data Protection Regulation (GDPR), which will apply beginning May 25th, 2018 to companies marketing and selling goods or services to EU residents. That applies not only to telling those residents what data is collected and how it will be used, but also to how that data is collected and stored. And while US laws are not as stringent (for example, GDPR will not allow pre-checked boxes to opt into email newsletters, while the US doesn’t require opt-in at all), many companies outside the EU already proactively add opt-in language for their newsletters and other communications. Umbel, for example, works with its clients to have the correct language for their locality.
In response to Cambridge Analytica allegedly harvesting data on millions of users without their consent, Facebook is getting proactive in and out of the EU, requiring advertisers to certify that they have obtained consent from the people in the Custom Audiences they upload for advertising on the platform.
Don’t rely exclusively on third-party data
Another major change for Facebook is that, coinciding with GDPR, they have announced that they will no longer allow organizations to use data from third-party data aggregators such as Experian on their platform, which includes data around demographics like household income and race, as well as “in-market shoppers.”
We’ve been talking about the benefits of first-party data for some time. Those include ownership of the data instead of reliance on other sources, trust in the data since it’s straight from the source, and increased return on ad spend because you’re targeting on things that truly matter (e.g., directly observable purchase history, stated interests). Since GDPR requires consent for collecting and storing data, this means third-party data will no longer even be an option for EU marketers and advertisers, as demonstrated by Facebook’s recent move.
We encourage organizations we work with to focus on creating content that is engaging and compelling enough for users to share their contact information, and then asking those users relevant questions to use for segmentation (e.g., a season ticket promotion for people who say they’re interested in season tickets).
Limit access to your customers’ data
When your customers give you consent, that consent doesn’t necessarily extend to other parties. This was another major issue with Cambridge Analytica: the initial data collection was allegedly compliant with Facebook’s rules at the time, which allowed app developers to collect data of friends, but the data was positioned as research and then sold to Cambridge Analytica to be used for their clients. The long and short of it: don’t sell your data.
Be clear with what you’re collecting and how you’ll use it
Organizations should also consider what level of data collection makes sense for the level of engagement. For example, a simple email address can make sense for signing up for a monthly newsletter, while access to an exclusive piece of content could have several additional fields, as well as a question about content preferences to better reach those users in your next interaction.
Evaluate yourself—and your vendors
Finally, inform yourself on the issues, but then take action: make sure your organization goes through a rigorous internal evaluation, and then explore validation through third parties.
And don’t forget about when your customer data leaves your four walls. Is it safe when it reaches your CRM, your marketing automation, and all of your advertising partners? For organizations that must comply with GDPR, for example, anyone processing their data needs to comply as well. As part of our preparation for GDPR, we went through not only our own practices, but our integrations as well.
While it’s a legal issue to make sure you’re following any applicable regulations, the process of going through audits, certifications and best practices can help in another way. It can begin a conversation around the type of data you’re currently collecting, and whether you’re collecting the right data or using it to adequately improve your audience’s experience of interacting with you. Improving that interaction improves your relationships with your customers, bringing loyalty, trust, and even additional revenue.
Visit Umbel’s Trust Center to learn about our certifications and privacy practices, and watch an on-demand webinar on how organizations can prepare for GDPR for more best practices. Later this month, we’ll hold a deep-dive webinar on ethical data collection. Let us know what topics you’d like covered or questions answered!