Mark van Vuuren

7 tips for getting peace of mind when collecting and managing customer data

While the wording of most privacy regulations is usually straightforward, they may still leave the door open to different interpretations. Companies often have their own interpretation, which translates into internal compliance requirements.

Moreover, other entities (e.g., local or international, institutional or otherwise) may also provide their recommendations, guidelines, and best practices. In some cases, they can even add layers of regulation.

As such, there is no one best compliant solution that can meet all companies’ needs. But it is still important for marketers to look for a solution that can accommodate all the possible requirements of their company, and absorb some of the complexity to speed up the data collection strategy.

In general, companies can collect and process customer (personal) data based on several different legal grounds:

  • Legitimate interest: when customer data is necessary to operate and deliver a service. In this case, the company has to inform the customer via an accessible Privacy Policy.

  • Consent: when the processing of customer data for a specific purpose requires specific consent.

  • Performance of a contract: when the company offers an option to sign up to a specific service —for example, on top of WiFi services— many data processing activities can be included in the contract (including profiling, marketing, etc.). This is the case with loyalty programs.

  • Legal obligation: when the company has to honor local regulations. In France, for example, companies have to store WiFi logs for 12 months.

When it comes to the choice of what legal ground to leverage, all the other principles of data protection regulations must be considered: the principle of data minimization, the principle of fairness, the principle of purpose limitation, etc. Local regulations in specific countries may impose stricter requirements as well.

Here are 7 tips that help companies get peace of mind when collecting and managing customer data.

Tip # 1: Collect and manage consent with granularity

All optional marketing-driven data processing activities are generally based on the legal ground of consent.

The consent to be collected should map the processing purposes described in the related privacy policy for which the consent is used as a legal basis. A common practice is to collect the consent with a checkbox for each purpose listed in the privacy policy that relies on consent.

For example, if there are two purposes: a) send personalized messages (text message and/or email), b) share data with social networks to show personalized ads, the company must require two different checkboxes.

The granularity of the consent is a matter of how companies formulate the privacy policy. For example, although it is a common practice to separate the consent for receiving messages from the consent for personalizing the content of these messages, there are hundreds of companies collecting only one aggregated consent (as they would either send personalized messages or not send anything at all).

When companies collect customer data on the legal ground of consent, data protection regulation usually requires storing a minimum set of metadata that tracks where, when and what specific privacy policy has been acknowledged.

Companies should adopt a solution that allows tagging each agreement and policy notice with a version. The solution should store when and where the consent was collected, along with which version of the document it refers to. On top of ensuring compliance, this mechanism preserves the actionability of all customer data collected up to a certain point in time, according to the content of the privacy policy acknowledged by each customer, without having to delete the entire customer database.

Tip # 2: Minimize customer data collected

Every piece of customer data collected for a purpose not justified by the legitimate interest or performance of a contract must be collected upon specific consent or otherwise be “minimized” to honor the principle of “data minimization”.

Take, for example, the Privacy Policy and Terms of Use that regulate the use of a WiFi service. Companies can probably justify the collection of the phone number or email address based on a legitimate interest (for example, to send a transactional message to the customer at every use of the service with his device, as a measure of transparency and security, and to provide an easy way to let the customer exercise his rights).

But companies probably need consent to justify the collection of the gender information and use it for a marketing purpose (for example a personalized newsletter). If companies don’t get consent for the marketing purpose, then they shouldn’t save the customer’s gender information in order to honor the data minimization principle.

Login features with social networks like Facebook are a common practice with guest WiFi, as they provide a seamless experience to customers. With the exception of certain devices like the iPhone, social media login features allow companies to collect customer data directly from the social account without presenting annoying forms. However, this mechanism in general pulls a lot of information from the customer account (profile photo, likes, friends, etc.). If companies don’t make use of this data and its usage is not made explicit in the privacy policy, the data minimization principle requires that companies don’t process this data.

Companies should adopt a solution that provides a configurable mechanism that allows minimizing the personal data of each customer, reducing it to the minimum covered by the legitimate interest if a specific consent is not collected.

Tip # 3: Be sure to respect age restrictions

Most data protection regulations impose restrictions regarding the processing of the personal data of individuals under a minimum age. In most cases, it is sufficient to declare in the privacy policy that the service is not intended for the use of such individuals.

In some instances, companies may want to collect an explicit declaration of the minimum age. Companies should adopt a solution that provides a flexible mechanism that asks for a mandatory confirmation of the minimum age and blocks access to the service otherwise.

Tip # 4: Process the data only if there is consent

When data processing is carried out on the legal ground of consent, it is very likely that there are multiple (specific) consent types collected from the customer, in the form of a checkbox. If a certain processing activity depends on consent, it is then important to make sure that processing doesn’t occur unless consent is collected.

For example, companies could adopt a solution that provides them with the ability to define the minimum consent required from a contact to process the behavioral profiling data used to personalize the customer experience. Some companies may formulate their consent as one single generic marketing program, or they may split the consent over multiple opt-ins (for example, marketing communications and personalized content as separate opt-ins).
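The mechanisms described in Tips 1, 2 and 4 (versioned consent records, minimization to what legitimate interest covers, and processing gated on consent) can be sketched together as follows. This is an added example, not code from the article or from any product it describes; the field names, purpose names and the mapping of fields to legal grounds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed mapping of stored fields to their legal ground (names are illustrative).
LEGITIMATE_INTEREST_FIELDS = {"email", "phone"}
CONSENT_FIELDS = {"personalized_messages": {"gender"}, "social_ads": {"facebook_id"}}

@dataclass(frozen=True)
class ConsentRecord:
    purpose: str            # one checkbox in the privacy policy
    granted: bool           # False records a withdrawal
    policy_version: str     # version of the document acknowledged
    collected_at: datetime  # when
    collected_where: str    # where (portal, website, ...)

def active_purposes(records):
    """Purposes whose most recent decision is a grant."""
    latest = {}
    for rec in sorted(records, key=lambda r: r.collected_at):
        latest[rec.purpose] = rec
    return {p for p, rec in latest.items() if rec.granted}

def minimize(profile, records):
    """Keep only fields covered by legitimate interest or an active consent."""
    allowed = set(LEGITIMATE_INTEREST_FIELDS)
    for purpose in active_purposes(records):
        allowed |= CONSENT_FIELDS.get(purpose, set())
    return {k: v for k, v in profile.items() if k in allowed}

def may_process(required_purposes, records):
    """Gate an activity on every consent it depends on."""
    return set(required_purposes) <= active_purposes(records)

def _at(day):
    return datetime(2024, 1, day, tzinfo=timezone.utc)

# Constructed sample data: a social-login profile and its consent history.
SAMPLE_PROFILE = {"email": "a@example.com", "phone": "+10000000000", "gender": "f",
                  "facebook_id": "fb-1", "profile_photo": "p.jpg", "likes": ["x"]}
SAMPLE_RECORDS = [
    ConsentRecord("personalized_messages", True, "v1.2", _at(5), "wifi-portal"),
    ConsentRecord("social_ads", True, "v1.2", _at(5), "wifi-portal"),
    ConsentRecord("social_ads", False, "v1.3", _at(20), "website"),
]

if __name__ == "__main__":
    print(minimize(SAMPLE_PROFILE, SAMPLE_RECORDS))
    print(may_process(["personalized_messages", "social_ads"], SAMPLE_RECORDS))
```

Fields that no purpose in the policy covers, such as the profile photo and likes pulled in by social login, are dropped by default because the filter is an allow-list rather than a block-list.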

Tip # 5: Localize, localize, localize

When companies operate on a global scale, it is important to take into account the differences in terms of data protection regulations, as well as the different requirements posed by the teams of each country or region.

Providing policies in the local language is a great start; however, it is not always easy to localize and maintain a privacy policy text in each language. Most importantly, it is very common to have different data strategies or marketing practices in different regions. For example, a company might not have a loyalty program in a specific region, or might run Facebook ads only in specific ones.

Tip # 6: Retain customer data only for the period needed

In most data protection regulations, the privacy policy must declare how long the customer data is stored for. In many cases, data protection regulations do not impose specific periods of time and it is a very common practice to state that the data is “retained for the period necessary to provide the service”. It is a good practice to state a period whenever possible. However, when deploying internationally, it is important to consider the local regulations that might impose specific restrictions for a certain type of customer data.

To address these needs, companies should adopt a solution that can handle the data retention parametrically based on country and type of data. For example, they should distinguish between WiFi logs and all the other customer data.

Tip # 7: Sync the subscription from multiple channels

When a company has multiple subscription collection sources for the same marketing program, a customer could be prompted to subscribe to that program via a sign-up journey in their locations despite already being subscribed (for example if they already subscribed on the website). In this case, companies should avoid prompting customers to subscribe if they have already done it from another channel.

Now is the time to lay the groundwork for better data collection and management. If you need help doing so, get in touch with us. Discover how we helped Burger King, Campari, Carmila (Carrefour Group), Guess, The Cordish Companies, and Valentino get peace of mind when collecting and managing customer data.
