The content provided on this website is for general information purposes only and does not constitute legal advice or an opinion of any kind. Data privacy best practices and regulations are ever-changing and we always recommend consulting with a lawyer for professional advice.


There is increasing concern around privacy as laws and regulations become stricter. New regulations are being introduced across the world, e.g. GDPR, CCPA, PIPEDA and LGPD, with further regulations on their way, so it’s best to future-proof your business and marketing strategy in order to avoid fines and issues.

So, how can you make sure you avoid the issues? Every regulation has different requirements for compliance, but here are some key areas of consideration when it comes to data privacy and management.

1. Know what regulations apply to you

There is no single regulation that covers it all. Every region has its own. Some are opt-in, some are opt-out. It is important to know which regulations apply to you and your business. GDPR and CCPA are among the most notable and strictest. Even if you do not fall under any of these regulations, it is generally good practice to still follow the steps below to ensure clean and responsible data handling processes and to future-proof your processes in case new regulations roll out.

2. Understand what personal data is and know what you are doing with it

Personal information and personal data are generally treated similarly. Both refer to information that identifies, or is capable of being associated with, an individual or a household. Personal information extends well beyond the obvious names and emails. The following categories can be defined:

  • Identifiers – the most standard personal information out there: names, contact information, etc.
  • Email addresses and any associated engagement data – what you use for your email marketing, Google remarketing, or general client communication
  • Hotel data and commercial info – the data you retain after you provide your services
  • All engagement data, such as Google Analytics data
  • Inferences drawn from personal information – any profiles created, or anything that uses the data you collected to derive additional data
  • Specialized personal data, such as biometric and health information

You must account for and map out all personal data your business is collecting, storing and handling. Data mapping is a vital step in compliance with most regulations. It is the process of creating a map of how data is collected, stored, used and processed within and beyond the organization, including how it is handled by third-party vendors. It can be done manually or via a data mapping platform. It gives you more control over data and makes it easier to comply with user data requests. It also helps ensure the data is being stored securely and minimizes the risk of a breach.

3. Keep tabs on third party platforms

Oftentimes businesses use third party platforms to collect and process user data on their behalf. Under some regulations, the business is liable for the data collected, stored or handled on its behalf by these third parties. You have to make sure your data mapping covers that data, that you know what that data is and where it lives, and that you are able to access it. Some marketing examples follow:

Advertising

Paid advertising platforms use cookies, remarketing tags and pixels to collect user data to serve personalized ads or retarget users. This data about a person’s online activity falls under personal information (PI) in most privacy regulations, and use of ad platforms constitutes sharing or selling data. Paid advertising platforms act as third party service providers for advertisers, therefore advertisers must ensure they are compliant when using these platforms. In order to ensure compliance, cookies must be set up in accordance with the regulation. In addition, if a user makes a request to view or delete their information, that request must be addressed. Note that not every platform provides an option to view/delete PI; however, most have a restricted data processing setting in place for California residents for CCPA compliance, allowing you to restrict the collection of personally identifiable information in the first place.

Website Analytics

Engagement data stored in web analytics platforms (e.g. Google Analytics) falls under PI in most privacy regulations. The most popular platform, Google Analytics, assigns an ID to every user and collects information that could be identified with a specific user or household. In order to ensure your Google Analytics is compliant, the Google Analytics cookies must be set up in accordance with the regulation. In addition, if a user makes a request to view/delete their PI, you will need that user’s Google Analytics ID to retrieve it via the Google Analytics API or the Google Analytics User Explorer report. Other web platforms might have similar systems in place.

Email

Email marketing and email address handling are also subject to all major privacy regulations. Processing of email addresses is only allowed if the data subject has consented (GDPR), has been notified about the collection and its purposes and been given a transparent opt-out option (CCPA), or if there is another legal basis. Most email platforms are well equipped to handle data access and deletion requests.

4. Review your website for compliance

Cookies

Make sure you are complying with cookie tracking regulations, as cookies can make your business liable under privacy regulations. Cookies are a widely used tracking technology for websites. Some cookies are necessary for the website’s core functions; others are non-essential, serving analytical and marketing purposes. Regulations may require users to opt in before non-essential cookies are enabled (GDPR), or to be shown a notice of cookies and data collection together with a transparent opt-out option (CCPA). Make sure your settings are in order, either manually via Google Tag Manager or using a third party cookie consent provider.
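The opt-in versus opt-out distinction above is easiest to see in code. The following is an added illustration, not Wallop’s code or any tag manager’s API: a small consent gate that decides which tags may run under a GDPR-style opt-in regime (nothing non-essential runs until the visitor agrees) and a CCPA-style opt-out regime (non-essential tags run by default but must stop, and their cookies be removed, once the visitor opts out). The category names, tag names and cookie names (`_ga`, `_fbp`, `session`) are constructed sample values; the `load()` callbacks stand in for real tag-manager triggers, and the cookie jar is a plain object so the whole thing runs under Node without a browser.

```javascript
// Added example: consent-gated tag loading for opt-in (GDPR-style) and
// opt-out (CCPA-style) regimes. Not the code of the post's author or of
// any tag manager; names and values are constructed for illustration.

const CATEGORIES = Object.freeze(["necessary", "analytics", "marketing"]);

// Constructed mapping of cookie name -> category, used when purging after an opt-out.
const COOKIE_CATEGORY = Object.freeze({ session: "necessary", _ga: "analytics", _fbp: "marketing" });

// Build the initial consent state for a regime. Necessary cookies never need
// consent; every other category starts denied under opt-in and granted under opt-out.
function createConsent(regime) {
  if (regime !== "opt-in" && regime !== "opt-out") {
    throw new Error("regime must be 'opt-in' or 'opt-out'");
  }
  const granted = { necessary: true };
  for (const c of CATEGORIES) {
    if (c !== "necessary") granted[c] = regime === "opt-out";
  }
  return { regime, granted };
}

// Record the visitor's choice for one category. "necessary" cannot be withdrawn.
function setConsent(consent, category, allowed) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  if (category === "necessary") return consent;
  consent.granted[category] = Boolean(allowed);
  return consent;
}

function isAllowed(consent, category) {
  return consent.granted[category] === true;
}

// Run every tag whose category is currently allowed; report both outcomes so the
// decision can be logged as evidence of compliance. Tag shape: { name, category, load }.
function applyTags(consent, tags) {
  const loaded = [];
  const blocked = [];
  for (const tag of tags) {
    if (isAllowed(consent, tag.category)) {
      tag.load();
      loaded.push(tag.name);
    } else {
      blocked.push(tag.name);
    }
  }
  return { loaded, blocked };
}

// After a withdrawal of consent, delete cookies whose category is no longer allowed.
// Blocking future tag loads is not enough: already-set cookies would keep tracking.
function purgeRevoked(consent, cookieJar, cookieCategory) {
  const removed = [];
  for (const name of Object.keys(cookieJar)) {
    const category = cookieCategory[name];
    if (category && !isAllowed(consent, category)) {
      delete cookieJar[name];
      removed.push(name);
    }
  }
  return removed;
}

// Constructed sample tags mirroring the post's examples: a session cookie,
// an analytics tag and an advertising pixel, each writing one cookie when loaded.
function sampleTags(cookieJar) {
  return [
    { name: "session", category: "necessary", load: () => { cookieJar.session = "abc123"; } },
    { name: "analytics", category: "analytics", load: () => { cookieJar._ga = "GA1.2.111.222"; } },
    { name: "ad-pixel", category: "marketing", load: () => { cookieJar._fbp = "fb.1.333"; } },
  ];
}

// Walk both regimes end to end and return every intermediate result for inspection.
function demo() {
  const gdprJar = {};
  const gdpr = createConsent("opt-in");
  const before = applyTags(gdpr, sampleTags(gdprJar));   // only "session" may load
  setConsent(gdpr, "analytics", true);                   // visitor accepts analytics only
  const after = applyTags(gdpr, sampleTags(gdprJar));    // analytics loads, ad-pixel still blocked

  const ccpaJar = {};
  const ccpa = createConsent("opt-out");
  const defaults = applyTags(ccpa, sampleTags(ccpaJar)); // everything loads by default
  setConsent(ccpa, "marketing", false);                  // "do not sell" style opt-out
  const removed = purgeRevoked(ccpa, ccpaJar, COOKIE_CATEGORY); // drops _fbp
  const afterOptOut = applyTags(ccpa, sampleTags(ccpaJar));     // ad-pixel now blocked

  return { before, after, defaults, removed, afterOptOut, gdprJar, ccpaJar };
}
```

The point of `purgeRevoked` is the edge case that manual tag-manager setups most often miss: under an opt-out regime the marketing cookie has already been written by the time the visitor declines, so the gate has to remove it as well as stop future loads. A real deployment would persist the consent record (with a timestamp) so it can be produced if the choice is ever questioned.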

Speak to your Wallop Strategist or Project Manager for more on this, or speak to our Director of Sales, Linda Rohrer.

Privacy policy

Make sure your privacy policy is up to date. Data regulations often require you to disclose the type of data being collected, and how and why it is collected, and to link to the policy from all points of data collection, e.g. a cookie banner or email collection box. Some regulations require additional information to be included, for example a reference to the option to request removal of data (CCPA).

5. Bigger picture

Privacy Management Software

Handling all of the above manually can be very complicated. It is best to consult with a legal practitioner to avoid all liability. In addition, there are multiple privacy management software solutions designed to help companies comply with privacy regulations. These services usually cover data mapping, data handling workflow automation, and the technical aspects of compliance and liability. Some examples are OneTrust, CookieBot, TrustArc, Quantcast and Secure Privacy.

Risks and Penalties

One thing regulations have in common is compliance enforcement. A failure to comply with opt-in/opt-out requirements, act on users’ requests, maintain a compliant privacy policy, properly configure cookies, or protect data from breaches can lead to high fines and reputational damage. Penalties vary per regulation, e.g. up to $7,500 per violation for CCPA or up to 4% of annual global turnover for GDPR. These can turn into hefty penalties if a mass breach or multiple complaints take place. It is best to invest time and resources into this to safeguard your business from these risks.


All in all, we are moving to a user-centric world, where user data is respected and guarded. This will mean more and more changes to how we do, well, almost everything online. So, while we’ll continue to watch this space, we encourage you to consult a legal professional for the latest in privacy compliance.