Showing posts with label privacy.

General Data Protection Regulation (GDPR)

The complete guide to GDPR and compliance can be found at gdpr.eu

GDPR came into force on May 25, 2018, and since then EU supervisory authorities have levied substantial fines against violators of the EU's data-protection legislation. According to the GDPR Enforcement Tracker website, the top 10 countries by total fines are:


And the breakdown of violations by industry:


While the US and US companies do not appear in these tables, that does not mean their European operations have escaped enforcement. Read more about that here. Google (fined €50m by France's CNIL) and Marriott (a UK ICO notice of intent to fine £99m, roughly $123m at the time, over the Starwood guest-database breach; the final penalty issued in 2020 was £18.4m) are the two largest entities to face GDPR fines.

In a nutshell, GDPR covers businesses, government agencies, and other entities that:
  • are established in the European Union (EU);
  • offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the entity itself is based;
  • and collect, store, transfer, or otherwise process personal data about those individuals. Note that the test is whether the data subject is in the EU, not EU citizenship.
For individuals, GDPR grants extended rights over the use of their personal data, such as:
  • Right of Access (and Rectification):
    • Obtain confirmation as to whether or not their personal data is being processed, where, and for what purpose
    • Access their personal data
    • Have errors in their personal data corrected
  • Right to Erasure (the "right to be forgotten") and Right to Object:
    • Have their personal data erased
    • Object to having their personal data processed
  • Data Portability:
    • Receive a copy of their personal data in a machine-readable format and transfer that data to another vendor/controller
GDPR defines personal data as:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (source: GDPR Article 4(1))




California Consumer Privacy Act of 2018 (CCPA)

This privacy act became effective on January 1, 2020.

The California Consumer Privacy Act of 2018 (CCPA) is a law that gives California residents more control over their personal information. The CCPA applies to for-profit businesses that collect personal information from California residents and that meet at least one threshold: annual gross revenue of $25 million or more; annually buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving 50% or more of annual revenue from selling personal information.

The CCPA gives California residents the following rights:

  • The right to know what personal information a business has collected about them.
  • The right to delete their personal information.
  • The right to opt out of the sale of their personal information.
  • The right to non-discrimination for exercising their CCPA rights.

Businesses that collect personal information from California residents must comply with the CCPA. A business that violates the CCPA may be subject to civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, enforced by the California Attorney General; consumers also have a private right of action, with statutory damages, for data breaches caused by a failure to maintain reasonable security.

The CCPA is a landmark law that gives California residents more control over their personal information. It is likely to have a significant impact on businesses that collect personal information from California residents.

Canada's anti-spam laws (CASL) and its impact on US marketing

Here are the top 10 elements of Canada's anti-spam legislation (CASL) and their impact on US companies marketing to recipients in Canada:

  • CASL applies to commercial electronic messages (CEMs) sent to or from a computer system located in Canada. This includes emails, text messages, and direct messages on social media, and it does not matter where the sender sits.
  • CASL requires that you obtain consent before sending a CEM. Consent can be express or implied, and the burden of proving consent is on the sender, so keep records of when, how, and from whom it was obtained.
  • Implied consent is time-limited: it generally lasts two years after a purchase or other existing business relationship, and six months after an inquiry.
  • CASL requires that every CEM identify the sender (and anyone on whose behalf it is sent) and include contact information: a mailing address plus a telephone number, email address, or web address, all of which must remain valid for at least 60 days after the message is sent.
  • CASL requires a clear and conspicuous unsubscribe mechanism in every CEM. Recipients must be able to unsubscribe without having to contact you, and opt-out requests must be given effect within 10 business days.
  • CASL prohibits false or misleading representations in the sender information, subject line, or content of a CEM (enforced through the Competition Act amendments that accompanied CASL).
  • CASL prohibits altering the transmission data of a message (for example, its destination address) without express consent.
  • CASL prohibits installing a computer program on someone else's device without express consent; this covers viruses and spyware but also ordinary software that updates itself or phones home.
  • Some messages need no consent, such as a quote or estimate the recipient requested, warranty or product-safety information for something they bought, or messages to family and personal contacts; for most of these exemptions the identification and unsubscribe requirements still apply.
  • CASL provides for significant penalties for non-compliance: administrative monetary penalties of up to $1 million per violation for individuals and $10 million per violation for organizations, and directors and officers can be held personally liable.

The impact of CASL on US companies marketing into Canada is that the law follows the recipient: a message is covered the moment it is sent to or accessed from a computer in Canada, even if the sender has no Canadian presence. To send CEMs to Canadian recipients, a US company must obtain and document consent, identify itself, provide a working unsubscribe mechanism, and avoid false or misleading content. A US company that does not comply is exposed to the same penalties as a Canadian one.

Mobile App Auto Email Opt-In

I met up with a long-time friend in Los Angeles who told me about this new dating site called "Coffee Meets Bagel". An interesting enough name that got me hooked. However, as a marketer, after being on the site for less than an hour, I found that I couldn't unsubscribe nor delete my account. And, because I have so much fictitious info on Facebook, much of what is displayed on the CMB profile is inaccurate to say the least and there are aspects of the CMB profile that you can't edit, like your age. Apparently I have a bachelor's degree from the Restaurant at the End of the Universe, according to my CMB profile.

What caught my attention on their privacy page was this statement: "...we reserve the right to send you certain communications relating to Coffee Meets Bagel (such as service announcements, security alerts, update notices, or other administrative messages) without affording you the opportunity to opt out of receiving such communications." 

Oh really. Plenty of startups have been burned by such flagrant disregard for privacy standards.

If I delete the smartphone app, would that in turn really delete all my info on their server; or would they continue to use my info to hook other people into the system?

From the app's web and iPhone interface, it doesn't look like I can delete my account at all. How to do this is not apparent. I had to look at the intro email, and it's not terribly obvious there either. It's in the mouse-print section of the email where one normally unsubscribes. But, before you opt for permanent deactivation, be sure to unsubscribe yourself from everything you've already been subscribed to. Because heck, there isn't anything more annoying than receiving email from a deleted account. 

One thing comes to mind when it asks for my mobile number as a means of tracking, I mean matching, my profile to a potential bagel: lead generation. Nothing nefarious here. But it has the makings of bait and switch written all over it.

Rise and Fall of Privacy

In the US, the right of publicity and the right to privacy are not the same issue, nor are they governed at the same statutory level (state versus federal).

"The right of publicity prevents the unauthorized commercial use of an individual's name, likeness, or other recognizable aspects of one's persona. It gives an individual the exclusive right to license the use of their identity for commercial promotion." --Cornell University, Legal Information Institute

The right to privacy is not stated explicitly in the Constitution; courts have inferred it from the First, Fourth and Fifth Amendments (among others), and its scope is narrow. At the federal level the Federal Trade Commission (FTC) is the main enforcer of statutory privacy rights, primarily through its Section 5 authority over unfair or deceptive practices; the now-routine presence of privacy policies and privacy statements on company websites is evidence of the work the FTC has done.

This is a gray area that Facebook and other corporate or social networks deliberately trespass into again and again. Users have few options for responding in kind; two of them are not signing up for the service to begin with and, if you are an existing user, cancelling and deleting your account. Is the average user going to lobby Facebook (or any other social network provider) to change its policies, or hire a lawyer to negotiate a bilateral policy with it? Doubt it.


Instagram has changed its usage policy to take advantage of its treasure trove of photo content and to enable its advertisers and third-party partners to use user content without defining any licensing or copyright protections. This kind of usage-policy change is generally decried by the public as a social media no-no and tends to result in a mass exodus of users (and, subsequently, of user-generated content).

There are no right or wrong ways to deliver such a message to an audience, only tact and diplomacy. Let's start with the basics. Instagram is a free-to-use photo-editing and posting service: it lets users take photos with any device, apply Instagram's filters (the digital sepia look that mimics old Polaroid photos), and share them with others, presumably publicly, within social networks.

Facebook Places Enables Random Edits

This could be bad news for any company that wants to keep its online reputation clean and typo-free. Notably, Facebook provides no way for a company's page admin to monitor or reject changes suggested by random strangers. A competitor could log into Facebook and modify your Facebook Place page for the worse, and no one would be the wiser except you. The settings have been like this for more than a year, but then Facebook isn't interested in fixing petty details.

This is not to be confused with a Facebook company profile page, which appears to still be secure.

LinkedIn and User Privacy

Perhaps you were among the 100 million users who were automatically opted into LinkedIn's social advertising program, or perhaps you read about it on some social media site. Not terribly interested in having your name, photo and activity used in ad targeting? Here's how to opt out:
  1. Click on your name on your LinkedIn homepage (upper right corner). On the drop-down menu, select "Settings"
  2. From the “Settings” page, select “Account”
  3. In the column next to “Account”, click “Manage Social Advertising”
  4. Un-check the box next to “LinkedIn may use my name, photo in social advertising”
You can also turn on or off Enhanced Advertising, Partner InMail, data sharing with third-party applications, invitations to participate in research, and LinkedIn announcements from the same Account settings page.

I'm a bit surprised that LinkedIn didn't have any Home dashboard messaging about the mass opt-in change to user settings. At least users have the ability to opt in and out when they want to. Options are always good. We make better decisions when presented with many options instead of few or none.

Sears Rewards Program #FAIL

Thanks a lot Sears, I really didn't need to be spammed by all your eCommerce entities all at once. Sears is typically where I go to get tools and appliances for the home; although, in today's age, Home Depot wins out on in-store price comparisons and Lowe's wins on customer service, at least in southwest Washington anyway. The customer experience is probably different where you live. Regardless, this post reflects upon the poor execution of what could have been a good retention marketing campaign by the Sears rewards program.

The cloud, it poked me in the eye

Is there any data that isn't compromised by the US Patriot Act?

I thought about writing an intro series for marketers on the Cloud (as in cloud-based apps and marketing), but I'll jump right in here. Imagine, if you would, your personal hard drive (from any computing device: an iPad, laptop, netbook, desktop monstrosity, server, etc.) with documents (text, photos, presentations, spreadsheets, notes) that you share with colleagues or clients on an online platform where you presumably control access privileges and file privacy rights. On ZDNet, Zack Whittaker highlights an interesting perspective on how Microsoft is dealing with privacy with respect to law-enforcement requests for documents stored in its cloud.

The Microsoft statement: "Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities." 

Not only do companies have to worry about hackers breaching a cloud platform, as happened to Epsilon and its customers (Kroger, JPMorgan Chase, and a long list of others) in March 2011, but your data can also be handed to the US government under a lawful order, potentially without any notice to you, regardless of where that data physically sits if it is managed by a US-based company.

Read more?

Microsoft's whitepaper on the data protection policies of Office 365
PC Mag's article on "Epsilon Data Breach: What Can You Do to Protect Yourself?"

Update and clarifications - Email CAN-SPAM

Here's a cheer for all the consumers out there. *Yay!* Finally, it seems that someone has been reading all the FTC complaints, and companies will have to follow these rules on how a customer unsubscribes from a list if they are to stay compliant with CAN-SPAM. I'm sure at least one of these scenarios has happened to you when you tried to unsubscribe from that bacn list.

The rule provisions (the FTC's final CAN-SPAM rule, announced May 2008) address four topics:

(1) an e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page to opt out of receiving future e-mail from a sender;

(2) the definition of “sender” was modified to make it easier to determine which of multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements;

(3) a “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address”; and

(4) a definition of the term “person” was added to clarify that CAN-SPAM’s obligations are not limited to natural persons.

More details - http://www.ftc.gov/opa/2008/05/canspam.shtm
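The unsubscribe requirement in the CASL section above (a mechanism the recipient can use without contacting you, honoured within 10 business days) and provision (1) here (a single web page, no fee, nothing beyond the e-mail address) come down to the same implementation. Below is an added example of that one-step opt-out, not code from the original post nor from the FTC or CRTC. It assumes a hypothetical endpoint host, list ids and signing key; the headers it emits are the standard List-Unsubscribe (RFC 2369) and List-Unsubscribe-Post (RFC 8058) ones, and the token is an HMAC over the address so a link can only unsubscribe the address it was sent to.

```python
# Added example (not from the original post, the FTC or the CRTC):
# a one-step unsubscribe that needs no login, no fee and no data beyond
# what is already in the link.  Host name, list ids and the signing key
# are illustrative assumptions.
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"example-only-signing-key"          # assumed; use a secrets store in production
UNSUB_ENDPOINT = "https://mail.example.com/unsubscribe"  # assumed host


def normalize(email: str) -> str:
    """Case-fold and trim so the token survives mail clients that re-case addresses."""
    return email.strip().lower()


def unsubscribe_token(email: str, list_id: str, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over (list_id, address): a forged or enumerated address
    in the link will not verify, so strangers cannot unsubscribe others."""
    msg = f"{list_id}\n{normalize(email)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unsubscribe_url(email: str, list_id: str) -> str:
    """The single web page the recipient visits; everything needed is in the query."""
    query = urlencode({"email": normalize(email), "list": list_id,
                       "token": unsubscribe_token(email, list_id)})
    return f"{UNSUB_ENDPOINT}?{query}"


def list_headers(email: str, list_id: str) -> dict:
    """Headers to add to an outgoing commercial message: RFC 2369
    List-Unsubscribe plus the RFC 8058 one-click marker, so mail
    providers can offer an unsubscribe button with no further steps."""
    return {
        "List-Unsubscribe": f"<{unsubscribe_url(email, list_id)}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


class SuppressionList:
    """In-memory stand-in for the sender's suppression database."""

    def __init__(self) -> None:
        self._suppressed: dict[str, set[str]] = {}

    def handle_request(self, method: str, url: str, body: str = "") -> tuple[int, str]:
        """Serve the unsubscribe endpoint.  GET is the recipient clicking the
        link; POST with body 'List-Unsubscribe=One-Click' is the mail provider
        acting for the recipient (RFC 8058).  Only the address, list and
        token already present in the link are required."""
        if method not in ("GET", "POST"):
            return 405, "method not allowed"
        if method == "POST" and body != "List-Unsubscribe=One-Click":
            return 400, "unexpected POST body"
        params = parse_qs(urlparse(url).query)
        email = params.get("email", [""])[0]
        list_id = params.get("list", [""])[0]
        token = params.get("token", [""])[0]
        if not (email and list_id and token):
            return 400, "missing parameters"
        expected = unsubscribe_token(email, list_id)
        # Constant-time compare so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return 403, "invalid token"
        self._suppressed.setdefault(list_id, set()).add(normalize(email))
        return 200, f"{normalize(email)} removed from {list_id}"

    def may_send(self, email: str, list_id: str) -> bool:
        """Check before every send.  Both CAN-SPAM and CASL require the
        opt-out to take effect within 10 business days; checking the
        suppression list at send time makes it effective immediately."""
        return normalize(email) not in self._suppressed.get(list_id, set())
```

Usage: call `list_headers(recipient, list_id)` when composing each message and merge the result into the message headers; route `/unsubscribe` to `SuppressionList.handle_request` and gate every send on `may_send`. The suppression is per list, so unsubscribing from a promotional list does not silence transactional or security notices, which both regimes treat differently.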