While the wording of most privacy regulations is usually straightforward, they may still leave the door open to different interpretations. Companies often have their own interpretation, which translates into internal compliance requirements.
Moreover, other entities (e.g., local or international, institutional or otherwise) may also provide their recommendations, guidelines, and best practices. In some cases, they can even add layers of regulation.
As such, there is no single best compliant solution that can meet all companies’ needs. Still, it is important for marketers to look for a solution that can accommodate all the possible requirements of their company, and absorb some of the complexity to speed up the data collection strategy.
In general, companies can collect and process customer (personal) data based on several different legal grounds:
Consent: when the processing of customer data for a specific purpose requires specific consent.
Performance of a contract: when the company offers an option to sign up to a specific service (for example, on top of WiFi services), many data processing activities can be included in the contract (including profiling, marketing, etc.). This is the case with loyalty programs.
Legal obligation: when the company has to honor local regulations. In France, for example, companies have to store WiFi logs for 12 months.
When it comes to the choice of which legal ground to leverage, all the other principles of data protection regulations must be considered: the principle of data minimization, the principle of fairness, the principle of purpose limitation, etc. Local regulations in specific countries may impose stricter requirements as well.
Here are 7 tips that help companies get peace of mind when collecting and managing customer data.
Tip # 1: Collect and manage consent with granularity
All optional marketing-driven data processing activities are generally based on the legal ground of consent.
For example, if there are two purposes, a) sending personalized messages (text message and/or email) and b) sharing data with social networks to show personalized ads, the company must provide two separate checkboxes.
Tip # 2: Minimize customer data collected
Every piece of customer data collected for a purpose not justified by the legitimate interest or performance of a contract must be collected upon specific consent or otherwise be “minimized” to honor the principle of “data minimization”.
But companies probably need consent to justify the collection of the gender information and use it for a marketing purpose (for example a personalized newsletter). If companies don’t get consent for the marketing purpose, then they shouldn’t save the customer’s gender information in order to honor the data minimization principle.
Companies should adopt a solution that provides a configurable mechanism that allows minimizing the personal data of each customer, reducing it to the minimum covered by the legitimate interest if a specific consent is not collected.
Tip # 3: Be sure to respect age restrictions
In some instances, companies may want to collect an explicit declaration of the minimum age. Companies should adopt a solution that provides a flexible mechanism that asks for a mandatory confirmation of the minimum age and blocks access to the service otherwise.
Tip # 4: Process the data only if there is consent
When data processing is carried out on the legal ground of consent, it is very likely that there are multiple (specific) consent types collected from the customer, in the form of a checkbox. If a certain processing activity depends on consent, it is then important to make sure that processing doesn’t occur unless consent is collected.
For example, companies could adopt a solution that provides them with the ability to define the minimum consent required from a contact to process the behavioral profiling data used to personalize the customer experience. Some companies may formulate their consent as one single generic marketing program, or they may split the consent over multiple opt-ins (for example, marketing communications and personalized content as separate opt-ins).
Tip # 5: Localize, localize, localize
When companies operate on a global scale, it is important to take into account the differences in data protection regulations, as well as the different requirements posed by the teams of each country or region.
Tip # 6: Retain customer data only for the period needed
To address these needs, companies should adopt a solution that can handle the data retention parametrically based on country and type of data. For example, they should distinguish between WiFi logs and all the other customer data.
Tip # 7: Sync the subscription from multiple channels
When a company has multiple subscription collection sources for the same marketing program, a customer could be prompted to subscribe to that program via a sign-up journey in their locations despite already being subscribed (for example if they already subscribed on the website). In this case, companies should avoid prompting customers to subscribe if they have already done it from another channel.
Now is the time to lay the groundwork for better data collection and management. If you need help doing so, get in touch with us. Discover how we helped Burger King, Campari, Carmila (Carrefour Group), Guess, The Cordish Companies, and Valentino get peace of mind when collecting and managing customer data.