Why so many privacy policy updates? Part 2 of 2

This week, we’ll continue discussing why you’ve received so many privacy policy updates lately.

Over the last decade, the trifecta of poor security controls, poor user-behavior controls (i.e., can you bring a USB drive to work and plug it into a cash register?), and criminals crossed paths to produce repeated data breaches. You’ve heard of the big ones like Sony, Home Depot, Target, and Equifax. Naturally, there are many more. We rarely hear about the ones at small local businesses.

While the Feds have done little to require businesses to strengthen data privacy & security, some companies have voluntarily raised their security efforts. Many didn’t. It’s a broad global issue.

For example, you never give your credit/debit card to a clerk, waiter, or bartender when traveling outside the US. They bring the card machine to you. You insert the card, approve the amount, pocket the card, and then hand the machine back to the clerk. US cardholders control the card like this only at big box retail & grocery stores. This process reduces the possibility of people stealing card info because employees never take possession of the card.

The other shoe drops

Two years ago, the European Union decided they’d waited long enough for companies to use consumer data carefully & properly protect it. They created the GDPR – or “General Data Protection Regulation”.

The GDPR gives control of a consumer’s personal data back to the consumer, requires clear privacy policies, and sets rules for how opt-ins are offered / used. But that’s not all.

It also has a few other items of interest:

  • Ever been frustrated that a company has a data breach and doesn’t report it for months or even years? GDPR requires notifying the EU authorities within 72 hours of determining that a breach occurred (there are more details about which breaches require this, but I’ll leave that investigation to you).
  • Ever installed software, installed a phone app, or accessed a website that asked you to agree to 42 pages of terms and conditions written in legalese? GDPR puts a stop to that, which is why you’ve been getting all those privacy policy update emails.

First, I don’t recommend reading the GDPR reg on the EU website unless you’re an attorney. Maybe not even then. There are plenty of good, detailed explanations about what it means to companies based in the EU, companies with offices in the EU, and companies that do business with EU residents.

That last part is why US companies have to pay attention.

Why does a US business care about GDPR?

First off, this is not legal advice and I am certainly not an attorney, nor do I play one on TV. You need to discuss this stuff with your legal counsel, mostly because getting caught playing this game wrong can get really expensive.

You may think this doesn’t matter because it’s an EU regulation. You might be right, particularly if you only serve local customers. However, if you have an online business that serves customers in the EU, a closer look is merited.

This isn’t solely an EU problem. This change had to start somewhere and most of it is necessary. I suggest that you look at GDPR with your team. There are numerous “GDPR for Americans” explainer pages to help you decipher it.

For example: There are exemptions (perhaps not the right word) for data collected when the EU person is not in the EU, or when you don’t advertise in the EU, target EU prospects in your ads, or have EU languages / currencies as part of your website.

Even if exempt, we need to look forward

Companies need to take more responsibility for protecting the data they collect than they have previously done. Likewise, they will eventually need to give consumers better access to and control of the data collected about them. Failing that, it will be forced upon them.

Why? Because Congress will eventually be forced to implement something & they have routinely shown a lack of ability / desire to understand how US businesses use technology.

Imagine what “the Patriot Act for business” and “TSA for data” might look like if written in a fear-based mindset after a “bad actor” gets an IRS database. If history teaches us anything, it’s that they’ll overreact.

Another angle: Companies that are ahead of the curve are going to be more attractive to consumers and prospective buyers.

The GDPR is enforceable as of May 25, 2018.

Why so many privacy policy updates? Part 1 of 2

If you buy stuff, do business, and/or take courses online, you deal with someone who collects your email & other personal info. Recently, you’ve probably received numerous emails regarding changes in their privacy policy. A privacy policy documents how a company uses the data they collect during the process of selling something or providing content to you.

A little backstory is necessary to paint a picture of why data privacy has gained recent attention & how recent changes could affect your business.

Why the data is important to businesses

If you’ve gotten a credit card offer in the mail, credit card / bank / credit bureau data about you was used to turn you-the-product into you-the-customer. It’s easy to buy a list of mailing addresses of people who make more than $75K a year, live in upscale neighborhoods, & own their own homes. This is not new in the Facebook era & they aren’t the first company using this data. It’s been happening for decades.

Some of this use is wise. Advertisers want the best return for their investment & businesses want the advertisements they offer to be effective so that advertisers keep advertising.

When we see out-of-context ads, they seem stupid & annoying. You may wonder if the advertiser (and the company displaying the ad) know what they’re doing. Effective advertisers don’t make money being stupid and annoying. They like putting stuff in front of you that you’re inclined to buy.

Retargeting, not Big Brother

Advertising effectively includes using what you know about a prospect to show them ads for things they’ve previously shown interest in.

Perhaps this morning you looked at baby clothes on Amazon. This afternoon, you might have been weirded out to see an Amazon baby clothes ad in the Facebook sidebar.

This isn’t Big Brother.

It’s the smart (and sometimes obnoxious / overbearing) re-use of data collected when you were shopping. It’s called behavioral retargeting. When you visit Amazon.com, a blog, or Pinterest, your browser stores info about what you viewed.

Amazon advertises on Facebook. When they do retargeting, their dynamically generated Facebook ad can re-use the data your browser stored on their behalf while you were at Amazon, but they can only see the data they stored. Other sites you visit can also buy Facebook ads pointing at Amazon-offered (and other) products based on what you viewed while on their site, but they can’t see what Amazon stored.

Circling back to privacy policy

The value of this data grows as you collect more of it. When value is developed, there will be people who want to abuse it. Likewise, there will be people who want to steal the data and misuse it.

For years, the Federal Trade Commission has been tightening up monitoring and enforcement of advertising & (particularly) testimonials posted by US-based online businesses. This happened because of poor behavior by a small percentage of people. They made up testimonials, paid for testimonials (without making it clear that they were paid for), and/or sold their contact list to other businesses without telling customers they’d become their product, etc. While not all paid testimonials are a bad thing, misuse & less-than-ethical behavior was going on. The volume of complaints to the FTC was increasing.

Originally, there weren’t many rules about how the data could be used because the companies with this data treated it as a trade secret. Before company networks connected to the internet, data was easy to protect. Obviously, being connected to the internet changed that.

The FTC hasn’t taken the next step regarding the contents of the privacy policy. By requiring businesses to state how a person’s data would be used, they left action to the consumer by allowing us to choose businesses (in part) based on their stated privacy policy.

Brick-and-mortar businesses and organizations like Equifax haven’t been held to the same standards as online businesses, probably because they’re easier for the consumer to find & confront. However, businesses like Equifax are under no regulatory requirement to adhere to your requests about the data they collect about you. For example, when you ask them to delete your personal data from their systems, they don’t have to do it (and probably won’t). You’re the product they sell, remember? More specifically, data about you is the product.

The misuse & lack of consumer control provoked what happened next. We’ll cover that next week.
