Is Your Business Compliant?
Now more than ever, consumers are actively looking to ensure their data will be protected by the companies they do business with. Business owners have the daunting task of staying on top of data privacy laws while also running their business.
Recently, our CEO sat down with an expert who helps business owners identify gaps in their practices, create strong policies and procedures, and even train staff on handling a data breach. In this blog, Hollywood Branded learns how to understand privacy laws with Jodi Daniels, CEO of Red Clover Advisors.
A Little More About Jodi
Jodi is the founder & CEO of Red Clover Advisors, a boutique privacy consulting agency. Jodi works with businesses in every industry to help them better understand and stay compliant with the ever-changing regulations in privacy, customer data collection and use, digital governance, online data strategy, and much more.
Jodi understands the challenges of building and managing a business or brand, and when it comes to compliance, “you don’t know what you don’t know…” so she works to simplify privacy laws so that you can get back to doing what you love.
Interview Transcript Highlights
Question: For our listeners who don't know that much about privacy or privacy laws, and they've probably been hearing or reading or listening to different people chatting about it, can you give us a little bit of a broad overview of why privacy laws exist and what matters about them to business owners?
Answer: Sure. And to do that we have to sort of separate the US where we are, and the rest of the world. We take a very different approach. So I'll start actually with Europe. In Europe, our listeners have probably been seeing lots of cookie pop-ups and accept our cookies and emails around we care about your privacy, here's this new privacy notice. That is all courtesy of GDPR. Those four letters stand for the General Data Protection Regulation. It just celebrated its first birthday, so end of May. We're in the toddler years now of GDPR and Europe takes a very individualized approach to privacy meaning it's each person, it's a fundamental right to privacy and they also take it at a very national level, here's the big privacy law for all of the EU, each country can then have its own more specific if you want, but GDPR's kind of the floor and it puts the individual first.
In the United States, we take a very business centric approach to privacy, we're very capitalistic, it's all about also helping the small businesses, so many of our laws, privacy or not, often have a minimum threshold, trying to exclude the small businesses to help make them grow and try not to have compliance or anything be a burden to them. We've had privacy laws in the United States for a while, it's just a sectoral approach. Meaning, healthcare, everyone often thinks of HIPAA when you go to the doctor's office. Your financial banking information and credit card, that's under its own privacy law. Many of the marketers are probably familiar with the CAN-SPAM Act making sure our emails, I can unsubscribe from them. The ability to be on a do not call list, that's its own separate privacy law.
Now where we are today is the amount of data that we have because of all our amazing digital technologies, creates literally 2.5 quintillion data bytes a day of data around the world. We have a lot of data. Companies are doing all kinds of fascinating, interesting, maybe not so wonderful things with it, and now we have privacy laws that are trying to catch up with honestly all the activities
Question: What are some of the things that businesses do that violate the laws?
Answer: Yeah, and I'm going to also answer that and talk about privacy laws because especially in the United States and in marketing, but there actually aren't a lot of privacy laws. So we can collect and use a lot of data, and there isn't a law that says we can't, the question is should we?
When a company goes and puts, typical website, I'm going to put a cookie on the site so I can analyze my traffic and re-target you and do things like that. Then I might use another company, another cookie is on the site to track my user behavior all along the web, and the incentive for me as the website is I get some type of kickback or payment for doing that. Well now that company goes and collects all the data, builds a profile, sells it. Someone else wants to utilize that for advertising, and you start to hear the stories of the pregnancy app whose data was shared with an employer. You start to hear about the kids who are targeted in their video games with all types of inappropriate ads. You get the, well hold on I just spoke about this on my phone and now I see an ad on Facebook or somewhere else. How did it just know? I didn't type it, I just spoke it.
When you add all of that together, there isn't a law in the United States that says you can't do those activities. Where we are is I have to disclose what I'm doing, and where California is moving is you have to disclose it even more specifically and give me more choices. So the biggest piece is really all around transparency. Now if we were in Europe, there's a lot more that I can and can't do. It's much more strict and you have to really think about it in advance first and decide am I allowed to do this and why am I allowed to do this? And then tell me why I'm doing it, and then make sure I can opt out or something like that. In the United States we are a little bit different.
A lot of us now have Amazon's Alexa in our house, and we know it's about to start talking with me right now, I said her name, she woke up. When you're having conversations and you don't say her name, you are seeing her light up and you know that there's some sort of data collection that's probably happening to some degree or another.
There's a lot of controversy, especially in the privacy community around that because now that company owns that photo and can do anything it wants, and it has the metadata associated with that. It might not use it right now, but it might in the future, and these things are free, but you've paid with your data.
Question: What are some of the other mistakes that businesses make?
Answer: I think the other is, the privacy notice is considered this boring legal document and it is kind of a necessary evil document. What I see happen is a couple things. First, it doesn't get updated. That document is required by a variety of places. If you do business in Europe, we can talk about the GDPR requirements, but if there's any impact there you have to have an updated privacy notice. If you do business in California today or Delaware or Illinois or a variety of other states, you have to have a privacy notice, and the Federal Trade Commission requires you to have one. So there's a lot of places that make you have one.
The mistake is that they write it and they forget about it. It's a living, breathing document. It's meant to do a couple things, it's meant to be literally your legal coverage for telling the person here's what we're doing with your data. Once you chop that legal requirement away, which is extremely important, it's also your communication vehicle. It's how you're connecting with your customers of this is what I'm collecting, this is why, this is what your choices are, and where I'm seeing companies go is creating a trust center, really updating that privacy notice with summaries, with hyperlinks, with visual boxes to make it a usable document and a conversation between.
The mistake is that they think it's just this check the box activity, they leave it and they never come back to it. But anytime you're going to go and embark on some type of new marketing campaign, strategy platform, you want to come back to it.
The other is being very trusting with the cool new marketing technology that you're going to be using. When you hand over that data, it's stored on their servers. Well what are they doing with it? Some of them will say well I have access to it, thank you for storing it with me, I'm going to do XYZ. Or what are the security controls that they have around that data, because if there's a data breach with that email service provider and you had my email, I'm going to blame you, the brand, not really the other service provider, because I was the customer, I trusted you with my email, it's your job to go make sure you're working with vendors that make sense.
Those are kind of the big ones, and then I think just in general is either going too conservative where especially in GDPR they stopped everything. And there's ways to work around that, there's ways to have some creative messaging, to still be able to entice people to opt into your lead magnet and do things like that. And the others I think where people try to hide what they're doing because they're scared if they're forthright and explain we're collecting your data, or we're sharing it, or we're selling it, that I might not use your service, and I think what people want is honesty and integrity.
I've seen companies where it's free, and they'll have a little data page, and on that page they'll explain thanks for using our service, we're a free service, this is why, this is what we do with our data. Thank you for telling me, it's my choice now, if I want to use you, or if I don't. You were honest and I appreciate the honesty.
Check Out The Podcast!
Everyone should have insight on privacy laws to understand how their personal information is being used. If you're a business owner, this is even more important. Check out the full episode to learn more: