Why is privacy the word on everyone’s lips today? Perhaps because according to the Kaspersky Global Privacy Report 2020, a third (34 percent) of consumers have had someone access their private information without consent. And that’s just those who know it happened.
Governments around the world – including in Europe, the US and Brazil –have brought in new personal data protection laws. Others, like Japan, are being revised. Regulating new technologies, like biometrics and facial recognition, is controversial because it extends the fine line between privacy to protect society and state surveillance. Data breaches are becoming more common and more expensive. In 2019, the average data breach cost the affected business 1.4 million US dollars.
The new rules of marketing
Marketers now have new rules to follow when collecting data about website visitors, sending marketing email and using customer relationship management (CRM) software. Not complying means hefty fines and reputational damage. In 2020, the Italian Data Protection Office fined a telecommunications company over 27 million euros for making marketing calls without consent.
On the bright side, we may be increasingly trusting and engaging with businesses that respect our privacy. A 2018 Harvard Business School study found customers were 40 percent more likely to visit a website’s recommended products when wording made clear the recommendations were informed by their browsing behavior. Similarly, in a 2020 study by Cisco, three in four companies said complying with data protection laws had increased their customers’ loyalty and trust.
Marketing must adapt to new regulation, but it looks like there is potential for this change to make marketing better.
Laws marketers should know about
As privacy legislations cover more of the globe, it’s challenging to keep up with what applies to your company. Here’s a primer on legislation already out there or coming soon.
Europe: General Data Protection Regulation (GDPR)
The GDPR applies to all organizations in the European Economic Area (EEA) or that process its citizens’ personal data.
Data protection authorities for different countries in Europe regularly publish clarifying guidelines, such as the Irish Data Protection Commission’s 2020 guide on how and when websites may use cookies – text files containing users’ data downloaded onto their device, used for personalizing content.
Brazil: Lei Geral de Proteção de Dados (LGPD)
Like GDPR, Brazil’s new data protection law (going into effect in 2021) applies to all organizations operating in Brazil, offering services or goods to the Brazilian market or processing data of those living in Brazil.
Unlike GDPR, LGPD does not explicitly address marketing. Nonetheless, marketers with Brazilian customers should understand it, because it directs how they should handle customer data, including sensitive personal data, such as health or political preference.
California Consumer Protection Acts (CCPA)
California’s new data protection law came into force on in January 2020. It applies to companies that operate in California, US and make 25 million US dollars, make more than half their money selling user data or gather data on more than 50,000 consumers, households or devices.
It regulates some marketing activity. For example, companies must let users opt out of sale of their data with a clear “do not sell my personal information” link. It also sets out rules for how companies may store and handle customer data.
When marketers don’t follow the rules
While making your marketing privacy-friendly could improve customer loyalty, failing to comply with data protection laws can be costly.
Heavy fines
Most famously, French data protection authority Commission Nationale de l’Informatique et des Libertés (CNIL) fined Google 50 million euro. According to CNIL, Google didn’t give users clear enough information about how their data would be used and didn’t give them enough control over its use.
The cost of non-compliance varies. Under GDPR, the maximum fine is 20 million euros or four percent of your total worldwide annual turnover, whichever is higher. Under the new Brazilian law, the maximum fine for each violation is 50 million reais (nearly US$1 million), plus daily penalties for not stopping violations after an order from authorities.
Keep in mind that you can also be fined under several different regulations at once, so 20 million euros under the GDPR and 50 million Brazilian reais under the LGPD for a similar violation. Being fined in one country or region doesn’t exempt you from further prosecutions.
It’s not just big, high-profile businesses like Google getting stung either. European data protection authorities issued over 428 million euros in fines in 2019.
Legal hot water
On top of fines, companies that don’t protect customer privacy risk being sued by customers or governments. Facebook has had its revenue affected by privacy lawsuits.
Aside from financial pain, the bigger risk is damage to reputation. Despite its marketing campaigns trying to fix its tarnished reputation, many no longer trust Facebook with their personal information.
Making marketing more privacy-positive
Getting creative can make your marketing more privacy-oriented and appealing to customers. You’ll also need to watch for where others have fallen foul of the law.
Accept and follow the law
After GDPR required cookie consent from users, many turned to dark patterns: Interface designs that try to trick the user into doing something like agreeing to marketing emails or consenting to cookies. In some cases, websites use dark patterns to prevent users reading a privacy policy or opting out of sale of their personal information.
Dark pattern techniques violate data protection laws. Companies that use them can be fined or see their reputation damaged. Tumblr learned the hard way when people began Tweeting about dark patterns in their cookie consent form.
Give privacy options, even when you don’t have to
Build customer trust by giving them privacy options, even when the law doesn’t require it. For example, if you’re running a contest on social media, let people enter privately with a direct message or through a website form. While this may decrease numbers of tags and hashtags that increase your contest’s reach, it builds a privacy-friendly reputation and increases participation.
Ask for consent
Beyond cookie banners and newsletter opt-ins, ask customers for consent whenever you run a marketing campaign. For instance, when gathering feedback through a survey, ask participants’ consent to use their feedback publicly, even if it’s anonymous. Asking shows you respect their privacy and preferences.
Protect your customers’ data
To put customer privacy first and follow data protection law, you must invest in cybersecurity. Even one data breach can lower trust in your company.
Reflect on how you collect and use personal data, how it’s stored and what tools you use. Find out if your customer management system has reported data breaches recently or your email marketing platform has been fined for privacy violations.
Keep up your education about privacy
Privacy laws and industry standards will evolve. Educate yourself, constantly.
A good place to start is Undatify’s blog (a Kaspersky Innovation Hub project), for explanations of data protection law, privacy advice and monthly news roundups. Knowing what’s right will give you confidence you’re doing your job right and treating customers’ privacy with the care it deserves.