Digital Marketing in a Privacy-Conscious World

Summary

  • Data privacy should be at the forefront of every digital marketer’s mind now more than ever. Consumers are now more privacy conscious, privacy regulations are being introduced and enforced, and the market is responding to these changes.

  • There are specific privacy laws that apply to using customer data for digital marketing. But these laws don’t prescribe how digital marketing should be conducted. They simply set out the outcomes that need to be achieved, so each digital marketing strategy will give rise to unique challenges.

  • “Personal information” may include a broad range of data, depending on how data is collected, used and combined by the business. Data that may not be personal information on its own may become personal information in the context of digital marketing.

  • To identify potential privacy risks in digital marketing, digital marketers should work with other stakeholders to conduct a data mapping exercise, privacy analysis or a privacy impact assessment.

  • Various measures will need to be taken where risks are identified, including review of third-party supplier arrangements and updating external and internal policies.

Why do digital marketers need to care more about privacy now more than ever?

Digital marketing practices are allowing companies to reach new heights much faster than ever before. There is now an abundance of tools and technologies that allow companies to leverage consumer data in a way that helps them scale rapidly. Customer data can be generated, collected and used by businesses to maximise interaction between consumers and brands, with the help of the sophisticated Ad-Tech and MarTech ecosystem. 

On the other hand, consumers are becoming increasingly privacy-conscious. Users are more careful about how their data is collected and used. They demand more transparency and control over the ways their personal information is used, and the ways in which companies handle personal information are facing more public scrutiny. According to a study from KPMG, nearly all U.S. consumers (97%) reported that data privacy is a concern and the majority of consumers (87%) view data privacy as a human right. Unsurprisingly, consumers also worry about what companies are doing with their data (54%). Privacy laws are also playing a significant role in shaping the ways digital marketing is conducted around the world. It is also an evolving area – New Zealand’s privacy legislation was recently updated with the introduction of the Privacy Act 2020 (NZ Privacy Act).

The market is responding to this changing consumer and regulatory landscape. Browsers are stamping out the use of third-party cookies, which will lead to a shift in the current Ad-Tech or MarTech ecosystem. Companies are revising their data strategies and prioritising data privacy as a key area of risk. Regulators are given more power to deal with dishonest and damaging practices and expose breaches to the public.

There is a clear incentive for digital marketers to adopt a privacy-centric approach to marketing activities. Falling foul of privacy laws and user expectations has a direct impact on the reputation of the business. Even being associated with a partner or supplier who is found to have loose practices could have the same effect. And in some jurisdictions, the fine for breaching privacy regulations can be substantial.

Overall, navigating this ever-changing landscape will require an effort at an organisational level, with marketing, IT, legal and privacy (sometimes PR and insurance) having to be involved in dealing with data-related issues. However, there are certain things digital marketers should be aware of so you can identify potential data issues, think about steps that need to be taken, and start conversations about them with other teams. 

What are the privacy laws that apply when using customer data in digital marketing?

The NZ Privacy Act 2020 is the primary legislation that governs the handling of personal information in New Zealand. It is principles-based legislation which means that it does not contain specific rules and processes that can be applied to different online marketing methods. It only sets out the outcomes that businesses need to achieve when dealing with personal information.  There are 13 information privacy principles set out in the Privacy Act, which cover:

  • when, from whom and how personal information can be collected

  • storage and security of personal information

  • access and correction rights of individuals

  • how personal information can be used and retained

  • when personal information can be disclosed to third parties or outside New Zealand, and

  • when and how you can assign a unique identifier to individuals.

An overview of these principles is available on the Privacy Commissioner’s website. There are also additional rules around reporting privacy breaches as well as criminal offences for certain acts such as destroying documents when a request has been made for them.

Overseas legislation could also apply to New Zealand businesses, especially if they operate a business or target customers in those jurisdictions. The key regulation which acts as the benchmark for privacy legislation across the globe is the General Data Protection Regulation (GDPR). The GDPR is more prescriptive than the NZ Privacy Act 2020 in a number of areas, such as the consent requirement and rules that apply to data processors. The potential fines are much greater (i.e. maximum of the higher of either 20 million euros or 4% of annual global turnover), and looking at the recent fines imposed over the last few years, it will be prudent to check with your legal teams whether your business will need to comply with it. 

Each digital marketing strategy and the functions of MarTech tools will require specific privacy considerations to comply with the principles in the NZ Privacy Act and, if applicable, the GDPR. Each situation will likely raise unique challenges, so it is important that all relevant stakeholders are involved in the conversations to successfully navigate the inherent ambiguity associated with privacy-related issues. 

What is “personal information” in digital marketing? 

Only certain data are subject to privacy laws. A key question for any digital marketer looking to leverage data is whether you are dealing with “personal information”. The NZ Privacy Act defines personal information broadly as information about identifiable individuals, and the GDPR has a very similar concept which it refers to as “personal data”. This information isn’t limited to the types of data that are usually associated with identifying people, such as phone number or email address. It also covers information which on its own may not be able to identify individuals (such as IP address or device details) but, once combined with other information, may reasonably be capable of doing so.

In marketing terms, any combination of data touchpoints that can be used to identify a single person, or be used as identifiers to track that person’s activities, will be treated as personal information. This means that any de-identified, anonymised, or pseudonymised data will still need to be reviewed carefully to ensure that it is not capable of identifying a single person even when combined with other information that the organisation has. Also, if you obtain non-identifiable information from data sources (e.g. a data management platform) to feed into another platform (e.g. a customer data platform) to create a more persistent customer profile, then such information could also be considered personal information under the Privacy Act. In other words, a piece of data should not be looked at in isolation in the state in which it is collected or stored. It should be viewed in the context of the processes and platforms used by the business as a whole. If it can be used by the business in any way to identify an individual (i.e. for “jigsaw identification”), then it should be considered personal information.

The type of personal information collected and how information is combined internally also matters. The more sensitive information is, the more steps you have to take to ensure you adhere to the principles of the NZ Privacy Act. For example, the threshold for proving you had a lawful basis for collecting sensitive information (e.g. health status, financial status, etc), would be higher than for the more standard identifiers such as email addresses.

Overall, identifying which data is personal information or can be used or combined to identify individuals is important. It will inform the assessments required and the risks associated with marketing activity.

How do I identify areas of risk in marketing practices? 

The starting point in assessing the risk associated with digital marketing activity is mapping out what data you collect and how it is used, combined, disclosed or transferred within the business. A detailed record that takes into account all internal and third-party tools and systems used to manage data in digital marketing will be needed to assess compliance with the privacy laws.

From a marketing perspective, it would be useful to segment each relevant marketing strategy and the technology systems and tools used, and identify data flows in relation to each specific technology solution. The map can then be expanded to include how they are connected and flow until the point the relevant data is deleted (or left static). You may also be reliant on third-party tools to provide you with either the data or executions required to maximise the effectiveness of your digital marketing strategy. In such a case, you would also need to understand the supplier’s data handling practices and the agreements you have in place with them that may have a direct impact on your own practices and compliance with the NZ Privacy Act. 

The mapping exercise can be done on its own as a general review or as part of a privacy analysis when your business is about to embark on a new project that changes or expands the way your business handles data. The Privacy Commissioner has published a useful toolkit for conducting a privacy analysis or a privacy impact assessment which is available here. (Note this tool has not been updated to reflect the changes introduced in the 2020 NZ Privacy Act, but it still provides a useful outline of the types of questions that organisations should be asking as part of any data-related project or proposal.)  

A privacy analysis of any new tool, system or process can help reveal if the change would have a real impact on the business’s data handling practices. Depending on the nature of digital marketing (whether it is a simple retargeting, web analytics, ad measurement, conversion tracking or a combination of these things), you will need to explore for example:

  • the purpose and objective of data collection and use

  • whether there are any configurations that can be implemented to track and design a privacy-conscious solution, as different configurations can result in different evaluations and privacy requirements

  • the terms that apply to the relationship with the supplier or partners

  • the types of personal information being used and processed in the strategy implemented, and

  • the storage duration of the data.

Of course, this exercise is not something that has to be done by marketing teams alone. You should involve your privacy, legal and IT teams to assess all associated risks.  

What needs to be done once a risk is identified? 

Having a map of the data flows from collection to deletion and an analysis of the risks will inform the various measures that will need to be taken to address potential issues and minimise risk. Configurations may need to be modified, data collection or sharing may need to be changed, and certain activities may need to be rolled back. From a legal and risk mitigation perspective, you will also need to look at the following.

Third-party supplier arrangements

You may need to revise your relationship or agreement with third-party suppliers who are identified in the mapping exercise. If you are relying on suppliers to collect or manage data on your behalf, your IT and legal teams should review their data handling and security practices and ensure there are sufficient protections in the agreements. For example, if you are using a supplier’s tool to process or store your data on your behalf, you will need appropriate terms that include obligations to notify you of any incidents, give you full assistance to deal with privacy issues and requests, as well as appropriate warranties and indemnities. If you are transferring data overseas, you may also need a data transfer agreement in place.

Privacy statement

When you collect personal information, you must make specific disclosures to ensure the person is made aware of:

  • what information you are collecting

  • why you are collecting the information

  • what the information is going to be used for, and

  • who will receive it.

A review of the data flow may reveal certain areas that need to be updated, particularly if you are implementing a new MarTech solution that relies on customer data. It is also important that any statement or policy is presented in a way that is readable and user-friendly. Any unexpected statements, such as the collection of sensitive health information, should be made more prominent via a separate tick box.

Internal policies

Digital marketers play an important role in helping their businesses reach new customers in the digital world. In doing so, you will need to work with various stakeholders to place the business in a good position to use customer data in a privacy-conscious way. The stakes for privacy breaches – and in turn the trust of customers – are now higher than ever. 

Your business should have internal policies for dealing with both privacy-related enquiries and data breach incidents. These policies may need to be updated to account for any risks identified in the process mapping exercise mentioned above. If you are implementing a specific online tracking solution, you may need to develop processes to handle customer data enquiries relating to such a solution and ensure you can work with the solution providers to fulfil enquiries. The incident response may also need to be updated to account for potential issues that may arise due to the new solution, in particular the criteria developed for assessing the severity of the breach for notification and response purposes.

Bio

Samuel is an Associate Director at JW Legal where he leads its commercial advisory practice. He has broad experience in commercial matters with a focus on technology (including data privacy), intangible assets and new innovations. If you have any questions or comments regarding this article, please get in touch with Samuel (e: samuel.choi@jwlegal.co.nz | p:+640212848699). 

Justin Flitter

Founder of NewZealand.AI.

http://unrivaled.co.nz