Monday, December 5, 2011

Data privacy and compliance for marketers

Caught between a rock and a hard place

How to navigate customer data and privacy

Last week I was asked to participate in a discussion for the University of Chicago GSB Marketing Forum. The panel consisted of a staff attorney from the FTC, a well-known litigator specializing in direct and interactive marketing litigation, and me. You can imagine my fear! As a lowly marketing gal, how am I ever going to hold my own between the regulators and the litigators?

The discussion went better than I expected, I learned so much from my peers, and I realized that I had nothing to fear. I got to thinking that if I felt this way, many of my marketing counterparts have also felt stuck between a rock and a hard place – between the regulators on the front end and the fear of litigation on the back end. Perhaps my key takeaways below may help you as well.

MARKETING INSIGHTS

As marketers we are sometimes overwhelmed by the dizzying array of rules, both explicit and implied, that govern how we use data in our communications. We can feel stuck between an increasingly interested regulator such as the FTC on one side and the costs and fallout of litigation on the other. That sometimes makes us stick our heads in the sand, or defer to the chief legal counsel in our companies to sort through our risks and obligations. While the door to the legal department may be open, you need to be armed with knowledge before you walk through it, and it is increasingly the role and the obligation of marketers to know what their risks and liabilities are.

Ignorance is not bliss. Knowing what the FTC is watching and monitoring, and knowing what your potential legal exposure is, will enable you to create sustainable and successful multichannel direct response campaigns that stay within the lines and minimize, though never eliminate, your risks.

There is also the hidden cost of noncompliance that must be factored into the equation as it relates to customer value. While fines may be onerous and legal fees may seem high, the costs of customer defection and lost credibility in the marketplace are much, much higher.
Let’s take a look at some 2010 statistics on security breaches. According to the 2010 Symantec/Ponemon cost-of-a-data-breach study, a breach cost an average of $214 per compromised record, and the average total cost per breach topped $7 million. Let’s dig into these numbers further:
1. Data breach costs rose for the fifth year in a row: the average organizational cost of a data breach increased to $7.2 million in 2010, up 7 percent from $6.8 million in 2009, and total breach costs have grown every year since 2006. Breaches in 2010 cost companies an average of $214 per compromised record, up $10 (5 percent) from the prior year.

2. Customer turnover in direct response to breaches remains the main driver of breach costs. Regulatory compliance contributes to lower churn by boosting customer confidence in an organization’s IT security practices. The average abnormal churn rate across all incidents was 4 percent. What would losing 4 percent of your customers cost your organization in lifetime value?

3. The industries with the highest 2010 churn rates remained pharmaceuticals and healthcare (both up a point to 7 percent). The lowest abnormal churn rates were in the public sector (less than 1 percent) and retail (1 percent). The sectors with the highest 2010 average per-record costs were communications ($380), financial services ($353) and pharmaceuticals ($345); the lowest were media ($131), education ($112) and the public sector ($81).

4. Training and awareness programs remain the most popular post-breach remedy, but encryption and other technologies are gaining fast. Training and awareness programs barely held first place, with nearly two-thirds (63 percent) of respondents using them. Expanded use of encryption remained the most popular technology remedy and, at 61 percent, took sole possession of second place.

5. Lastly, the third most costly breach type was one caused by a third-party mistake!

SO WHAT IS A MARKETER TO DO?

The FTC and the litigators actually agreed on these key takeaways, which can help us with data breaches, privacy compliance and potential suits.
Capturing and maintaining “Personal” data
The proliferation of database systems has made memory and storage cheap. We can collect and store vast amounts of information without regard for how we will use it or the risks involved. It is like the basement of your house: you can keep throwing stuff down there, but sooner or later it gets cluttered and you no longer know what you have or where it is. Then one day you have a flood and you have to face the cleanup and the damage. Don’t let this happen to your customer data. This includes transaction history (behavioral data) as well as marketing data.

In addition, not all customer data is alike. Your first step is to inventory what types of data you have stored and what your goals are for that information. Once you have that figured out, establish guidelines for eliminating sensitive information you have no use for, for archiving data, and for protecting what is sensitive and critical.
Providing Choice
Providing customer choice about channel preference and data collection is paramount, and so is complete transparency about what you plan to do with their data. That does not mean burying it in the small print at the bottom of your privacy policy, or hiding it in your disclosure statements just to meet regulations. Choice is a fundamental pillar of customer and prospect relationship management, and it can be a marketing, branding and public relations tool that builds credibility and trust. Instead of treating disclosure as a compliance-only issue, think of the marketing benefits you can achieve through greater trust and transparency with your audience.

Maintaining choice across channels, divisions, countries
The proliferation of marketing and media channels has made it a challenge to obtain and manage multiple opt-out choices by medium and by country. As we know, U.S. law tends to be much more forgiving with regard to opt-in/opt-out and data capture. Rules and laws vary around the world and change over time, and it is our obligation to know them. There are qualified legal firms that spend enormous amounts of time keeping up with the changing landscape, and they can help you understand the legal requirements for your marketing campaigns.

In addition, the rules differ for email, mobile and web. You must figure out ways to ask for, capture and respect channel preference and choice for your customers and audience. If you cannot build the technology or database logic to capture opt-in information that varies by channel, then I recommend taking a very conservative approach. Something marketers hate to hear, but may have to consider, is treating anyone who opts out of any channel as a universal opt-out until you can capture, control and manage individual channel, country and/or communication preferences.
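As an added illustration of the conservative fallback described above (this is example code written for this page, not part of the original post or of any vendor's product): a small preference store that decides whether a customer may be contacted on a given channel and fails closed whenever it lacks a recorded, positive reason to contact them. The country policy table, the channel list and the sample customers are constructed assumptions for the example, not statements of any country's actual law; verify the real rules with counsel.

```python
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    EMAIL = "email"
    SMS = "sms"
    POSTAL = "postal"


# Hypothetical policy table (an assumption for this example, not legal advice):
# True  -> treated as an opt-in country: affirmative consent is required before contact.
# False -> treated as an opt-out country: contact is allowed until the person says no.
# Countries missing from the table are unknown and fail closed.
OPT_IN_REQUIRED = {"US": False, "DE": True, "CA": True}


@dataclass
class PreferenceStore:
    """Contact choices keyed by (customer_id, channel): True = opted in, False = opted out."""
    granular: bool                      # can the system capture per-channel choices at all?
    choices: dict = field(default_factory=dict)

    def record(self, customer_id: str, channel: Channel, opted_in: bool) -> None:
        self.choices[(customer_id, channel)] = opted_in

    def _any_opt_out(self, customer_id: str) -> bool:
        return any(not v for (cid, _), v in self.choices.items() if cid == customer_id)

    def can_contact(self, customer_id: str, channel: Channel, country: str) -> bool:
        """Fail closed: every branch without a positive, recorded reason to contact returns False."""
        if country not in OPT_IN_REQUIRED:
            return False                              # unknown jurisdiction: do not guess
        if not self.granular and self._any_opt_out(customer_id):
            return False                              # universal opt-out until choices are per-channel
        choice = self.choices.get((customer_id, channel))
        if choice is None:
            return not OPT_IN_REQUIRED[country]       # no record: only opt-out countries allow contact
        return choice                                 # explicit choice on this channel wins


def build_audience(store: PreferenceStore, customers, channel: Channel) -> list:
    """customers is a list of (customer_id, country); return the ids we may contact on channel."""
    return [cid for cid, country in customers if store.can_contact(cid, channel, country)]


if __name__ == "__main__":
    # Constructed sample data for the example.
    customers = [("c1", "US"), ("c2", "US"), ("c3", "DE"), ("c4", "DE"), ("c5", "BR")]
    store = PreferenceStore(granular=False)
    store.record("c1", Channel.SMS, False)    # c1 said no to SMS only
    store.record("c3", Channel.EMAIL, True)   # c3 affirmatively opted in to email
    print("non-granular:", build_audience(store, customers, Channel.EMAIL))  # c1 suppressed everywhere
    store.granular = True
    print("granular:    ", build_audience(store, customers, Channel.EMAIL))  # c1 back on email
```

With `granular=False`, c1's SMS opt-out suppresses c1 on every channel, which is the universal opt-out rule from the paragraph above. Once the system can hold per-channel choices (`granular=True`) the same opt-out applies only to SMS, while c4 (an opt-in country with no recorded consent) and c5 (a country not in the policy table) stay suppressed in both modes.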

Self regulation
The DMA has been trying to beef up the self-regulation aspect of compliance among its members in the direct and interactive industry, and it uses the FTC as the bogeyman to scare companies into adopting its self-regulation standards. The implication is that if we do not comply and keep our own house in order, the FTC will step in, over-regulate us, take away our commercial rights and mandate it. So, does the FTC actually have a bazooka, and can they use it? According to the FTC, they want the industry to self-regulate and would prefer to focus their efforts on going after the true offenders. The FTC spends a large percentage of its time on awareness and education, and its primary mission is to protect consumers and businesses.

Check out www.business.ftc.gov for some outstanding and helpful information from the FTC on privacy and protecting personal information for businesses. The FTC believes that most people want to do the right thing and are trying hard to comply with the regulations. They feel their enforcement efforts should be focused on getting “the real bad guys”, so if we self-regulate, we are in better shape.

SOME FINAL TAKEAWAYS

1. Make legal counsel your friend

2. Understand the regulatory environment

3. Be transparent all the time with your audiences – what do you have to hide?

4. Work with your teams on capturing choice options across countries, media and products

5. Audit your databases and work with your IT and database teams to establish parameters for data capture, hygiene and archiving

6. Clean out your basement – use it, justify keeping it, or get rid of it securely

While privacy and compliance will continue to be a very important debate in the halls of Congress, they should also be part of every company’s strategic plan. This is no longer the purview of only the legal or IT department; it is now firmly on the agenda of every CEO.

If you want to have a seat at the strategy table of your company, then becoming the expert in this area could add to your credentials and make you an even more valuable member of the leadership team.

In the end, we as marketers are not between a rock and a hard place, we may actually be in the driver’s seat.