On May 25, 2018, the General Data Privacy Regulation (GDPR) took effect. Some companies ignored it and now need to know how to proceed. Others worked quickly to come into compliance with GDPR's stringent rules about data collection and privacy; those companies are now finding ways to benefit from their status as GDPR-compliant. Whichever group you're in, you might be wondering how GDPR has changed our industry.
Don't miss a MarketingProfs podcast, subscribe to our free newsletter!
I invited Lisa Loftis, principal in the customer intelligence group at analytics software company SAS, to Marketing Smarts to talk about how GDPR has affected marketers.
We discuss whether the European Union has taken any enforcement action against U.S. companies so far, and what you need to be doing now to avoid problems.
Here are just a few highlights from our conversation:
Trigger emails might (or might not) be legal depending on whether they're considered a "legitimate use" of consumer data (03:45): "The jury's actually out on behaviorally triggered emails. There has been some guidance issued by the regulatory authorities themselves and by organizations very specific to marketing, like the Direct Marketing Association and the AMA. In both cases, the DMA and the AMA say that it's 'unlikely' marketers' triggering offers would come into play here. But they all caveat that advice with the admonition that it's really going to fall under 'legitimate use.' In other words, does the company have to do those things and collect the information to do that in order to deliver their products or services; so, there's a significant hedge here."
So far, enforcement action has focused on disclosure, rather than collection and use of data (04:45): "There haven't been too many enforcement issues yet from GDPR, but there are a few. One, in particular, is very high-profile and is against a US company—Google. The largest fine that's been levied under GDPR so far is against Google, and it's $57 million for not properly disclosing to users how data is collected across its services, including Google search, Google Maps, and YouTube. It seems as though the regulators initially are going to be focused more on disclosure and consent, rather than marketers' using that information to send solicitations."
Be transparent about any data breach and its potential impact (16:08): "I've been talking primarily about how data is collected and used, and what consumers know and have control over about that. But the other side of the GDPR and the potential bills up for debate in the US right now is what companies do from a breach perspective. the GDPR actually has a pretty stringent notification time frame. I think it's something like 72 hours.... As part of that notification they're asking companies to also say what is the potential impact, what type of information is out there, and what is the company going to do about it. That has to be something that is palatable to consumers.
"If you think about a breach that happened within the past year, the Equifax data breach, and how their initial response was, 'You can get this Trusted ID protection,' but when users went out to get that protection, they saw that it roped them into a corner with regard to any other action they might be able to take against Equifax. Eventually, Equifax had to change that. That's a pretty good indicator of what companies are going to have to do. Their behavior and their reactions are going to have to be more ethical than they have in the past. The expectations of consumers today are going to continue to increase."
If you've been waiting to see whether GDPR would actually be enforced, stop waiting (19:30): "Adopting a 'wait and see' attitude is such a serious, serious mistake. There are such significant bottom-line impacts that are going to happen because of these privacy laws, whether they come from GDPR fines or they come from actions that happen within the US.
"The FTC is investigating Facebook right now as to whether they violated their 2011 consent degree in terms of how data was collected and how it's being used and what they're doing from an ad targeting perspective, and those fines could be in the billions of dollars. And if you look at Facebook stock, that stock price was as high as $214 at one point last year. It went as low as $145. Today it's at $166. So their stock has taken a significant decline because of the continued negative publicity that they've had from mid-March last year when the Cambridge Analytica scandal surfaced through to today."
Engaged customers are more likely to opt in to letting you use their data (21:14): "Take what could be our biggest liability as marketers and turn it into our biggest strength. marketers could look at their customer experience initiatives and the analytics that fuel those initiatives and double-down on those. Because happy customers and engaged customers and customers that feel like they are known by the companies that they do business with are the customers that are most likely to give you feedback—positive and negative—as to how your initiatives are actually registering with them.... And they're the customers that are going to be the least likely to exercise those rights to say 'don't analyze me,' 'don't solicit me,' or, in the worst case, to say 'delete all the data you have about me.'
Include a human in the analytics process to make sure you're not being creepy (22:19) "Determine exactly what's happening with the personal information that's being collected. How many marketers could actually say, 'This is what we collect and this is exactly how we use it.' So...a change in the marketing analytics function in general is to start understanding that: To be able to say 'these are the analyses we're doing with this personal information and this is why we're doing this type of analytics, and most importantly, this is the value that it brings to you as a consumer.'
"That's a process change, it might be a technology change, and it's probably a change in mindset and thinking.... If you are running marketing analytics, there ought to be a step in that process where a human looks at it and applies the 'creepy or cool test': 'How would our customers react to this?'"
To learn more, visit SAS.com and be sure to follow Lisa on Twitter: @lisamloftis.
Lisa and I talked about so much more, including legal requirements vs. ethical standards, so be sure to listen to the entire show, which you can do above, or download the mp3 and listen at your convenience. Of course, you can also subscribe to the Marketing Smarts podcast in iTunes or via RSS and never miss an episode!
This episode brought to you by MarketingProfs PRO:
A MarketingProfs PRO subscription is the ultimate training program to ensure you're prepared for every stage of the marketing campaign cycle. Learn the skills to drive results from your campaigns, every single time.
Music credit: Noam Weinstein.
CCPA and GDPR Resources on MarketingProfs
- CCPA Is Here, But Not Enough Marketers Are Paying Attention
- 10 Steps Marketers Can Take to Prepare for 'California's GDPR'
- GDPR vs. CCPA: Data Privacy and US Marketers [Infographic]
- CCPA: Questions of Privacy, Compliance, and Enforcement
- What You Need to Know About GDPR and Data Privacy: Lisa Loftis of SAS [Podcast]
- GDPR Is Already Here: A Simple Marketing Guide for Compliance
- What CMOs Need to Know About the Looming General Data Protection Regulation (GDPR)
- A Marketer's Checklist: Are You Ready for GDPR Compliance? [Infographic]
- What Is GDPR, and How Can It Impact Your Business? [Infographic]
- Are You Ready for GDPR? [Infographic]
...sign up for free to continue reading
Don't miss a MarketingProfs podcast, subscribe to our free newsletter!
Published on February 28, 2019