Recently the Attorney General of California (Rob Bonta) announced that Sephora had reached a settlement with the state for continued violation of tenets of the California Consumer Privacy Act (CCPA). According to the settlement, Sephora had been notified of their violations and were unable to address and/or correct them within 30 days of notice which forced the state to sanction the brand via financial penalties in the amount of $1.2M dollars.
Brands have been struggling to bring marketing and information technology stacks into compliance with modern data and privacy regulations that are being issued by various world governments (e.g. CCPA, GDPR) hoping that regulatory auditors would be lenient and/or forgiving. California has clearly stated that they are no longer taking the issue lightly and have given fair notice to businesses and data processors to comply. The South Korean Personal Information Protection Commission (PIPC) has also started cracking down on brands and recently issued over $71M dollars in fines to Google and Meta (Facebook) for using improperly gathered data to personalize advertisements. The European Union GDPR authorities also continue to hand out very sizable fines to businesses misusing user data and user consent.
While it can be a very challenging task to contend with strict and ever changing regulations; the problem can be broken down into workable units (especially while partnering with consultants such as AMP Agency). Where possible it’s easiest to adhere to the most limiting regulation your brand is subject to so that there is no need to maintain or defend multiple workflows based on customer residence or other criteria.
Some helpful guidelines regarding the gathering and maintenance of consumer marketing consent:
- Leave nothing to chance, spell out exactly what you are doing with the data
- Consent language must be clear and easily understood
- Consent must be freely given, no deception or coercion
- Consent is a one-time non-editable event
- You cannot change consent without asking
- You cannot change refusal of consent
- You can ask for new consent or different consent
- Consent must be a positive action
- Must be a click or checkbox …. “Yes, I agree” or an actual signature
- Absence of action is not consent
You are generally allowed to send non-consensual communications when they are specific to:
- A transaction that requires confirmation or notice such as an eCommerce order notification
- A communication that is required as means to complete a contractual obligation on part of the user or organization
- A communication that is required by a specific membership or operational model where said model is clearly stated in a terms of service (e.g. operational emails to a franchise owner, delivery of a digital magazine subscription)
As part of a Marketing Organization you need to be able to answer these questions:
- Is the organization capturing personally identifiable information such as name, address, birthday, gender, photographs, phone numbers, email addresses, IP addresses (this list is not exhaustive)?
- Is the organization capturing financial data, biometric data, genetic data, or any data regarding a user’s physical health?
- What kinds of data processing or models are already being performed?
- What are the current and anticipated use cases for processing user data? How long do you intend to hold the data?
- Do you have existing consents for user data? Can you provide a record of active consents?
- How was user consent to capture and process data collected?
- How does the organization flag and handle a user’s withdrawal of consent?
A simplified action plan/checklist you can use to plan your adherence to regulatory guidelines:
- Audit your existing data and vendors
- Look across all systems and integrations
- Your vendors’ liabilities are your liabilities!
- Document how the data is being used
- How, where, when, and why
- Update your policies and procedures
- Make sure the data is secure and exposed only on a “need to know” basis
- Make sure there is a data breach policy
- Make sure there is a listed contact in data policies such as a Chief Data Officer, including various methods of contact.
- Build mechanisms to capture clear consent
- Where possible turn on Double Opt-In policies
- Update the Terms of Service where applicable
- Deploy Web Forms with clear notices and positive consent action items (e.g. user checks checkbox)
- Build a subscription preferences page and make sure communications adhere to it
- Add cookie/tracking pixel disclaimers where applicable
- Regather user consent whenever the data is unclear
- Respect consent and preferences
- Use Opt-out and exclusion lists
- Make sure segments contain proper audiences
- Provide a means to update and/or revoke consent
- Provide useful content options in a preferences center
- Send unsubscribe confirmations
- Make sure consent is always a positive action
- Click, checkbox, signature
- Make sure you have policies to handle customer data requests- Right to be forgotten (deleted from all systems)
- Right to full disclosure (data record report from across all systems)
- Remove anything broken or out of compliance
- Implement all of your new best practices into all your future campaigns
- Always remember consent is key!
- Always remember consent is revocable!