Marketing Data Protection and Privacy Guidance

Transcription

1 Marketing Data Protection and Privacy Guidance An international compliance guide for UK companies April 2013 Version 2.3 Steve Henderson

2 Contents Introduction Marketing Regulations... 4 Why you need an international view of consent, privacy and data protection... 5 Why you need a defensive approach to consent, privacy and data protection... 6 Guidelines for international marketing data protection and privacy compliance... 7 Summary and Takeaways... 8 Glossary... 9 Further Reading and Useful Links

3 Introduction In the UK, across the EU and further afield, data protection and privacy laws are changing rapidly to keep pace with emerging technology and the way that we share and use our data online. Every campaign you send has the potential to cross international boundaries and there is growing international co-operation and enforcement, so we need to look beyond the UK to ensure our campaigns are compliant. This guide is intended to be a starting point to help companies achieve basic legal compliance with existing and emerging data protection and privacy regulations. and digital marketing is subject to a number of different acts, regulations and codes beyond the scope of this document. For advice in these matters and to discuss any questions raised by this guide you should consult your legal adviser. 3

4 Marketing Regulations Proposed changes to EU data protection regulations, if implemented and enforced, will result in stronger permission and privacy standards with increased financial penalties for non-compliance and easier access to compensation claims for claimants. The proposals mean that data protection and privacy will become a priority for all companies who rely on sending digital communications to customers and prospects in order to generate sales and support their business. UK companies should make themselves aware of the proposed EU changes and review current practices to ensure compliance with regulations outside of both the UK and the EU. EU Data Protection Regulations The proposed changes to EU Data Protection Regulations are designed to improve trust between consumers and businesses in order to improve trade. They build on existing regulations with the following changes: Cross-border (international) spam enforcement Consolidation and simplification of rules making rights easier to understand, bringing together privacy and data-protection Application of the marketing transparency, simplicity and choice requirements to all types of digital information processing Strengthening of rules and closing of loopholes which have been abused Stronger enforcement and easier access to compensation claims At the time of writing, the two most contentious proposals ar 1. Permission rules which require data processors (companies) to obtain permission to use personal data for anything which is not expected or required by the data subject (customer) 2. To classify IP address as personal data Highligh These proposals will not have a big impact on most businesses: Under current UK Data Protection regulations you can only collect, store, and use data for the purpose for which it is intended; and current privacy regulations say that you should obtain permission before using data for marketing, processing or profiling. The majority of UK companies will already doing most of this. 4

5 Why you need an international view of consent, privacy and data protection Multinational campaigns campaigns sent to a consumer or business mailing list may involve international ISPs and organisations or recipients that are located outside of the target country. UK-based recipients may use a US-based provider, may work for a company with offices outside of the UK and may travel outside of the UK and still pick up . Almost every campaign is a multinational campaign and may be subject to international regulations. Every country is different but standards are converging In the US, CAN-SPAM permits a range of digital marketing processes which do not require explicit, opt-in consent. In the UK, despite having higher permission and data-protection standards than CAN SPAM, self-regulation with a soft-touch approach to enforcement means that and digital marketing often uses implied consent or is opt-out. Ireland, Germany, France, Spain, Italy and the Scandinavian countries all have different specific rules, regulations and required standards. Across the EU there is even more variation. Further afield, for marketers in the US, Canada s CASL is a genuine game changer. Canadian permission standards are similar to current EU standards, but grant easier access to damages. The Canadian regulators have a team of people responsible for identifying abuse and have reportedly set up their own net of spam traps. Highligh International Data Protection and Privacy rules are going to be in a state of flux for a number of years. Even if you could map out every regulation for every country you knew you were going to reach, pass through or send to, the information would soon be out of date. Instead, marketers should understand that while each country has unique implementation and enforcement rules, the concepts of Data Protection and Privacy are universal. A customer-focused view of customer privacy, data protection, choice, consent and transparency will fulfil the guiding principles behind almost all of these new and existing laws. 5

6 Why you need a defensive approach to consent, privacy and data protection Damages and financial penalties for non-compliance The proposed EU regulation changes clarify, simplify and consolidate existing rules; but also introduce a requirement for stronger enforcement. Companies in the UK are accustomed to operating in a largely self-regulating industry. This is already changing: the ICO recently fined one set of UK spammers almost 500,000 and another 90,000. However, potentially the biggest risk to most companies will be professional or opportunistic claimants seeking out websites and companies which have sign-up and marketing processes which are unclear, ambiguous or inadequate. UK companies need to refocus; instead of looking at what is necessary to fulfil consumers' rights, you need to look at processes that prove that you have obtained consent, so that opportunistic claims can be quashed immediately. International co-operation and cross-border enforcement International borders mostly protect companies from legal and financial claims, but this is changing. US companies are already being levied financial penalties in Canadian courts which US states are upholding and enforcing. There is now a joint EU-APEC (Asia-Pacific Economic Cooperation group) committee to facilitate data protection compliance for international businesses operating in the EU and the APEC region and country-by-country, region-by-region, data protection and privacy is becoming universally expected and enforced. The proposed EU regulation changes introduce a requirement for member countries to implement simple and effective cross-border enforcement. Highligh Basic legal compliance is your priority, but once this has been achieved look at ways to simplify your wording and sign-up processes and put in place a simple process to record and prove that consent has been obtained. 6

7 Guidelines for international marketing data protection and privacy compliance Simple first steps If you focus on privacy, data protection, choice and transparency for your customers and subscribers then you will be adhering to the principles behind almost all existing, new and proposed UK, EU and international data protection and privacy legislation, rules and standards. Consider these simple, small steps. 1. Review your data collection processes: What data do you collect, where and how do you collect that data? What are the circumstances leading up to the data collection and the supporting wording which you show to your customers? What expectations do the above create from the perspective of the customer? 2. Review your data storage and usag How do you use that data initially? What data do you choose to store after you have initially used it, how do you store that data and how do you use that data at a later date? Considering the expectations set, consider whether it is appropriate and necessary for you to do the above and question whether what you currently do would fit in with what your customers expect of you 3. If there is anything which would not be clearly expected by your customers, inform your customers what you are doing and why it benefits them. Wherever possible, use simple language, educate your customers and give them choices Next steps Once you understand your own data collection and storage processes and are confident that you have covered the basics consider the following suggestions: When you create an account or someone subscribes, make it clear at that time why you collect certain pieces of information and explain why it benefits the customer, providing a link to a more detailed section in the privacy policy In your privacy policy include additional detail of what data you collect, how it is stored, how it is used to benefit your customers and what their options are for querying, amending and deleting their data. While this should be more detailed, the language should still be simple, avoiding jargon 7

8 Provide a variety of contact methods, ideally including a postal address, telephone number and an address which is monitored Allow people to purchase without creating an account - but give your customers compelling reasons to create an account by explaining the benefits of having an account with you Provide customers with 'the right to be forgotten' by allow customers to delete/obfuscate (replace their customer details with dummy data) their account history - but give them reasons NOT to do this Give your customers a choice to NOT be tracked, recorded and profiled. But give them compelling reasons why trusting you with their data is a good thing for them to do Highligh A customer-focused view of customer privacy, data protection, choice, consent and transparency will fulfil the guiding principles behind almost all of these new and existing laws. Sell the benefits of what you do rather than trying to hide behind complicated signup processes and unreadable privacy policies. Summary and Takeaways Every marketing campaign has the potential to cross international boundaries, so an international view of privacy and data protection is needed By focussing on customer privacy, data protection, choice (consent) and transparency you fulfil the guiding principles behind almost all of these new laws You should guide your customers towards informed consent with simple information Informed consent should be obtained for any types of data 'processing' which is not strictly necessary or expected by the customer That consent should be recorded in a way that you can easily retrieve to prove that consent was provided and was 'informed 8

9 Glossary Term Definition Data Subject Data owner Data user Data controller Data processor Personal data Third Party Advertisers A living individual who is the subject of personal data. An organisation responsible for the collection, storage and maintenance of address and personal data. An organisation that uses data either its own data or data from other sources for any direct-marketing purpose. A person or organisation that, either alone or jointly, decides how and why any personal data is to be processed. List brokers/managers come under this definition. A person who collects, stores, or deals with personal data on behalf of a data owner or data controller. Information from which a living individual can be identified either on its own or combined with other information which is in the possession of, or is likely to come into the possession of, the data controller. A person or organisation that uses rented data for direct marketing. 9

10 Further Reading and Useful Links ICO guidance on the Data Protection Act 1998 and the PECR 2003: Data Protection Ac Privacy & Electronic Communications Regulations 2003: Consumer Protection (Distance Selling) 2000 regulations: Guide to Businesses on Distance Selling 13BE20F010 Office of Fair Trading Guide Distance Selling Explained: Committee of Advertising Practice Cod DMA advice on cookies and their usag ICO guide to the collection and use of personal data onlin on/detailed_specialist_guides/personal_information_online_cop.ashx This guide is intended to be a starting point to help companies achieve basic legal compliance with existing and emerging data protection and privacy regulations. and digital marketing is subject to a number of different acts, regulations and codes beyond the scope of this document. For advice in these matters and to discuss any questions raised by this guide you should consult your legal adviser. 10