Why so many privacy policy updates? Part 2 of 2

This week, we’ll continue discussing why you’ve received so many privacy policy updates lately.

Over the last decade, the trifecta of poor security controls, poor user-behavior controls (i.e., can you bring a USB drive to work and plug it into a cash register?), and criminals crossed paths to produce repeated data breaches. You’ve heard of the big ones like Sony, Home Depot, Target, and Equifax. Naturally, there are many more. We rarely hear about the ones at small local businesses.

While the Feds have done little to require businesses to strengthen data privacy & security, some companies have voluntarily raised their security efforts. Many didn’t. It’s a broad global issue.

For example, in much of the world outside the US you never hand your credit/debit card to a clerk, waiter, or bartender. They bring the card machine to you. You insert the card, approve the amount, pocket the card, then hand the machine back to the clerk. US cardholders control the card like this only at big box retail & grocery stores. Keeping the card in the customer’s hands removes the easiest theft opportunity: an employee who never takes possession of the card can’t skim it or copy the number and security code out of your sight.

The other shoe drops

Two years ago, the European Union decided they’d waited long enough for companies to use consumer data carefully & properly protect it. They created the GDPR, the “General Data Protection Regulation”.

The GDPR gives control of a consumer’s personal data back to the consumer, requires clear privacy policies, and sets rules for how opt-ins are offered / used. But that’s not all.

It also has a few other items of interest:

  • Ever been frustrated that a company has a data breach and doesn’t report it for months or even years? GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach (there are more details about which breaches require this, such as an exception for breaches unlikely to put anyone at risk, but I’ll leave that investigation to you).
  • Ever installed software, installed a phone app, or accessed a website that asked you to agree to 42 pages of terms and conditions written in legalese? GDPR requires that privacy notices and consent requests be written in clear, plain language and be clearly separated from everything else you’re agreeing to, which is why you’ve been getting all those privacy policy update emails.

First, I don’t recommend reading the GDPR reg on the EU website unless you’re an attorney. Maybe not even then. There are plenty of good, detailed explanations about what it means to companies based in the EU, companies with offices in the EU, and companies that do business with EU residents.

That last part is why US companies have to pay attention.

Why does a US business care about GDPR?

First off, this is not legal advice and I am certainly not an attorney, nor do I play one on TV. You need to discuss this stuff with your legal counsel, mostly because getting caught playing this game wrong can get really expensive.

You may think this doesn’t matter because it’s an EU regulation. You might be right, particularly if you only serve local customers. However, if you have an online business that serves customers in the EU, a closer look is merited.

This isn’t solely an EU problem. This change had to start somewhere and most of it is necessary. I suggest that you look at GDPR with your team. There are numerous “GDPR for Americans” explainer pages to help you decipher it.

For example: The regulation’s reach turns on whether you offer goods or services to people in the EU or monitor their behavior there, so there are exemptions (perhaps not the right word) for data collected when the EU person is not in the EU, or when you don’t advertise in the EU, target EU prospects in your ads, or offer EU languages / currencies on your website. Simply having a website that someone in the EU can reach is not, by itself, enough to pull you in.

Even if exempt, we need to look forward

Companies need to take more responsibility for protecting the data they collect than they have previously done. Likewise, they will eventually need to give consumers better access to and control of the data collected about them. Failing that, it will be forced upon them.

Why? Because Congress will eventually be forced to implement something & they have routinely shown a lack of ability / desire to understand how US businesses use technology.

Imagine what “the Patriot Act for business” and “TSA for data” might look like if written in a fear-based mindset after a “bad actor” gets an IRS database. If history teaches us anything, it’s that they’ll overreact.

Another angle: Companies that are ahead of the curve are going to be more attractive to consumers and prospective buyers.

The GDPR is enforceable as of May 25, 2018.

Rhetoric, “privacy” and those Presidential campaign email lists

About a year ago, I ran some tests to see how clued in re: email use and mobile/internet marketing each Presidential campaign was.

Each campaign got an email address all to themselves, one that I use for no other purpose so that I could track what their campaign did. In fact, the candidate name was the part before the @ sign in the email address, hard to mistake for another campaign :)

One of the reasons I didn’t leave the lists after the election: I wanted to see what they did with the lists after the campaign, something you should be very aware of as you build an email list in your business. (The same trick, a unique address per vendor, or plus-addressing such as you+vendor@ where your mail provider supports it, is a cheap way to find out which vendor shared or leaked your address.)
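As an added illustration of the tagging technique just described (example code written for this page, not the author’s own tooling; every address, domain and message in it is constructed), here is a small Python script that parses a mailbox dump, maps each “canary” address back to the campaign it was given to, and separates senders the campaign mails from itself from third parties it evidently handed the list to. The assumption that each campaign sends from exactly one domain is a simplification for the example.

```python
# Added example (not from the original post): attribute inbound mail to the
# "canary" address each sender was given, and flag senders who were never
# given that address. Every address, domain and message here is constructed.
import email
from email.utils import getaddresses, parseaddr

# Domain that hosts the canary mailboxes (assumed for the example).
CANARY_DOMAIN = "mailbox.example"

# canary local-part -> (who it was given to, the domain they mail from).
# Assumption: each campaign sends from exactly one domain.
CANARIES = {
    "candidate-a": ("Campaign A", "campaign-a.example"),
    "candidate-b": ("Campaign B", "campaign-b.example"),
}

# Constructed raw messages standing in for a mailbox dump.
SAMPLE_MESSAGES = [
    "From: Campaign A <news@campaign-a.example>\r\n"
    "To: candidate-a@mailbox.example\r\n"
    "Subject: Thanks for signing up\r\n\r\nbody\r\n",
    # A group that was never given this address mails it anyway (via Cc,
    # with odd capitalisation): the list was shared.
    "From: Liberty Alerts <alerts@liberty-alerts.example>\r\n"
    "To: someone-else@elsewhere.example\r\n"
    "Cc: Candidate-A@mailbox.example\r\n"
    "Subject: URGENT: act now\r\n\r\nbody\r\n",
    # The campaign itself suggests a partner but keeps the address in-house.
    "From: Campaign B <info@campaign-b.example>\r\n"
    "To: candidate-b@mailbox.example\r\n"
    "Subject: You might like our partner's newsletter\r\n\r\nbody\r\n",
    # Mail to a non-canary mailbox on the same domain is ignored.
    "From: A Friend <friend@other.example>\r\n"
    "To: me@mailbox.example\r\n"
    "Subject: lunch?\r\n\r\nbody\r\n",
]


def canary_for(address):
    """Return the canary local-part for one of our addresses, else None."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != CANARY_DOMAIN or local not in CANARIES:
        return None
    return local


def sender_domain(msg):
    """Lower-cased domain of the From: header ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower().rpartition("@")[2]


def attribute_senders(raw_messages):
    """For each campaign, split the domains that mailed its canary into the
    campaign's own domain and everyone else (evidence of list sharing)."""
    report = {name: {"own": set(), "third_party": set()}
              for name, _ in CANARIES.values()}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        sender = sender_domain(msg)
        for _, addr in recipients:
            local = canary_for(addr)
            if local is None:
                continue
            name, own_domain = CANARIES[local]
            bucket = "own" if sender == own_domain else "third_party"
            report[name][bucket].add(sender)
    # Sorted lists make the result stable and easy to compare.
    return {name: {k: sorted(v) for k, v in buckets.items()}
            for name, buckets in report.items()}


def shared_lists(raw_messages):
    """Names of campaigns whose canary address reached a third party."""
    report = attribute_senders(raw_messages)
    return sorted(n for n, b in report.items() if b["third_party"])


if __name__ == "__main__":
    for name, buckets in attribute_senders(SAMPLE_MESSAGES).items():
        print(name, buckets)
    print("shared:", shared_lists(SAMPLE_MESSAGES))
```

Run against a real mailbox you would feed it the raw messages from a maildir or mbox instead of `SAMPLE_MESSAGES`. Note that a campaign mailing you a suggestion from its own domain (Campaign B here) stays in the “own” bucket; only a sender that was never given the address lands in “third_party”, which is exactly the distinction between recommending another list and handing your address over.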

Here’s a summary of what happened:

Ron Paul

The Ron Paul list ended up in the hands of a number of what I would categorize as “freedom fighter” lists as well as on Mr. Paul’s fundraising list. The email from this list was of such volume and high rhetoric that I finally had to unsubscribe out of annoyance: the interruption factor was just too high. Examples include the “FREE Foundation” (Mr. Paul’s Foundation for Rational Economics and Education) and “Campaign for Liberty”.

I wasn’t asked to opt-in, they simply included me on their list because that email address specific to Ron Paul’s campaign was on Paul’s Presidential campaign list. They had it, they used it. I suspect someone there simply hasn’t taken the time to understand the written (and unwritten) rules/laws about email marketing, opt-in, etc.

Hillary Clinton

Hillary’s list ended up in the hands of HillaryPAC (which may be on hiatus now that she is U.S. Secretary of State) and while I was sent an email from Hillary’s list asking me to sign up for the “American Democracy Institute” (EmpowerChange.org) list, I wasn’t added to it without permission. The same type of attempt was made by MediaMatters. Since she was named SoS, no emails have been sent by anyone to this Hillary-specific address, which makes sense:)

John McCain

McCain’s list ended up going to the Republican National Committee (RNC). That one probably annoys me the most because it is most like the lists related to Mr. Paul’s original campaign email list. I now get emails about Norm Coleman and any other issue RNC Chairman Michael Steele thinks I simply must know about, in a tone that is just about unreadable. Think “National Enquirer” with a little Roseanne Roseannadanna added in, along with an Obama-esque donation button at the bottom.

Barack Obama

Obama’s list appears to still be in the campaign’s hands (yes, he’s still campaigning, but that’s a post for someone else’s blog), as I’ve received nothing from other lists to that address.

Mitt Romney

Last but not least, the list from Mitt Romney: Amazingly, I haven’t received a single email from his list since he quit the campaign, and it appears that his campaign didn’t give the list to anyone else.

Treat them like customers, not list members

With the exception of Mr. Paul’s list (primarily because of the volume), I’ve decided to remain on these lists to see what happens to these specific-to-the-campaign email addresses as time moves forward.

How you treat your customers’ email addresses will reflect back upon you. Stay on topic, stay on message and NEVER, EVER give your list to another vendor, business or associate.

What Hillary did (sending an email to her list, suggesting that you might check out another entity) is somewhat common – and still acceptable – business practice, but automatically signing up your customers to umpteen other lists as Mr. Paul’s campaign people did is not.