Effective cross-channel marketing requires data. You need data to respond more quickly to changes in demand patterns, to reduce out-of-stocks, to match product offerings to the right customer, and to improve customer service. Aggregating and integrating all this information, however, is complex and even risky. The numerous data breaches of the past several years have demonstrated the risk and economic cost associated with collecting greater amounts of electronic data.
The complexity results from both state and federal laws. If information is obtained from the issuer of a retailer’s private-label credit card, the Gramm-Leach-Bliley Act comes into play. For example, how is the source of the data designated in a database? Given that the data can be used only in the manner that the financial institution can use the data, there must be some means to designate that in the database.
At the state level, Massachusetts has imposed very detailed data security requirements that must be addressed when storing and transmitting data. These rules, which went into effect on March 1, require implementation of a comprehensive information security program covering access controls, encryption, up-to-date software and patching, firewalls, monitoring of systems, and training. Washington, Minnesota, and Nevada have implemented data security requirements linked to an industry-imposed standard, the Payment Card Industry Data Security Standards (PCI DSS), resulting in a need to continually update compliance measures.
Retailers must also ensure that their use of data is in keeping with the promises that were made when the data was collected. Doing so entails conducting due diligence, monitoring, and contractually controlling the third-party vendors who run the gamut from providers of applications for smartphones to database management suppliers to providers of text-message marketing campaigns.
There must be, from the outset, a privacy professional involved in each aspect of planning who fully understands how the technology will work. Without this knowledge, it is not possible to accurately disclose data uses at the time of collection. There must also be oversight of what will be collected, who will retain and/or own the data (including evaluation of whether the retailer is merely building its vendor’s database), how the data will be stored and secured, due diligence with vendors, and finally, the end of the life cycle of the data—its destruction. It is too difficult to reverse-engineer the process later to implement these privacy protections; they must be built in at the beginning.
As a result of the complexity and the need for greater oversight, "privacy" as an isolated consideration has transitioned to a broader information governance or information risk management in more-progressive companies.
This is all while keeping in mind that privacy is not simply excluding or not collecting data. Rather, privacy is a matter of understanding the desires and boundaries of the retail customer. It means developing trust and having a conversation with the customer through the channels selected by the customer and providing the information the customer wants to hear.
To attain the goals of data security, vendor management, oversight, and trust needed for a cross-channel strategy, an organization need to make privacy an enterprise-wide focus. Policies must be driven from the top. Accountability must be defined, and then processes must be put into place to communicate and implement the policies and to train employees on what is proper and what is not. The enterprise-wide policies should allow for privacy by design, bringing in at the front end of a marketing project all the necessary players, such as marketing, information technology, information security, finance, risk management, and legal.
The shifting regulatory focus
Over the past 5-10 years, data breaches have forced regulators to focus on data security. Recent Federal Trade Commission (FTC) workshops and proposed privacy legislation indicate a shift back to a focus on privacy.
Concerns are being raised relating to new risks to privacy management, the user-generated nature of the Internet, and the transition to ever-expanding marketing through mobile-based communication channels. Regulators and legislators are looking at the need to new requirements concerning, among other aspects, notice and consent and the concept of personally identifiable information and what that includes. At the same time they want to maintain the longstanding privacy principles of fair information practices: notice, choice, access, redress, accountability.
Currently there are more questions than solutions. There is definite chatter that the concept of notice and consent, and particularly privacy policies for the notice, may have outlived their usefulness. The settlement approved by the FTC for asserted deception and unfairness violations by Sears Holdings Management Corp. has provided additional support to question the validity of notice and consent.
The problem with eliminating notice and consent is that no obvious replacement has yet to appear. There are, however, some consistent themes appearing. Regulators believe that privacy policies are too complicated, too vague, and too long for consumers to understand. Further, if there is to be consent, it must be informed consent. As implemented in the Sears consent decree, this requires disclosure of uses of data and whether such data will be shared with third parties in a manner that is clear, conspicuous, and unavoidable when considering size, color contrast, location, and duration, and the notice must be readable and understandable.
The task ahead is how to make disclosures clear and conspicuous when moving from a 17” computer screen to a 2”-4” screen on a smartphone. As important will be how to make disclosures clear and conspicuous prior to a consumer’s downloading an application that collects and uses data about the consumer through the smartphone. Suggestions so far include replacing privacy policies with a nutrition-type disclosure or a recognizable icon to scroll over.
Another approach being discussed is proportionality. This would suggest limiting the amount of data collected to avoid nefarious uses later. Limited collection would mean limited use, limited need for retention, and shorter notices.
Also at issue is the need for policies and notices to consumers to cover all information collected, whether online or offline. Historically it has been possible for retailers to limit privacy policies to only the information collected online. But with the merging of offline and online through cross-channel marketing, regulators are considering whether this still works. This in turn raises the question of how retailers will have meaningful conversations with customers about these issues at their stores. For instance, with the disclosures required for credit, the various state requirements for disclosure on return policies, tax issues, and contract issues such as posting pay-card association logos, there is little space left at the point of sale to disclose anything else. And with all the other disclosures, it is unlikely that customers will read the postings.
The concept of personally identifiable information (PII) compared with nonpersonally identifiable information has garnered regulatory attention as well. There is debate as to whether PII can continue in a world where even anonymous information can be combined with enough other data to link it to e-mail addresses, postal addresses, names, and other information to initiate targeted marketing.
David Vladeck, the director of the Consumer Protection Bureau at the FTC, stated at the recent FTC privacy workshops that the distinction between PII and anonymous information is a thing of the past. As a result, the FTC appears to be moving away from PII and toward requiring disclosures when it appears that anonymous data can be tied to a person or device. This may lead to the possibility of including IP addresses as data that should be included in disclosures.
What this means to you
Marketers should take away four key messages with respect to privacy going forward:
• privacy by design. The Facebook Beacon and Google Buzz implementations are examples of where a company did not consider privacy issues sufficiently before going public with a new function. Privacy groups and legislators insisted that the FTC investigate the privacy gaffes that occurred when these were introduced. This has led to an emphasis by the FTC on privacy by design—in other words, building privacy into the development life cycle at the outset.
• accountability. Someone in the organization must have a 360-degree view across all channels and all brands. Privacy governance models must reflect the new cross-channel world and include understanding the technology being used by the company and its vendors and administering the needed controls.
• data minimization. This has been a longstanding principle, but the business imperative to enhance the economic incentives will turn it into a push/pull conversation. Someone will need to be there to make the correct decisions for the retailer.
• transparency. Keep in mind that the privacy professional will have a different understanding of this term than the marketing professional. The privacy professional’s view is to have policies regarding collection and use visible, clear, and conspicuous. The marketing group’s understanding of transparency translates to making it nonintrusive. Someone must moderate the debate about these differences and apply the risk/reward continuum to the conversation.
All of this means that the “simple” job of privacy compliance is becoming more complex. Not only is there a continuing need to understand and comply with the numerous privacy obligations, but it is now be necessary to build a stronger relationship between marketing and privacy.
With data security their focal point during the past decade, privacy officers worked closely with the information security professionals in their company to protect the confidentiality of data collected. They must now build relationships with additional departments and staffers. Retailers are beginning to recognize that growing the brand through a cross-channel strategy requires that privacy has an important seat at the table. It is the privacy professional who will need to act as the liaison among marketing, finance, compliance, and technology.
Benita Kahn is a partner in the law firm Vorys, Sater, Seymour and Pease and an expert on privacy laws.
