You’ve seen the headlines on mobile apps spamming, social networks doing about-faces on how they use data, and display advertising services leveraging CRM data attributes. Now that all of this formerly channel-specific data can be optimized through a single toolset, it’s important to learn how you can leverage the disparate data without compromising deliverability, privacy or regulatory compliance. To borrow a premise from Seth Godin, your marketing is broken if you wind up spamming to sell your product, or if you run afoul of wireless carriers, social network hosts or international regulators.
In part one of this three-part series I will summarize the best ways to get proper consent through your various data acquisition efforts so as to maintain compliance with U.S. and international electronic communications laws.
Collect data for specific purposes
Great relationships with consumers begin at the point of collection. In the world of “Big data,” risks are tied to collecting more data than you know what to do with and in a way that doesn’t respect consumers’ right to privacy.
Case in point, Google is still dealing with the consequences of collecting unnecessary and miscellaneous data through their Street View program. As brands and data companies continue to experiment with new technologies to gain greater insights into and access to consumers, it’s more important than ever to ensure you only collect data that you actually need or that benefits consumers.
Request consent for each channel separately
Beyond ensuring that your collection efforts are purposeful, it is also important to get unambiguous and direct consent from consumers for each specific use of their personal information.
There really is no effective single sign-on version of consent that can bridge different communication channels. For example, consent to receive email marketing does not mean consent to receive commercial text messages. If low website traffic is a concern, use your primary communication channel, like email, as an anchor to help your customers connect with you in other ways. One common example is integrating Facebook Likes into email or inviting recipients to subscribe to your marketing SMS program.
Seek an overt act of permission from the individual
Consent based on a pre-existing business relationship may be OK in U.S. commercial email, but it no longer satisfies the Telephone Consumer Protection Act for text messaging or teleservices. Pre-existing business relationship consent may put you at odds with other industries’ self-regulatory guidelines and various international laws. The SMS industry in the U.S. is one such example where confirmed or verified opt-in (a.k.a. double opt-in) is an enforced self-regulatory standard.
Across the Atlantic, the UK Information Commissioner has recently issued guidance to clarify existing compliance obligations pertaining to electronic marketing. Specifically, the guidance reiterates their position that consent should be ‘extremely clear and specific,’ is not transferable and cannot rely on implied consent ‘as a euphemism for ignoring the need for consent, or assuming everyone consents unless they complain.’ Furthermore, the ICO has reminded marketers that a consumer must intend for their consent to be passed on to a third party, meaning that ‘generic or non-specific’ third-party (a.k.a. indirect) consent may not be valid for electronic marketing.
At least in spirit, the UK ICO’s position on overt consent appears to be similar to that of the Canadian Radio-television Telecommunications Commission (CRTC). According to the Canadian regulator, to be compliant with the new Canadian Anti-Spam Law (CASL), permission must be expressed, unambiguous and separate for each specific purpose.
Mind social networks’ terms of service
While there are few laws explicitly governing social media, social networks impose their own terms and conditions and software rules. These should be considered along with overlapping existing laws.
Social network rules fall into three key areas: marketing integration, applications and advertising. Most social networks make some of their user data ‘public’ to all website visitors, and often include the capability to collect some information by application programming interfaces (APIs).
One common rule is the prohibition on automatic collection of user information through spiders, exploits or other privacy-infringing methods without the express consent of the social network. As an example, Facebook, while making some PII available for public viewing, prohibits straight collection of PII unless the user provides consent through a TOS agreement or an app download screen. And even when social data is properly integrated, Facebook places some restrictions on the use of unique user data for online advertising or email marketing purposes. The general principle is that social user data is intended to benefit the social experience and not outside marketing.
Pre-empt point-of-sale hazards
A poorly implemented ‘eReceipts’ program at brick-and-mortar locations can lead to inadvertent compliance violations and deliverability problems. In the U.S., marketers should be aware of restrictions set by California’s Song-Beverly Credit Card Act of 1971, which prohibits businesses from collecting “personal identification information” during offline credit card transactions. And while it is possible to offer eReceipts internationally under applicable ‘soft opt-in’ allowances, there must still be an effort to provide adequate up-front disclosures to consumers.
Putting it together to strengthen, not break, your marketing
- Constrain collection of other data to only specific purposes.
- Ask for unambiguous consent up-front. Mind industry-specific guidelines.
- Record ‘overt acts of permission.’
- Audit your database and practices to gauge international compliance risk.
In part two of the optimizing for compliance series, I will cover how to best integrate personal and non-personal data, and improve your brand and email reputation by leveraging cross-channel intelligence.