Due in part to a recent series of unfortunate events playing out in the headlines, we’re temporarily disrupting our standard formula of quirky, offbeat marketing advice for the everyman with a bit of solemn self-reflection. We’re asking not what your data can do for marketing, but instead what marketing really ought to do for your data.
1. Don’t be Evil
There's no doubt the laws have some catching up to do, but there are laws. And if you’re in the data game, you should have more than a cursory idea of what they are. In the U.S., the primary legal driver for data protection is the Federal Trade Commission. Specifically, Section 5 of the FTC Act states that "unfair or deceptive acts or practices in or affecting commerce...are...declared unlawful." Basically, don’t be evil.
2. Get Clear Consent
Data doesn't magically make its way into a company's servers; companies actively collect it. In order to do so, they typically get their users' permission first. Which is great, really, keep it up. But! Do users know they gave such permission? Do they know what permissions they gave? Is that even explained? Is it explained clearly? Is it explained in such a way that the companies’ primarily underage users and their parents can understand it? Let’s be honest, probably not. Oh yeah, let's not forget: users should not be able to consent to data collection on behalf of other users, just their own data. The legalese can stay, it’s important, but it’s not there to help the user, the people whose data is being collected - for profit.
Then there’s the buyers: market researchers who collect first-party data to turn it into insights, actionable information for others to use in the pursuit of sales. When a user's data is sold to one of these firms, the user should know about it. Ideally, users should have the ability to dictate who can and cannot buy their data. To opt in and out of firms whose practices do not align with the user's own beliefs.
Then there’s us, the marketers, the companies whose insatiable appetite for insight creates the market for data in the first place. We’re the ones who make this information valuable. Users should have the option to tell us no, shoo, go away, not today Satan (to be clear, we’re not saying all marketing is the work of the devil; this is just an innocent bit of self-deprecating humor).
Take Google, for instance. They’re looking at requiring their advertisers to ask users before implementing targeted ads. Or Facebook’s “Why am I seeing this” button, which, if you didn’t know, lets you see how advertisers targeted their ad at you specifically.
Hot take: users’ data should be anonymous by default. This goes hand in hand with our last point, but it deserves a section of its own. If for no other reason than the last one went a bit long. Protecting users’ privacy is not an easy task, but we’d like to propose two possible solutions.
First, to protect your privacy, it’s standard practice for most websites not to save your actual password; instead, they encrypt your password and save that bit of information. Personal data could be saved in a similar way. It isn’t already, primarily because it’s expensive, but personal data is valuable: even if the price goes up, there will always be demand. Encryption would also provide a way to keep data anonymous but still allow for targeted advertising.
Alternatively, it could be the responsibility of the data buyers, the market researchers who turn a person's perfectly reasonable interest in Bon Jovi into an entire psychographic profile. These companies can make a valuable contribution to the process when they aggregate and, most importantly, anonymize the information. Which, to be fair, is an industry “best practice,” but best practices are, at best, guidelines with little to no regulation. We can do better!
4. Limited Use
Data is useful, and how it’s used matters. Simply telling people how collected data will be used really isn’t enough, though. Putting limits on what data is collected, how it’s used internally, who it’s sold to, and when it expires (oh yeah, and it should expire, we’ll get to that later) builds trust and confidence with users. Collecting first-party data is sensitive business, especially if it’s personally identifiable information (PII).
Essential PII is the information criminals need to open fraudulent bank accounts. The collection of PII is a privacy issue, and if a company doesn't need it for specific transactions with their customers, they shouldn’t be collecting it. They absolutely should not be selling it to others. Anyone collecting data should be clearly explaining why they need it and how they’ll use it. If the data collected isn’t already anonymous, they should be explaining all that to the people whose data they’ve collected.
Time is another reasonable limit to put on data use: how long will the collected data be used? How long is it reasonable for advertisers to remember that one time you uploaded Hollaback Girl to your Myspace page playlist? Tastes change, but as data collection gets more and more sophisticated, it’s possible for our digital profiles to continue to follow us long after they’re meaningful or even useful.
Basically, there should be more of it. How fortuitous it is, then, that we would be publishing this only four days after the EU mandated all companies collecting data from their citizens comply with The General Data Protection Regulation. While companies in the US are only required to comply when collecting data from EU citizens, there are certainly some common-sense regulations marketers can take away from the GDPR, even if they aren’t practicing in the EU. Many of them have already been listed above.
In the U.S., if companies collect or use data in a way users did not consent to, well, in a handful of cases the FTC has prosecuted businesses for the aforementioned unfair or deceptive acts or practices. However, most disputes are settled through class action lawsuits. So who watches the watchmen? As long as the U.S. relies primarily on a system of self-regulation, we’re left to regulate ourselves.
As a community, we must put policies in place, communicate best practices down to the lowest level, and make the whole process auditable, in the hopes that one day we won't be doing this alone.