Synopsis — One thing that the rise of the internet has surely succeeded in is extending the global market from the hands of multinational corporations into the hands of the average person. Consumers can search for products and services they want in a global marketplace from the comfort of their homes, and small businesses can compete with large corporations on a much more level playing field than they ever dreamed of. But with this greater freedom comes a plethora of challenges, one of which is the privacy of data. With the onslaught of social networking and marketing, the situation has become even more complex and open to interpretation.
In his article, “Privacy and Permission: Data Protection In A Global Market,” Christian Arno discusses the situation from the point of view of an online marketer, faced with not only legitimate privacy concerns of customers he is used to dealing with in a brick-and-mortar setting, but also how to deal with the added layer of privacy and permission subject to international legislation. Parts of the world do regulate online privacy, and even with the overarching US-EU Safe Harbor Framework, individual countries may add on their own individual laws. Christian provides examples of specifics from various countries in addition to his discussion of the general idea of global data privacy, as well as including the seven principles of the Safe Harbor legislation, to help you navigate these waters.
The complete article follows …
Privacy And Permission: Data Protection In A Global Market
Privacy is perhaps one of the hottest talking points for any business engaged in any marketing activity, whether domestic or international. Indeed, privacy concerns arise wherever personally identifiable information is gathered and stored, and the advent of the digital age has only increased such concerns.
People have always been interested in how their healthcare, educational, financial, criminal, and other personal data is used, but the Internet’s global nature multiplies the potential problems if data is unwittingly divulged to the wrong people. For consumers, it is incredibly difficult to know whether sensitive information is being used for sinister purposes, not-so-sinister purposes, or not at all. Ultimately, this is the crux of the issue for many — the difficulty of knowing what information is being stored, where, and by whom.
For example, back in April of 2010, Facebook made its Open Graph announcement — essentially, developers can now add a “like” feature for any subject or item on any website. If an individual chooses to “like” something on a site, this data is passed to Facebook. The result? You can bet you’ll soon be receiving ads that correspond to whatever you chose to “like.” A Facebook user who changes their relationship status to “single” can expect to shortly be inundated with ads for dating websites.
The point of all this is that there is a very fine line between data mining (i.e., the process of extracting patterns from data to gain an informational advantage) and making consumers feel as if they’re living in a real-life version of the world in George Orwell’s novel 1984.
As a marketer, how do you walk this fine line? The answer can be summed up in one word — a word which marketers the world over should bear in mind before launching any initiative — permission. Power ultimately lies with the people. If they don’t want to shop with you, they won’t. If you market your wares too aggressively, then you may achieve the opposite effect of what you really want.
“Permission marketing” is a term coined by entrepreneur and marketing guru Seth Godin. The term is self-explanatory — you seek permission from the user before proceeding to the next stage of the buying process, such as sending newsletters or cross-selling additional products following a sale.
A layer of complexity is added when international legislation is brought into the equation. As with most laws, data protection and privacy legislation can vary from country to country, and knowing what you can and can’t do across the world can be tricky.
In the US, for example, data privacy – in general – isn’t heavily legislated or regulated. There are regulations in place, but no overarching governmental law exists stipulating how data can be acquired, stored, and used. In 1997, then-President Bill Clinton and Vice President Al Gore even went so far as to recommend that private companies should “self regulate” in “A Framework for Global Electronic Commerce.”
Europe, on the other hand, heavily regulates and rigidly enforces laws to protect a person’s “family life, his home and his correspondence,” as outlined in Article 8 of the European Convention on Human Rights. To ensure that data flows freely across the EU zone, the various data protection regulations from the member states were harmonized under the Directive on the Protection of Personal Data, which EU states were required to transpose into their respective laws by the end of 1998.
As far as the US and other non-EU parties are concerned, this directive broadly stipulates that data can only be transferred to other countries where a similar, adequate level of data protection exists. Consequently, the US-EU Safe Harbor Framework was drawn up in 2000. US companies can sign up for the program if they adhere to the seven principles outlined in the privacy directive. US organizations must recertify under Safe Harbor every twelve months.
The seven principles of the US-EU Safe Harbor Framework are:
- Notice: Individuals must be informed that their data is being collected, how it will be used, and the types of third parties to whom it may be disclosed.
- Choice: Individuals must have the ability to opt out of data collection and the forward transfer of data to third parties.
- Onward Transfer: Transfers of data to third parties may only occur to organizations that follow adequate data protection principles.
- Security: Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity: Data must be relevant and reliable for the purpose for which it was collected.
- Access: Individuals must be able to access information held about them, and correct or delete it if inaccurate.
- Enforcement: There must be effective means of enforcing these rules and consequences for violations.
Overall, the EU legislation is designed to unify policy as much as possible across the member states, but each country within the EU still has its own individual laws.
In the UK, for example, registered voters can opt out from having their details included in a public register. The latest opt-out rate showed that an additional 1 million people chose not to have their details made public and, hence, that information can’t be used by marketers. The UK public is becoming more aware of privacy rights and increasingly does not wish to be contacted by third parties.
And in the Netherlands, a new “do not call” telephone register allows citizens to opt out of commercial calls, which will reduce the channels available to marketers in a country where telemarketing is big business.
Broadly speaking, US companies wishing to engage EU citizens in any marketing campaign — whether it’s social media, email, or anything else — need to adhere to the rather general seven principles of the Safe Harbor directive. But in an increasingly competitive global market, businesses must go over and above that and earn the trust of consumers. If a customer buys a product from you and then ticks the “I do not want to receive any further communications” box on the order form, this must be respected.
As with any marketing decision, you need to listen to what customers want, rather than telling them what they want. If they don’t want to receive unsolicited communications, then you shouldn’t send them any, regardless of what the legislation says you can or cannot do. Going against such wishes is counterproductive in the long term and can drive business away. Privacy, at the end of the day, is all about permission.