Marketing Compliance in the Age of Data Privacy Transcript
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance practice. Today, we welcome back Jodi Daniels, founder and CEO of Red Clover Advisors, a data privacy advisory service that specializes in European and U.S. privacy law and other aspects of data strategy. Welcome, Jodi.
Jodi: Hi, glad to be here! Thanks for having me.
Sabrina: Thanks for coming back. Let’s start with some background on Red Clover Advisors. How do you help your clients?
Jodi: I help in a variety of ways. Some companies, they might not have a full-time privacy person on staff, and they may not need one. Not every company needs a full-time privacy professional. I might serve as a fractional Chief Privacy Officer for that company, or if they need to comply with GDPR or CCPA, we might start with a gap analysis and identify what are they already doing that is in good stead. What do we need to fix?
Maybe we need to help with data inventories. Maybe we need to come on site and do some training. Maybe we need to review and update policies and procedures. Or, it could entail reviewing the marketing practices and all the different vendors that we’re using and understanding what contracts we have in place. So, I really methodically go through all the different places that privacy touches, every place where we’re using, collecting, sharing and storing data and really narrowing and customizing what that particular client needs most.
Sabrina: For those who are only loosely aware of GDPR or the European privacy regulation, can you give us a brief overview of this legislation?
Jodi: GDPR is the General Data Protection Regulation in Europe. It went into effect May 25th, 2018, and it’s really an update to an existing privacy law that you already had. It is all about protecting the individual rights and freedoms of EU residents. It covers personal data, and important to this discussion is personal data is more than just what we often typically think of: name, email, address, date of birth. It also includes all those online identifiers: the cookies, the IP address, location data, all of those types of things. And GDPR also gives individuals a number of rights to the processing of their data. Some common ones that we often hear about are the right to be forgotten, the right to delete my information, the right to stop processing on me, the right to port my data and a variety of other rights as well.
Sabrina: Well, many people think GDPR is the only law to worry about in the EU. Can you describe for our listeners what the ePrivacy Directive is?
Jodi: The ePrivacy Directive is the existing marketing law in the EU. GDPR covers the processing of data. And, so, imagine you have a Venn diagram, and there’s an intersection and an overlap. The ePrivacy Directive might cover email marketing and might tell you who you can email and when. Is it opt in first, or can you just send a message to anyone? The GDPR would tell you what lawful basis you have to actually process that data. Now, the ePrivacy Directive was supposed to have gotten updated, and it will be called the “Privacy Regulation” and be a full-fledged law. However, it didn’t get updated in time for May 25th, 2018. There are current drafts out there now, and we’re all anxiously waiting for that new draft to come. And, when it does, it will provide additional clarity, and there very well might be some changes that B2C and B2B marketers really need to look at.
It also covers the cookie banners that we’re seeing everywhere. Believe it or not, before the existing banners that we’re seeing there was the cookie law that kind of came out of the ePrivacy Directive years ago, and that was the first iteration of banners. Now, with GDPR requiring a lawful basis, people are relying on consent. So, you have the cookie banner, but now we have all these cookie banners everywhere. The Privacy Regulation, for example, is looking at those to determine the best way to try and address the need to have notice and informed notice and consent. So, the Privacy Regulation really has a big impact on marketers, especially from an email marketing standpoint and from a cookie consent, anyone doing text messaging. It will probably also include messages on social media. Really, almost every digital form of marketing will be covered under the Privacy Regulation.
Sabrina: So, GDPR, the ePrivacy Directive and the similar law that California has passed have really increased scrutiny on how marketers use personal data. For our listeners who are not marketers, can you talk about some of the personal information that is routinely utilized in digital marketing?
Jodi: Imagine I’m going shopping at Nordstrom or Zappos, and you’re looking at shoes, and then I decide, “I don’t really need those shoes right now,” so I go and check my news report, and then, lo and behold, in the advertising space right near my article are the shoes that I was just looking for. So, that is online targeted advertising.
It might be called interest based ads, online behavioral advertising, they’ve tried to call it a lot of things to make us feel better about it, but essentially, there’s an entire ecosystem of hundreds of companies behind the scenes allowing that targeting and advertising to happen, and so there’s a lot of digital data that is collected. There’s pixels and ad tags or beacons, and they have a variety of different names, but those are placed on a website and then a cookie is dropped. So, a cookie is stored on your browser that says, “Oh, this computer looked at these types of shoes.” And then, with all these other companies, often the dots can kind of be connected, where they might actually know that it was Jodi Daniels who looked at the beautiful pink shoes, and they might be able to figure out, “Oh, I’m Jodi in Atlanta, and I’m Jodi who’s a mom,” and all these other factors around me.
All of that data is working behind the scenes, and that’s a lot of data, and so kind of also imagine if you were going shopping and you went to Target, and then you left Target and you went to Publix, and you left Publix and you went to the movies. If someone followed you, you’d think, “Why are you following me?” But that’s what we’re doing in the online arena. These laws are really intended to try and provide the notice to individuals of what is happening and then provide them the choice, because while it’s happening online, the view is, especially from the EU, that is my data, you’re kind of stalking me, you’re following me, and I should know what it is that you’re doing, and I should get to have some choices about that.
Sabrina: Interesting. So, marketing, which we traditionally think of as largely an area of opportunity, has an increased element of risk than was previously the case. What are the implications of these regulations on modern marketing professionals?
Jodi: There’s quite a lot that marketers have to be thinking about. The first is they have to know what data they’re collecting and which vendors they’re using. For example, who is my email service provider, and what kind of information is being collected in just an email campaign. When you open an email, depending on the email service provider and the other tools in it, I might even have a cookie basically dropped when I open the email or if I click on the link, then I know this person opens the link. So I have to know as a marketer all the different processing activities that I’m doing, I have to know what vendors are a part and what actual data is being collected. And then, I have to go and look at the actual laws that exist.
Under GDPR, I need to have a lawful basis to be able to do any of that activity. And, generally speaking, in marketing, it’s falling to consent. The actual check-the-box that says, “Yes, I’m okay with you sending me this email,” or the cookie consent banners that say, “Yes, I’m okay that you dropped this cookie.” So, I have to rely on a lawful basis. I have to provide that notice and a privacy notice and in the ePrivacy Directive or the updated Privacy Regulation, there will also be some very specific rules of when you can and can’t send an email, and that exists today. But we’ll have additional clarity on what that will look like when it’s finalized. For example, in some countries, B2B marketing is a little bit more favorable than B2C marketing, and what that means is in some countries, B2C, I can only send it to you if you opt in. And in some places, it’s okay if you’re a current customer, and then I can send it to you, but I must always make sure that you can opt out.
Sabrina: What other advice would you have for a company that’s not really been focused on compliance within marketing?
Jodi: Now is the perfect time to start. The way I look at privacy is that there are certainly these laws that we as good business citizens want to adhere to. Our customers are also getting really smart and savvy, and they’re expecting this from us. They’re either expecting it because there’s a law and they know what the law is, or because it’s really a virtual handshake every time an individual, a customer, gives our data to the company, and they’re trusting that the company is going to do the right thing with that data, that they’re not going to sell it, that they’re not going to misuse it or share it with someone that they didn’t expect. So, when I hand over that data, it’s really all about making sure that we as marketers are maintaining that level of trust.
The very first piece is to recognize that there are these laws that we need to take seriously, that our customers are expecting this of us, and honestly that this can be a competitive advantage; this can be an opportunity to really connect with the customers who truly want to hear from us, and we can create even better appropriately targeted messages to those particular individuals. Those who haven’t been focused on compliance, the very first step is to identify someone who’s going to be the point person, and then, the next step is to start thinking about, “Who are my vendors?”… and “What am I collecting?” …and “Do I need to do that? What does the law say that I can and can’t do?” Then, you kind of have to match it up against the law.
And then, my favorite piece is when there is no law. I call it the Big Gray Zone. Should you use the data? Just because you can doesn’t mean you should. And it’s really all about analyzing the information that you have and making the right decision for your customers.
Sabrina: Thank you, Jodi, for joining us again and helping our listeners better understand the new era of privacy regulation and its effect on marketing to our listeners. Thank you for joining Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.