Privacy Policies and Data Collection: Top 10 Steps to Take in 2011
February 15, 2011

2011 will test the boundaries of personal privacy in marketing. Consumers share their personally identifiable information (PII) on social media networks with little understanding that marketers silently track their preferences, their dislikes, and their PII. In many instances, marketers store the information and even resell it to third parties. The conflict between marketers’ targeted use of personally identifiable information (PII) and respect for consumers’ personal privacy will be at the forefront of regulatory efforts this year.
At the end of 2010, the FTC released its preliminary staff report entitled “Protecting Consumer Privacy in an Era of Rapid Change”. The report acknowledged that consumers want innovative new products and services that often rely on their PII. At the same time, the report cautioned that there is a need to balance technological advances in marketing with consumers’ desire for privacy. The report endorsed a “Do Not Track” mechanism that would allow consumers to opt out of marketers’ invisible tracking of PII. The FTC also announced that it will be monitoring the marketplace carefully and taking enforcement action against companies that violate consumer privacy or use PII indiscriminately. The FTC is accepting public comments until January 31, 2011 on its report.
At the same time, the advertising industry announced its self-regulatory program for online behavioral advertising. At www.aboutads.info, the nation’s largest media and marketing associations provide detailed information to consumers about behavioral advertising and how to opt out of targeted marketing techniques. In addition, the website announces an industry-wide initiative to use an “advertising option icon” on websites. The icon launched on Jan 1, 2011. When a consumer sees the icon displayed on a website, he will know that the website owner is using best practices in behavioral advertising to protect privacy. The icon also indicates that the consumer can exercise choice about the tracking of his data at the website he is visiting.
If you are doing any marketing on social media in 2011, it is likely that you will want to keep a close eye on legislative developments in the area of privacy. It is likely that Congress will jump into this conversation. The following principles should guide your company’s data collection practices in the coming year:
1– Privacy Policies: Do you have one? If you do not, now is the time to engage legal assistance to help you draft a policy. If you already have a policy, you will want to ensure that its language is comprehensible to the average consumer.
2– Informed Consent: Be sure that consumers have full access to your policy. Consumers should understand how you are aggregating their data before they share information with you on social media or your website. The privacy policy should have a prominent location on your website and be clearly and conspicuously disclosed. A check off box indicating that consumers have agreed to the privacy policy may no longer be sufficient to protect you. In addition, you should simplify the choices consumers make when opting into data sharing. Remember Facebook had to revamp its privacy settings in 2009 when users rebelled against a complicated platform that was difficult to navigate.
3– PII: There is an increasingly blurred distinction between PII and non-PII data. Technology has advanced to the point where even non-PII data can be used to identify individuals, and even when PII has been rendered anonymous, the technology exists to reconstruct the person’s identity. It is advisable to start protecting all data, whether PII or non-PII.
4– Data Collection: What is your data collection policy in social media? What are you asking consumers to share? Think carefully about whether you need all the data you are requesting. Once you have collected the personal data, consider what you are doing with it. How long are you storing the data? Are you safeguarding its privacy? Are you sharing the data with any third parties? If so, is it encrypted and are you sharing only what is absolutely necessary?
5– Transparency: Have you shared details of your data practices with consumers? Are you honoring consumers’ choices? If the data was transferred to you from a third party who did the collection, are you disclosing how you are using consumers’ information once they arrive at your site?
6– Medium Driven Concerns: Are you collecting data through mobile devices? If so, how will you make your disclosures? At a minimum, provide a link to your website, but that may not be sufficient. Think about follow-up texts, assuming the consumer has consented to receive them, that explain why you are directing them to your privacy page. Are you co-marketing with another party? Have you coordinated your data collection policies and privacy disclosures?
7– Sensitive areas: Certain areas require special handling. Any kind of data regarding children, health and medical status, or sexual preference needs extra security. Consider whether you really need this information. If you are retaining such data, create multiple layers of protection. If dealing with children, be sure you are COPPA compliant.
8– Material Changes: The days of quietly changing your privacy policy and relying on a disclaimer that allows changes are over. If you make a material change in your privacy policy, publicize the change. Be sure consumers are informed of the changes and have consented.
9– Security Breach Policies: Have a policy in place for handling security breaches. The policy should outline circumstances for internal notification and notification of third party affiliates, vendors, and users of the secure data. It should require internal tracking of company responses to the security breach and investigative procedures. The policy should also outline how to handle media inquiries. Furthermore, be mindful that some state laws may require notification of consumers, credit bureaus, and state regulators. Even if state law is silent, consider whether it is prudent from both a legal and public relations standpoint to notify local authorities and work with them to contain the breach.
10– Opt-out Mechanism: With “Do Not Track” lurking in the not so distant future, it would be wise to consider implementing a “do not track” option of your own and publicizing it on your social media platforms.
© Kyle-Beth Hilfer, P.C. 2010.