Technology has changed the way businesses market themselves to consumers. Businesses can now identify shifting consumer preferences, launch highly targeted advertising campaigns, and communicate instantly with potential customers. The one thing all of this new marketing has in common? Consumer data. As marketing technologies evolve, companies should be aware that the myriad data security and privacy regulations apply not just to how companies conduct their business, but to how they market it as well.
Some of the most common examples of marketing practices subject to regulatory scrutiny are:
- Collecting any personal information about a consumer who visits a company website or uses its mobile app,
- Storing consumer information,
- Sharing customer information with outside parties or vendors,
- Using email to communicate and market to customers, or
- Recording consumer information via cookies or other passive tracking tools.
To make matters more difficult, there is no single, uniform law that companies can follow to avoid data security violations. Marketing practices involving consumer data are governed by federal law, state laws, and rules established by administrative bodies such as the Federal Trade Commission (FTC). The liability for failing to comply with these rules can be hefty, as companies such as Yelp have learned the hard way.
In 2014, Yelp agreed to pay a $450,000 civil penalty to settle FTC charges that its mobile app collected and stored personal information from children under 13 in violation of the Children’s Online Privacy Protection Act (COPPA). Yelp’s services are neither directed at nor marketed to children, but COPPA also covers any operator that has actual knowledge it is collecting personal information from a child under 13. Here, the culprit was a broken age-screening step: the app recorded the birth date each user entered, but for users under 13 it never triggered the COPPA procedures (such as parental notice and consent) that should have followed. Yelp had the information it needed to know those users were children, and collected their data anyway.
The Yelp case is not unique. By 2014, the FTC had already brought hundreds of privacy and data security cases against all types of businesses. Using its broad authority to challenge unfair or deceptive acts and trade practices, the FTC has levied penalties on companies not only for violating privacy laws, but also for failing to live up to their own published privacy policies: a privacy policy is a representation to consumers, and breaking that promise is treated as a deceptive practice. In recent years, companies such as Facebook, Snapchat, and LifeLock have all settled FTC cases over failures to faithfully adhere to their own privacy policies.
On top of the rules and laws enforced by the FTC, companies may be held accountable by state governments, other federal agencies, and the consumers themselves through individual or class action lawsuits. The damages companies face include not just monetary penalties, but also reputational damage that can severely stunt business growth.
So what’s a company to do to stay on the right side of data security and privacy regulations? The following steps are a good starting point:
- Identify relevant regulatory obligations. As the FTC’s Yelp case demonstrates, information privacy regulations have a broad scope and harsh penalties. Once a business has definitively identified which regulations apply to it, and to which of the data it collects, it can craft comprehensive procedures that reduce its regulatory risk.
- Create, review, or update a consumer privacy policy, and make sure to comply with it. Businesses should strive for a policy that collects only necessary and reasonable consumer information and provides adequate protection for that data, while still allowing the organization to carry out its operations. A policy that is too narrow (one that promises less collection or sharing than the business actually does) makes it easy for a company to overstep the rules it laid out for itself, and regulators hold companies to the policy as written. A policy that is overbroad (one that reserves the right to collect and share far more than is needed) can lead to consumer backlash and reputational harm, especially given the increased public concern about privacy. Either way, the policy should be checked against what the company’s systems actually collect, store, and share, not just against what the marketing team intends.
- Develop internal privacy policies. Having, and following, a consumer privacy policy is an important first step. However, companies shouldn’t overlook the importance of also having an internal privacy policy. An internal policy should guide the company and its employees on how information is handled within the organization, set rules for email and internet usage, set procedures for protecting acquired data, and, in the event of a breach, establish the next steps to mitigate the damage.
- Put data protection terms in vendor agreements. Marketing takes a lot of hard work and collaboration. Businesses regularly outsource marketing functions to other firms and, as a result, hand consumer data to them. Businesses should make the effort to understand those third parties’ privacy policies and confirm that they provide the same level of protection as the business’s own. Data protection requirements should be written into every such contract. Additionally, the consumer-facing privacy policy should inform consumers that their information may be shared with third parties and explain how that information is used.
As easy as technology has made consumer marketing, it has made compliance with data security and privacy regulations that much harder. When in doubt, fall back on the three core best practices for consumer data security and privacy: transparency, choice, and security. Make sure consumers know what information you are gathering and for what purpose, give them options for greater control over their information, and provide adequate security measures, including steps to verify that your practices match your policy.