By Jonathan Crossfield published November 13, 2018

Data Privacy Law: Ignorance Is No Excuse

From the Cambridge Analytica and Facebook scandal to the arrival of the EU’s General Data Protection Regulation (GDPR), 2018 has pushed data privacy into the headlines. Ruth Carter – internet, intellectual property, and business attorney – talks to CMI’s Chief Content Officer magazine about how marketers should adapt to a world far less forgiving and far more skeptical of the ways we capture and use data.

CCO: Should marketers assume that capturing and managing customer or audience data is just going to get tougher? Is it time to stop looking for loopholes?

Ruth: Instead of things getting tougher, they’re going to get different. If you’re in a business that sells data, good luck. I don’t know if that is a sustainable business strategy at this point because of the way things are changing. We’re seeing things like with Cambridge Analytica and people being upset that their data is being given away and sold. With all the requirements now about having to get consent, I just don’t see selling data as an effective business. So, if that is how you’re making your money, I hope you have a backup plan.

I don’t see selling data as an effective business, says @rbcarter. Click To Tweet

This is not a static situation. Laws are going to be changing. GDPR just came out so we’re still looking at how this law works in reality versus just trying to apply it to your company based on the law as written. So, there are always lessons to be learned. I don’t think this is the end of new laws coming out.

CCO: Was it always unfair for marketers and certain business models to assume that people were cool with their data being captured, used, and possibly even shared in these ways? Who reads all those terms and conditions anyway?

Ruth: I think things changed so quickly in terms of becoming such an internet-based society that people didn’t think about what might be in those terms of service. They just clicked the box saying, “Yes, I agree.”

Just looking at things from an intellectual property perspective, I see people still using images that don’t belong to them and when I send them a cease-and-desist letter the most common reaction is, “I didn’t know.” That tells me we moved really fast, in terms of the technology developing and people taking advantage of the opportunities that came with that, without everyone necessarily reading the fine print or realizing that there was even fine print to be read.

There’s a difference between companies making that information available versus people availing themselves of that information and making educated decisions about when, where, and how they share their data with others.

Companies should be forthcoming about what they’re doing and not hiding the ball.

CCO: New rules and legislation around data privacy are, of course, aimed at curbing less-than-ethical or less secure business and marketing practices that might put personal data at risk. However, do such changes mean that even the best intentioned could be unwittingly caught out?

Ruth: I feel bad for some companies that have been doing everything above board, completely respecting their audience, as they’ve had to change. They’ve had to go through the process of updating their privacy policies.

One company sent me its “we’ve updated our privacy policy” email. They claim they’re complying with GDPR – and they get credit for trying – but they’re not lawyers. They haven’t read the law cover to cover like I have. I took one look at the email and I went, “Good effort, but you actually aren’t compliant.”

I emailed them and gave them some suggestions and some resources that I created. I just felt bad for them because they had this really simple privacy policy that made perfect sense for what they were doing and now it has to be much more complicated because the law changed – because some companies, for lack of a better term, shit the bed. So, now everybody has to adjust.

CCO: Is it advisable for marketers to take responsibility for data compliance themselves?

Ruth: I think it is. I think they can handle it themselves – with education. Yes, the rules have changed, and it’s much more complicated, but if you break it down into the requirements, it’s pretty doable, actually. But you have to go through the process of educating yourselves: “OK, this is what the rule is. What does this mean for our company?”

CCO: With the implementation of the recent European GDPR legislation, will concepts such as implied consent or inferred consent – concepts that many marketers have relied on for years to capture data and build lists – become less viable?

Ruth: I would agree with that. I’m definitely somebody who, if I exchange business cards with you or come to your booth at an expo and put my card in the bucket to win an iPad, doesn’t want to be on your newsletter list 30 seconds later. I didn’t consent to that and I think any company that does that is saying, “I don’t respect you.” Or, “We don’t know what we’re doing and we’re just going to throw everybody on our list and hope that it turns into sales.”

GDPR doesn’t apply to everybody, so there are situations where you can still put people on your list unless they have specifically written on their business card, “Don’t add me to your list.” But I think that isn’t a good strategy. Ditto to anyone who thinks they can buy a list. Apparently, that is still a thing.

Adding people who give you a business card to your mailing list isn’t a good strategy, says @rbcarter. Click To Tweet

CCO: How does GDPR define informed consent?

Ruth: The new GDPR legislation requires a business to provide 10 pieces of information when acquiring somebody’s consent to add them to an email list:

  • Identity and contact details of the controller or their representative
  • Contact information for the data protection officer, where applicable
  • Purpose of the processing for which the personal data are intended, and legal basis for the processing
  • Legitimate interests of the controller or third party (when sending commercial email/processing for
    a client/customer)
  • Recipients of the personal data
  • Intent (if applicable) to transfer personal data to a non-EU country or international organization and whether the EU Commission has determined that this entity has the appropriate safeguards
  • Length of time personal data will be stored or criteria for determining that period
  • Existence of the right to request from the controller access to, rectification or erasure of personal data or its restriction
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the supervisory authority at any time

CCO: The new GDPR legislation is based on where the customer lives and not where the business operates. Does this set a new precedent, where marketers need to consider data privacy globally and not just what’s permissible in their own backyard?

Ruth: I definitely agree with that. It’s too hard to try to have different rules for different people. Who knows where they live or where they are when they sign up for your email? You can’t go off IP addresses. It’s a mess if you try to sort it out that way.

From a point of convenience, it’s just easier for a company to say, “We are going to comply with all rules simultaneously and whichever is the most restrictive, that’s what we’re going to do. That’s the easiest way to cover our butts.”

Don’t make it more complicated than it needs to be. If you want to be a global company and you’re open to having people on your list from anywhere on the planet, well, then you have to comply with every rule on the planet. Good luck with that. Just go with the lowest common denominator and comply.

CCO: Is there an upside for marketers? How might complying with these recent changes actually improve our effectiveness?

Ruth: Look at what data you’re asking for and then question why you’re asking for it. Don’t ask for anything you don’t need.

And be transparent. I’m very happy to report that the majority, if not all, of the companies that I’ve written terms of service for, put in those terms of service, “We don’t sell or give away your data.”

Data privacy is as much a trust and reputational issue as it is a compliance and technical one.

#Data privacy is as much a trust & reputational issue as it is a compliance and technical one. @rbcarter Click To Tweet

A version of this article originally appeared in the November issue of  Chief Content Officer. Sign up to receive your free subscription.

Cover image by Joseph Kalinowski/Content Marketing Institute

Author: Jonathan Crossfield

If it involves putting words in a row with the occasional punctuation, then Jonathan has most likely given it a bash; from copy writing to screenwriting, blogging to journalism. He has won awards for his articles on digital marketing and his over-opinionated blog, Atomik Soapbox. Follow Jonathan on Twitter @Kimota.

Other posts by Jonathan Crossfield