You’ve seen the headlines on mobile apps spamming, social networks doing about-faces on how they use data, and display advertising services leveraging CRM data attributes. You heard today about regulatory and self-regulatory fragmentation, and about all the various types of first-party and third-party data being collected. And now that all of this formerly channel-specific data can be managed through single toolsets, it’s more important than ever to do so without running afoul of the various deliverability, privacy, or regulatory compliance risks.
To continue our summer theme of cross-channel integration, let’s shift focus to cross-channel privacy. In this presentation I’ll be reiterating some key facts and showing you ways to avoid brand-breaking hazards.
To kick things off, I want to borrow a basic premise from Seth Godin:
FACT: Your marketing is broken if you wind up spamming to sell your product, or if you run afoul of wireless carriers, social network hosts, or international regulators.
FACT: In the world of “Big data”, risks are tied to collecting more data than you know what to do with. Google is still dealing with the consequences, over in the EU, of blindly collecting miscellaneous data it had no specific purpose for collecting or using!
As brands continue to experiment with new technologies to gain greater insights into and access to consumers, it’s more important than ever to ensure you only collect data that you actually need.
Beyond ensuring that your collection efforts are purposeful, it is important to get appropriate consent from consumers for specific uses of their personal information. Here’s why:
FACT: Consent is NOT transferable between messaging channels. The UK ICO says so too!
Even though it’s possible to manage cross-channel campaigns centrally, the fact remains that email, mobile, and social spaces are walled off from one another. Various legal, contractual and acceptable use rules, and a variety of self-regulated requirements further sandbox these messaging channels from one another.
COMMON HAZARD. If Email gets into trouble by staying in the direct marketing headspace, other messaging channels get into trouble by staying in the Email headspace.
To succeed, we need to understand the obligations and restrictions for using these other channels. One such obligation may be a form of consent and disclosure that goes above and beyond what is typically permitted for email marketing. Or even what is typically allowed within the US….
As you can see from this graphic, consent standards differ from channel to channel, let alone from country to country.
ANNOYING FACT: There really is no effective Single Sign-On version of consent that can bridge different communication channels. There could be, with biometric sensors, but even that technology has drawbacks that became apparent with the iPhone 5C.
And it only gets more complicated in certain channels. Self-regulation in these spaces typically goes beyond applicable legal baselines, one outlier example being the commercial SMS space, where a handset-based Double Opt-In is an enforced practice. In the social and ad-serving channels, where there is no direct regulation, terms of service and industry best practices become the de facto rules of the road for legitimate marketers.
COMMON QUESTION. How can I drive engagement with my new app or SMS program? If you’re primarily an email marketer, one of the best ways is to spice up your emails by evangelizing your other communication channels. Some common examples are integrating Facebook Likes into email, inviting recipients to download your mobile app, or promoting your SMS coupon program within your eReceipts.
Here’s a common privacy hazard observed in the Email space. We see many retailers rely on ‘auto-consent’ while asking for multiple contact points. While this method may be legal in the US for email, it may not be internationally, and it is no longer legal for SMS and auto-dialed telemarketing. Equally important, auto-consent starts email engagement on the wrong footing by neglecting to socialize marketing intent. It’s a best practice not to do this at all, but if you must, send a welcome series to socialize the brand, provide an opt-out mechanism, and collect user open/click engagement from the get-go. Otherwise, consider Confirmed Opt-In. It’s still a hotly debated topic, but it is a powerful tool for marketers more interested in data quality than data quantity. Ken Magill does it…
NEW HAZARD! On October 16, 2013, new rules will go into effect for companies sending marketing text messages to cell phones. These rules require prior express written consent for marketing. Prior express written consent is obtained through a signed written agreement that clearly and conspicuously discloses to the consumer that:
(i) by signing the agreement, he or she authorizes the seller to deliver marketing text messages to a designated phone number;
(ii) the consumer is not required to sign the agreement, or agree to enter into it, as a condition of purchasing any property, goods or services; and
(iii) the required signature may be obtained in any manner that complies with applicable state or federal law, including via e-mail, Web site form, text message, telephone key press, or voice recording.
OLD HAZARD and FACT: Even if a consumer volunteers their mobile number along with their email address, it doesn’t mean you can begin to message them right away.
In the mobile space, specific procedures and authorizations are required to implement a commercial SMS program. These controls were created to combat historic abuses in the industry and are encoded into the industry’s self-regulatory framework. For example, SMS content providers are required to provide specific disclosures to consumers adjacent to all Calls-To-Action.
Speaking of consent, Double Opt-In for SMS is a bit different than Confirmed Opt-In for email. It’s like subscribing to a mailing list using your email address and then confirming your subscription with your laptop’s MAC address, which is registered with your ISP.
FACT: While there are few laws explicitly governing social media, social networks impose their own terms and conditions and software rules. These should be considered along with overlapping existing laws.
Social media rules are best summarized in three key areas: (i) marketing integration, (ii) applications, and (iii) advertising. Most social networks make some of their user data ‘public’ to all website visitors, and often include the capability to collect some information through application programming interfaces (APIs). There is a new host of startup companies and others who are providing integration and reporting services that enable marketers to know more about where their customers are on social media and, in some cases, what they are saying. There are also many mobile app developers adding geo-location and other mobile data access capabilities into the mix.
HAZARD. One common social network rule is the prohibition on automatic collection of user information through spiders, exploits, or other such tools. Networks like Facebook, while making some PII available for public viewing, prohibit straight collection of PII unless the user provides consent, such as through a TOS agreement or an app download screen. And even when social data is properly integrated, there are some restrictions on using unique user data for online advertising or email marketing purposes. The general principle is that social user data is intended to benefit the social experience and not outside marketing. We’ll touch a bit more on data integration later.
FACT: The sectoral approach to privacy in the US doesn’t mesh well with channel-agnostic privacy legislation elsewhere. In the US, SMS and telemarketing regulations may have gotten up to speed, but email is still behind the times.
In recent guidance covering direct and electronic marketing, the UK Information Commissioner’s Office reiterated its position on acceptable consent, stating that:
“Implied consent is certainly a valid form of consent but those who seek to rely on it should not see it as an easy way out or use the term as a euphemism for ‘doing nothing’...” - UK ICO guidance
The ICO commented that consent must be very specific, whereby the concept of an “overt act of permission” becomes that much more important.
FREQUENT QUESTION. One of the most frequently asked questions is whether pre-checked boxes are allowed outside of the US. The truth is that certain countries like Australia, Germany, Japan, and soon Canada prohibit pre-checked boxes.
Here’s a great example of an EU- and Aussie-friendly page that gets rid of checkboxes altogether by focusing on an overt form of permission: If you don’t agree with how your data will be used, don’t hit the Continue button!
FACT: If regulators don’t ding you, consumers may. This is because Canada’s still-delayed Anti-Spam Law grants a private right of action to covered consumers. By way of background, CASL was passed in December 2010, but its implementing regulations are not finalized and it does not yet have a “coming-into-force” date. We expect that regulations will be finalized by the end of the year. We expect the Canadian government to provide at least six months after publishing the final regulations before bringing the law into force, in order to allow everyone to prepare.
BIG HAZARD! One onerous aspect of the law is that senders are expected to have reasonable prior ‘knowledge’ that they are emailing Canadian recipients, or that their recipients consistently access electronic messages through Canadian systems. As such, any non-Canadian sender could also be subject to CASL liability, including the risk of civil lawsuits.
HAZARD CONTINUES. Considering the prior knowledge requirement and the difficulty in distinguishing North American recipients by email address alone, many companies are evaluating the cost of applying the higher-bar Canadian requirements to their US operations irrespective of whether they have a physical presence in Canada. This assessment begins with an audit of existing database systems and acquisition practices to identify potentially covered recipients. If you don’t already collect geographic information from your recipients and it’s not clear where they are from the email address (e.g. a generic @gmail.com), consider asking your email recipients to self-identify in a compelling campaign.
As mentioned previously, one of CASL’s regulators has taken a hard-line position on permissioning, saying that (i) consent has to be opt-in, and that (ii) checkboxes cannot be pre-checked. However, from other examples provided by this regulator it is possible that EU-style Unambiguous Informed Consent may satisfy Canadian opt-in requirements.
Unfortunately, without further guidance from Canadian regulators, it’s still unclear how all of these considerations will be implemented and enforced, and what business-friendly exemptions will make the final cut.
FACT: One of the largest sources of bad data is the brick-and-mortar checkout counter.
A poorly implemented ‘eReceipts’ program can lead to inadvertent compliance violations and deliverability problems.
In the US, marketers should be aware of restrictions set by California’s Song-Beverly Credit Card Act of 1971, which prohibits businesses from collecting “personal identification information” during credit card transactions. It’s possible to offer eReceipts internationally under applicable Implied Consent exemptions, but there must still be an effort to provide up-front disclosures to consumers.
Beyond legal compliance hazards, POS carries a very tangible risk of providing you with inaccurate and fraudulent data. Don’t break your brand by emailing to bad data and spamtraps. Use kiosks and other input devices instead of asking consumers to dictate or write down their email address. Have hygiene tools on standby to check submitted data for known errors and other deliverability hazards.
For more information, please visit the Experian Marketing Services website and search for our Point-of-Sale compliance white paper.
FACT: Confirmed Opt-In is a great tool, but your COI requests can still hit spamtraps. You may not get dinged for it but Mainsleaze.com and SpamHaus can pick up on a COI request going out to a spamtrap account and issue a warning. It’s possible to warn SpamHaus ahead of time that a COI campaign is going out to inactive users, but the fact remains that your acquisition source is generating low quality data for one reason or another.
HAND OFF TO DELIVERABILITY COLLEAGUE.
FACT: An Open is a poor sign of life and is certainly not an indication of permission.
A rule of thumb is that an Open is a sign of potential interest, while only a Click is a sign of behavioral engagement. I’ve yet to see a COI scenario where an Open is a good way to verify consent.
Monitoring for signs of life may also serve a regulatory compliance purpose. For example, under CASL, Implied Consent is set up to expire in 2 years if the marketer does not obtain express consent or if the consumer does not reset the clock with some concrete transaction. Being able to integrate offline & online transactional activity into your marketing database can help with compliance. In the CASL example, if on the 23rd month you see that a consumer makes a purchase or calls customer support about their account, you may have another 24 months to obtain their express consent.
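The CASL clock described above, as an added example that is not from the talk or from any Experian tool: a small consent ledger in Python that keeps consent per channel (so email consent never stands in for SMS), stores the overt act behind each express consent, expires implied consent two years after the last qualifying transaction, lets a new transaction reset that clock, and lists the contacts whose implied consent is about to lapse so express consent can be requested while messaging is still permitted. The record layout, function names and the 730-day window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Added example, not from the talk. Record layout and helper names are
# assumptions; the only figure taken from the talk is the two-year CASL
# implied-consent window, modelled here as a flat 730 days.
IMPLIED_CONSENT_TTL = timedelta(days=730)


@dataclass
class ConsentRecord:
    contact: str
    # Consent is held per channel and never copied between channels:
    # channel name -> ("express" | "implied", evidence / basis)
    consent: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # Most recent qualifying transaction (purchase, support call, ...)
    last_transaction: Optional[date] = None


def grant_express(rec: ConsentRecord, channel: str, evidence: str) -> None:
    """Record express consent for ONE channel together with the overt act that
    produced it (form id, signed-agreement reference, keypad confirmation...)."""
    if not evidence:
        raise ValueError("express consent needs a recorded overt act of permission")
    rec.consent[channel] = ("express", evidence)


def note_implied(rec: ConsentRecord, channel: str, when: date, basis: str) -> None:
    """Record implied consent for one channel and start the expiry clock."""
    rec.consent[channel] = ("implied", basis)
    record_transaction(rec, when)


def record_transaction(rec: ConsentRecord, when: date) -> None:
    """A concrete transaction (purchase, account call) resets the clock."""
    if rec.last_transaction is None or when > rec.last_transaction:
        rec.last_transaction = when


def implied_expiry(rec: ConsentRecord) -> Optional[date]:
    if rec.last_transaction is None:
        return None
    return rec.last_transaction + IMPLIED_CONSENT_TTL


def can_message(rec: ConsentRecord, channel: str, today: date) -> Tuple[bool, str]:
    """Decide whether a message on `channel` is permitted today, and why."""
    entry = rec.consent.get(channel)
    if entry is None:
        return False, f"no consent on record for '{channel}' (other channels do not transfer)"
    kind, evidence = entry
    if kind == "express":
        return True, f"express consent ({evidence})"
    expiry = implied_expiry(rec)
    if expiry is None:
        return False, "implied consent claimed without a qualifying transaction"
    if today >= expiry:
        return False, f"implied consent expired {expiry.isoformat()}; obtain express consent"
    return True, f"implied consent valid until {expiry.isoformat()}"


def expiring_soon(records: List[ConsentRecord], channel: str, today: date,
                  window_days: int = 60) -> List[str]:
    """Contacts whose implied consent on `channel` lapses within the window:
    the list to ask for express consent while a message is still permitted."""
    due = []
    for rec in records:
        entry = rec.consent.get(channel)
        if entry is None or entry[0] != "implied":
            continue
        expiry = implied_expiry(rec)
        if expiry is not None and today < expiry <= today + timedelta(days=window_days):
            due.append(rec.contact)
    return due


if __name__ == "__main__":
    # Constructed sample: a purchase on 2012-01-01 gives implied email consent.
    rec = ConsentRecord("a@example.com")
    note_implied(rec, "email", date(2012, 1, 1), "purchase 2012-01-01")
    for day in (date(2013, 6, 1), date(2014, 1, 1)):
        print(day, "email:", can_message(rec, "email", day))
        print(day, "sms:  ", can_message(rec, "sms", day))
    print("due for express-consent request:", expiring_soon([rec], "email", date(2013, 11, 15)))
    record_transaction(rec, date(2013, 12, 1))  # support call in month 23
    print("after reset:", can_message(rec, "email", date(2014, 1, 1)))
```

Run as a script, the output shows implied email consent valid in mid-2013, no SMS permission at all, expiry at the end of 2013, and then a fresh window after the December transaction; the `expiring_soon` list is the audience for the express-consent campaign.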
FACT: Personal information combined with non-personal behavioral data creates personal information.
There are currently so many opportunities to integrate social and display into existing marketing programs, and to make consumer engagement more personalized and relevant than ever.
However, when integrating across channels you want to make sure that the mix of personal and non-personal information at play is adequately discussed in your privacy policies. One difficult topic that deserves discussion is the question of anonymity. It’s true that historically display ads have been mostly anonymous, but with social integration and proliferation of web tracking technologies the term “anonymous” can’t always hold true. Common examples are email-to-web clickthrough tracking and shopping cart abandonment scenarios where cookie-tracked web behavior is attributed to a unique email address.
ANOTHER FACT: First party behavioral tracking and advertising is exempted by FTC in the US, but sharing such data with third-parties is a completely different ball game that may require enhanced notice and the ability for the user to opt-out.
As more websites integrate with third-party advertising services, it is increasingly important for publishers, advertisers, and service providers to participate in, or adhere to, the cross-industry Digital Advertising Alliance (DAA) principles (Self-Regulatory Principles for Online Behavioral Advertising). Adherence to the DAA principles displays a commitment from the online advertising industry to increased transparency and choices for consumers with interest-based tracking and advertising.
However, not all publishers participate or bother to disclose tracking of less commonly known elements such as mobile device IDs for marketing purposes. Even if they disclose tracking in web-based privacy statements, some do not make privacy policies accessible from within an app, which is now a California compliance risk.
The DAA is also now mandating that some transparency for targeted advertising is included in publishers’ privacy policies. This includes enhanced notice and consent for location-based services, cross-application collection, and other mobile tracking mechanisms. New guidelines would also require user permission to access directory data such as contact lists and photos.
Here’s an example of a UK-friendly enhanced notice about cookies.
In October of last year, the California AG warned companies about making their privacy policies “readily accessible” to consumers of their online services. In January the AG issued privacy best practice recommendations to app developers, stressing the need for privacy by design.
On the heels of these warnings, the AG filed suit against Delta Airlines, asking for a court order that would force Delta to post a policy on the app, and pay $2,500 for each violation demonstrated at trial.
If the goal is to inform consumers about everything that you do with their data, it should be done in a way that they can read and understand.
There are numerous creative efforts underway to develop consumer-friendly privacy policies. One popular approach is the short form notice (click animation) where top level categories are provided for at-a-glance viewing with an opportunity to read further. If you’ve ever browsed Wikipedia on your smartphone you’ll know what this layered approach looks like.
FACT: You CAN optimize cross-channel marketing to avoid hurting your brand across channels and geographic regions.
If you’re primarily an Email marketer, it’s important to think about how to reach the consumer through mobile and social channels and how best to integrate personal and non-personal information in a responsible manner. If you mainly operate in the SMS space, the blogosphere or social media, there are plenty of opportunities to enhance engagement through adjacent channels.
The key to bridging these channels is to not break your brand and your marketing from the get-go. To summarize:
2013 ESPC Annual Meeting - Top Ten Ways To Optimize Cross Channel Marketing (2013)
Top 10 ways to optimize cross-channel marketing without hurting your brand and reputation
Learn to get proper consent through various data
Understand compliance with U.S. and Int’l laws
Integrate personal and non-personal data while
Avoid brand and deliverability
Avoid arrested development… with purposeful collection
Optimize consent for each channel …they’re still walled gardens
EMAIL ‘AUTO-CONSENT’ IS NOT PERMISSION
Collection is part of a TRANSACTION, but no disclosure of marketing intent or opt-in request
Legal in US but is a poor privacy practice and increases
Mitigate with welcome emails.
UPDATED TCPA OPT-IN RULES
OCT 16: Prior “express written
be overt, specific
to marketing SMS,
of any other
Cannot send more than 1 Opt-Out
Is the above compliant?
BY THE GRACE OF THE WIRELESS CARRIERS
Include industry-mandated essential terms and how to opt-
BE AWARE OF SOCIAL NETWORK TOS
Make permission statements clear
Mind restrictions about using data off the platform
INTERNATIONAL CONSENT CONTINUUM
Consent optimized for the US… may not be adequate in Int’l markets
for CASL IS COMING
Don’t wait. Prepare now...
Purpose-based Express Consent (Opt In)
Implied Consent can expire!
Mailing address + Tel, Email or URL
How to opt-out
Unsubscribe “Readily performed” processing
(Non-accidental) access from a computer system in
Broad definition of “commercial message”
Email, SMS, IM, MMS, video, and software in scope
CASL DESIGNED TO BE MORE RESTRICTIVE
Regulations still incomplete and CASL not expected to come into force until late 2013 or early 2014.
USE TOOLS TO MITIGATE SPAMTRAPS
Use kiosks/iPad instead of teller requests
Ask to check spelling
Correct known domain typos
Ask to opt-in within eReceipt or send COI
Old email data is still a delivery risk …even if it was initially COI’d
SEGMENT DATA BY TENURE (AND COUNTRY)
Adjust acquisition practices to help identify recipient’s country jurisdiction, segment accordingly
Behaviorally verify users inactive for over 8 months and re-confirm users inactive for over 18 months.
Continually scan for signs of life …across all your frontiers
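To tie together the point-of-sale hygiene advice, the country self-identification point from the CASL discussion and the tenure thresholds on this slide, here is an added Python example that is not from the talk and not an Experian product: it normalizes submitted addresses, corrects a constructed list of known domain typos, infers a country signal only where the domain gives one (a generic @gmail.com is reported as unknown, i.e. ask the recipient), and buckets each record as ok, verify (inactive more than 8 months) or reconfirm (inactive more than 18 months). The typo map, ccTLD map, generic-domain list and function names are assumptions.

```python
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example, not from the talk. The typo map, generic-domain list and
# ccTLD map are constructed assumptions; a real list comes from your own
# bounce and complaint data.
KNOWN_DOMAIN_TYPOS = {
    "gmial.com": "gmail.com",
    "gamil.com": "gmail.com",
    "hotmial.com": "hotmail.com",
    "yaho.com": "yahoo.com",
}
# Generic mailbox providers say nothing about the recipient's country.
GENERIC_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
# Country-code TLDs that give a usable jurisdiction signal.
CCTLD_JURISDICTION = {"ca": "CA", "uk": "UK", "de": "DE", "au": "AU"}

EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$")
VERIFY_AFTER_MONTHS = 8      # slide: behaviourally verify if inactive > 8 months
RECONFIRM_AFTER_MONTHS = 18  # slide: re-confirm opt-in if inactive > 18 months


def clean_address(raw: str) -> Tuple[Optional[str], List[str]]:
    """Normalize one submitted address and correct known domain typos.
    Returns (cleaned address or None, notes)."""
    addr = raw.strip().lower()
    if not EMAIL_RE.match(addr):
        return None, ["invalid syntax"]
    local, domain = addr.rsplit("@", 1)
    notes: List[str] = []
    if domain in KNOWN_DOMAIN_TYPOS:
        domain = KNOWN_DOMAIN_TYPOS[domain]
        notes.append("corrected domain typo")
    return f"{local}@{domain}", notes


def infer_jurisdiction(addr: str) -> str:
    """Best-effort country signal from the domain; 'unknown' means the
    recipient should be asked to self-identify."""
    domain = addr.rsplit("@", 1)[1]
    if domain in GENERIC_DOMAINS:
        return "unknown"
    tld = domain.rsplit(".", 1)[1]
    return CCTLD_JURISDICTION.get(tld, "unknown")


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months elapsed from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def tenure_action(last_engaged: date, today: date) -> str:
    """'ok', 'verify' or 'reconfirm' according to the inactivity thresholds."""
    inactive = months_between(last_engaged, today)
    if inactive > RECONFIRM_AFTER_MONTHS:
        return "reconfirm"
    if inactive > VERIFY_AFTER_MONTHS:
        return "verify"
    return "ok"


def triage(records: List[Dict], today: date) -> Dict[str, list]:
    """Run submitted records through hygiene, jurisdiction and tenure checks.
    records: [{'email': str, 'last_engaged': date}, ...]"""
    out: Dict[str, list] = {"reject": [], "ok": [], "verify": [], "reconfirm": []}
    for rec in records:
        addr, notes = clean_address(rec["email"])
        if addr is None:
            out["reject"].append((rec["email"], notes))
            continue
        bucket = tenure_action(rec["last_engaged"], today)
        out[bucket].append((addr, infer_jurisdiction(addr), notes))
    return out


if __name__ == "__main__":
    sample = [  # constructed sample data, not real recipients
        {"email": " Bob@Gmial.com ", "last_engaged": date(2013, 8, 1)},
        {"email": "alice@shop.ca", "last_engaged": date(2012, 11, 1)},
        {"email": "carol@example.co.uk", "last_engaged": date(2011, 9, 1)},
        {"email": "not an address", "last_engaged": date(2013, 8, 1)},
    ]
    for bucket, rows in triage(sample, date(2013, 9, 15)).items():
        print(bucket, rows)
```

The `verify` bucket is the audience for a behavioral check (a click, a transaction), the `reconfirm` bucket for a fresh COI request, and anything with an `unknown` jurisdiction is a candidate for the self-identification campaign the CASL discussion recommends.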
USE CAMPAIGN ANALYTICS
Look for email Clicks. Opens can be false positives!
Who are your social media fans?
Can you re-target
Disclose tracking and data integration efforts… and get consent where you can
ALLOW USERS TO OPT-OUT OF OBA
DON’T FORGET ENHANCED DISCLOSURES IN THE EU
“Updated cookies policy – you’ll see this message only once
and how you use our website, which improves the browsing experience and marketing – both for you and for others. They are stored locally on your computer or mobile device. To accept cookies continue browsing as normal.
Readily accessible privacy policies are a must …on-deck and off
Web, mobile, and app privacy policies should be easy to read!
Put it all together to help you
1. Constrain collection of data to only specific purposes.
2. Ask for unambiguous consent up-front. Mind industry-specific guidelines.
3. Record ‘overt acts of permission’ whenever possible. It is always possible.
4. Audit your database and practices to gauge Int’l risk. (UK ICO, CASL)
5. Preempt spamtrap risks online and at Point-of-Sale.
6. Put in place tailored data hygiene controls to cull bad data.
7. Scan for signs of life across all touch points to re-target and re-engage.
10. Bridge across marketing channels using your primary medium.
10 WAYS TO NOT BREAK YOUR BRAND
Privacy & Compliance Analyst Lead, CIPP
Experian Global Compliance | Marketing Services.
For more information, please visit