Business owners must be careful to abide by the laws of various countries when tracking customer data online
The internet has erased many international borders when it comes to commerce and interactions. However, business owners must be careful to abide by the laws of various countries when tracking customer data online.
Marketing automation is the use of systems to collect and store visitor information with the goal of fine-tuning customer-directed messaging to produce income through sales. In its broadest sense, any collection of information from the computer or device used by a website visitor that identifies them can be considered marketing information.
Privacy policies are required to disclose what information a website or app will track and collect from the visitor. In recent years those policies have drowned in legalese, and consumer data has potentially been used for purposes other than marketing, all of which tarnished marketers and caused lawmakers to take notice.
Consumers are pushing back, too, the U.S. Federal Trade Commission notes, by manually clearing cookies or setting limits on tracking that people find intrusive, which can damage a company’s ability to benefit from the common practice of buying data from third-party tracking companies.
1. The current environment
Data breaches and complaints of overreaching, along with the evidence that data collection influenced the 2016 elections, have led to a widespread desire for more regulation. While changes to laws in other countries have prompted companies to be more transparent, they’re also hoping to stay ahead of any future legislation that would limit their data collection, by showing Congress that they’re good corporate citizens. That’s because online marketing is valued at $192 billion per year.
Strong online privacy laws that were enacted last year in Europe, called General Data Protection Regulations, or GDPR, are affecting all businesses that collect marketing data. California and Vermont have passed laws with some similarities, while other states are beginning to tiptoe into data privacy and protection. Federal laws protect the privacy of children under age 13, as well as medical information.
GDPR requires businesses to notify customers of data breaches within 72 hours. The law also requires a Data Protection Officer to oversee the privacy of files and allows fines of ten million pounds or 2% of revenue for those that do not comply. Most notably, Facebook is expected to be the first hit with a major fine of over $1.5 billion for breaches, but Marriott, the query website Quora, British Airways, and Ticketmaster have all been targeted as well. The new law is both publicly unveiling breaches and highlighting their frequency, underscoring the need for compliance and enforcement.
Europe has created a "white list" of countries that have enacted and enforce similar protection laws, essentially condoning business with them. Japan was the first to receive this designation for its Act on Protection of Personal Information (APPI). Like GDPR, it requires data collection to be limited to that which impacts the business’s ability to interact with the individual.
South Africa has a data protection law called the Protection of Personal Information Act (POPIA) that is limited to firms within the country but may impose prison time as well as fines for illegal use of consumer data. It requires that protections extend to data collected on legal entities (corporations, etc.) along with individuals.
Australia’s data protection law is seen as flawed due to its foundation in an information privacy statute created in 1988 and a provision that assigns responsibility based on company size, applying a more stringent data privacy protection requirement to those that do over $3 million in annual business. It also allows businesses 30 days to assess any breaches before reporting issues.
2. Where to start
In fact, many marketing experts are advocating for a return to basic, first-level relationships with customers rather than the scatter-shot approach of targeting anyone with a pulse who has a characteristic in common with the client demographic.
- What information is collected and whether/how it’s personally identifying.
- Where the information is stored.
- Whether the information is shared with others.
- How the information is used.
- How a consumer can remove or opt out of data collection.
- Collection only of data that is necessary.
- Safeguards from internal hacking.
- Cross-departmental understanding of data privacy rights and protections to avert an unintentional misuse or breach.
- A well-communicated breach-response plan.
4. Look to the future
The GDPR law states that companies that track residents in the European Union must comply with the regulations that took effect last year. Even if your business does not intentionally target or do business with Europeans, any marketing automation software must dump data gathered on those individuals unless you’ve done business with them in the past (called a soft opt-in). If your company has plans to expand into that market, you may want to start with a GDPR-compliant system rather than upgrading later.
The Facebook-Cambridge Analytica scandal revealed how user data was scooped up from unsuspecting participants – along with that of their friends – but the scope of the scandal wasn’t enough to shift pro-business sentiment among American lawmakers. Some say that Europe’s strict new law will trickle down, including from large multinational companies that have adjusted data collection to comply.
"Freely given, specific, and unambiguous" is the privacy standard for the GDPR. Similarly, California’s new law says that customers should be able to opt out of data collection and have some say over how their personal data is used and disseminated.
Most new data protection laws passed by states cover only data breaches, but Colorado’s also requires safe storage and disposal of customer information. Vermont’s law includes regulations on third-party data mining and requires companies collecting such information to register with the state. Utah and California require disclosure of how a customer’s information may be shared with third-party companies.
First-party data is easier to collect because the individual is a customer. Third-party data, gathered through cookies, is sold to multiple companies and is, therefore, not unique. Industry experts suggest strengthening privacy policies and making it clear to customers and visitors that you value their information enough to protect it.
5. New old ways of tracking
Experts point to statistics that show high levels of mobile phone use for purchases through apps rather than websites, turning cookie-based customer tracking on its head. StoneTemple’s research shows mobile usage growing to over 63% of page views, up from 57% in just a year.
Industry experts who say that 352 billion mobile app downloads are expected annually by 2020, and that profiling users across multiple devices is ever more challenging, concur that email marketing is the future, allowing first-person, personally identifiable information to be targeted and mined for opportunities.
Others argue that location tracking via mobile device number is more accurate, beneficial to advertisers and less invasive than developing profiles through personally identifiable information gathered online.
Trust is also considered key for marketing, something that was replaced by reams of data for a while. Now, when consumers are shopping online, they look for long-lasting brand names and even individuals, such as social media ambassadors, to recommend a product. If a customer can trust a company with his or her email, it’s a strong signal that the person intends to stay with the brand.