
Marketers and brands have officially rolled into the first full business week of 2020. And if their concerns over customer data privacy practices from reports last year are any indication, data privacy should be top of mind again.

For instance, PwC reported in its Top Policy Trends 2020: Data privacy report that 69% of respondents are “very actively” looking to shape data privacy policies. With that in mind, we reached out to privacy experts to discuss best practices for crafting a strong data privacy program.

Recognize Influencers in Privacy

The first step may be not only getting intimate with existing privacy laws like the General Data Protection Regulation (GDPR) in the EU or just-enacted laws like the California Consumer Protection Act (CCPA, put into effect Jan. 1), but also recognizing other key influencers in data privacy, according to the PwC report.

In addition to citing the EU (because of GDPR) and California (because of CCPA), PwC researchers reported the following influencers that should also be on brands’ radars:

  • State attorneys general: The top law enforcement official in each state in the US will likely have a bigger impact on privacy law enforcement this year than any federal agency, according to PwC. Privacy laws in 18 states and Puerto Rico were pending in 2019. Google and YouTube had to pay New York $34 million for violating the Children’s Online Privacy Protection Act (COPPA). It was part of a $170 million national settlement.
  • Congress: The US Congress is not sitting idle. PwC noted the Senate Commerce Committee’s Chairman Roger Wicker (R-MS) and Ranking Member Maria Cantwell (D-WA) have been working on legislation since last fall, and Senate Banking Committee Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) have been drafting their own version of privacy legislation. Representatives Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) in November introduced the Online Privacy Act of 2019 (HR 4978) in order to create an independent federal agency to enforce privacy protections and investigate abuses.
  • Business advocates of federal privacy law: PwC cited business leaders and groups such as The Business Roundtable’s 2020 American innovation agenda and Apple CEO Tim Cook as some of the leading voices in pushing for unified privacy laws in the US.
  • Citizen advocates: PwC researchers remind brands that even private citizens can be powerful influencers in the world of data privacy. Alastair Mactaggart, Rick Arney and Ashkan Soltani spoke up with concerns in California about businesses being able to make “increasingly precise guesses about what you wanted, what you feared, and what you might do next.” That led to a state ballot initiative and ultimately played a part in the drafting of the CCPA.

Invest in Data Discovery, Tagging

As organizations are thinking about implementing a privacy program in 2020, the first problem they face is data discovery, according to Satyen Sangani, CEO of Alation. They need to understand the data they have and which data contains sensitive or personally identifiable information, he added. Further, brands need to appropriately tag their data for compliance with internal policies and regulations.  

Get Strong Handle on Privacy Requests

A big part of laws like GDPR and CCPA is putting power in consumers’ hands to make requests related to the use of their data. With CCPA, for instance, California consumers can now request access to their data, request to delete their data and ask you to “not sell” their data.

With this in mind, make sure your business has the infrastructure in place now to support and manage the scale of consumer privacy requests that can flood in with the CCPA, according to Daniel Barber, CEO and co-founder of DataGrail. “Human error is another enormous challenge facing companies when processing privacy requests,” Barber said.

Manage Customer Data Requests in Multiple Systems

Marketers must also be aware of respecting customer preference requests across multiple systems. It’s inevitable marketers will be dealing with multiple marketing technologies. They average close to 100 marketing clouds, according to the Chief Marketing Technologist blog.

If a consumer unsubscribes from a promotional email, do they still receive a customer experience survey? “Consumers don’t recognize the messages as originating from two different systems — rather just that Brand X isn’t respecting their preferences,” Barber said. Marketers must have a solution in place that integrates all end-user-facing systems, so when a preference change is made, it takes effect throughout the entire company, he added.

Create a Culture of Privacy Awareness

A large aspect of building and managing a privacy program successfully is first creating a culture of privacy awareness, according to Mark Kahn, general counsel for Segment. “A powerful way to do this,” he said, “is by connecting privacy to the organization's existing values and where possible, making it a natural fit.”

Part of building this culture is having an internal champion of all things privacy. This will keep the organization accountable, Kahn said, adding, “You can set the foundation for awareness by establishing a privacy program lead, who can define some guiding principles. It’s important that the executive team is also involved and should ultimately sign off on these principles.”

Also, independent of laws, you need to take a hard look at your practices, Kahn added. Only focusing on legal compliance, he said, may result in you missing the big picture. It is important to develop relationships with teams throughout the organization: HR, support, engineering, marketing, etc.

Build Out a ‘Privacy Program Multi-Quarter Roadmap’ 

Companies should expect a federal privacy law will be enacted. Therefore, a privacy multi-quarter roadmap is a good step to ensure companies are on track, Kahn said. “Start by looking at the privacy laws in the jurisdictions where you have a physical presence, and then where your customers are and focus on those,” he said. “Then you can build out your roadmap from there. Privacy, like many initiatives in startups, is a journey. Achieving 100% compliance doesn’t happen in a quarter, and it’s something that companies should constantly strive for and evaluate.” 

Say What You Do; Do What You Say

One of GDPR’s principles is data minimization, so it's crucial that any data companies process and collect is directly tied to business reasons, according to Kahn. If you can’t explain why you have certain data, then you probably shouldn’t have it. “Setting retention limits on that data is another best practice,” he said. “Additionally, companies should follow privacy-by-default principles, setting strict privacy settings by default for the end-user.”

Get Creative in Your Data Collection Practices

Do away with things like formulaic and rote data consent request banners on your website, said Tim McCormack, VP, media and analytics, at Bigeye. “Many successful businesses are making lemonade from what just a year ago seemed like a very unlikely touchpoint by handling data consent requests in a creative, brand-focused way,” he said. 

Users, McCormack added, have quickly shown that they are more than willing to provide information about themselves in exchange for content or services that they deem worthy. “Creating a campaign encouraging email submissions, survey answers, and more valuable information,” he said, “allows companies to create a connection with their consumers and see an increase in the quality of the first-party data they are able to leverage.”  

Consider Change-Management Policies 

Businesses must put into place adequate change-management policies to safeguard employees and ensure organizational compliance when it comes to data privacy, said Jean-Marc Chanoine, global head of strategic accounts at Templafy. “Successful change-management teams must have the right people and processes in place to educate teams on new policies, adequate technical training that ensures compliant workflows and controls in place to streamline the removal of consumer data upon request,” Chanoine said.

Change starts at the top. When it comes to customer and prospect data in 2020, monitoring is key, Chanoine said, adding that leadership needs to first ask themselves if their organizational structure is designed to follow applicable laws. “In other words,” he added, “are you able to effectively monitor the collection and utilization of information with your current people, processes and technology? Often there is a disconnect between what leadership believes is happening and what is happening on the ground.”