ePrivacy Law Marketers Need to Know

© 2014 Marketo, Inc. Marketo Proprietary and Confidential

Duncan Smith CEO, iCompli

Autumn Tyr-Salvia Email Strategy & Compliance Analyst, Marketo

Liz Smyth EMEA Marketing Director, Marketo


Liz Smyth EMEA Marketing Director

@lizsmyth

Page 3 © 2014 Marketo, Inc.

The Rise of the Marketing Nation


THEN NOW

Information: SCARCITY

Purchasing Power: SELLERS

Organizational Power: SALES

Information: ABUNDANCE

Purchasing Power: BUYERS

Organizational Power: MARKETING

Unprecedented Changes in Buying


Finding customers Being found

Point in time blasts 1:1 Durable relationships

Demographic Behavioral segmentation

Few/isolated channels Exploding/integrated channels

THEN NOW

The New Rules of Marketing Engagement

#1

#2

#3

#4

Intuitive decision making Owned, big time series data #5


The Bottom Line: Everyone Can Market Like Amazon

Duncan Smith CEO, iCompli

@Duncan_iCompli

Copyright iCompli Ltd 2014

Two important privacy ‘agents’

What PEOPLE are aware of

and want

What the LAW requires us to

do

People ‘datafication’ How accurate is too accurate?

The understanding and application of privacy is not an academic exercise; it has a measurable impact on corporate risk and customer relationships. Let’s look over the ‘brow of the hill’ and prepare ourselves for legal and cultural changes.


Is the Perfect Storm on it’s way? “Perfect storm" of more data, more REGULATION

more ENFORCEMENT AND more AWARENESS


Data

Device

‘Hamster Wheel’



CULTURE AND AWARENESS Are they people saying anything?




and want


do


DMA research

The Data privacy: What the consumer really thinks is published by The Direct Marketing Association (UK) Ltd



‘Stealth wear’, a reflection on changing attitudes


‘Stealth wear’, a reflection on changing attitudes

Hyper-local maps





and want


do


Source: Data Guidance http://bit.ly/1j2s9iw


Do PEOPLE care about their privacy?

Technology is driving the collection/appetite for data Is the backlash coming?

Black, gay or Democrat? Facebook Likes are 85-95% accurate

we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons


What changes are on the RADAR

EU General Data Protection Regulation (GDPR) 2014: On going negotiation between EC, Council of

Ministers and Euro MPs 2014/15 Plenary Vote 2016 Q1 Possible implementation

PRISM mass surveillance under microscope 2014 Q1 first reading of enquiry including reviewing the Safe Harbor and binding

corporate rules governing EU to US data transfers Rise of ‘Trust Me’ badges


6 to watch out for..

Breach Notification

Mandatory data loss

disclosure

Privacy Process

PIA and Policies

Children

Under 18s

Right to be forgotten

Consent withdrawal, data erasure

Processor Controller obligations

More responsibility

for data security

Legitimate interests

Consent rules ‘harden’



New Behavioural Advertising Rules

Re-Targeting and Re-

Marketing

User visits a site

User completes a

particular action

Groups of users

formed based on

their actions

Groups are re-targeted and served specific ads

• OBA Rules - in force on 4 February 2013 - require third parties to give clear and comprehensive notice to users that; • they are collecting and

using web viewing behavioural data for the purposes of OBA, and

• how a web user may opt out of collection and use

• Must not create ‘segments’ to target under 13s


OBA Focus in the EU Non statutory changes These are in addition to Privacy

and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (‘Cookie law’) Emergence of self certify ‘Trust

Me’ schemes


Autumn Tyr-Salvia Email Strategy & Compliance Analyst

@aceofemail


Global Privacy Law


Why is spam considered bad?

• Receivers pay to receive email • More than 90% of email is spam • = Lots of money wasted!


US Email Law

• CAN-SPAM • Does not prohibit sending unsolicited email • Requires functional unsubscribe • Prohibits email fraud


US CAN-SPAM

CAN-SPAM: Not terribly effective at reducing unwanted email


Canada Email Law

• CASL – Enforcement Starts July 1, 2014! • Requires opt-in

o Very specific about opt-in methods • Passive opt-in expires

o 6 months for inquiries o 2 years for former customers

• Covers all Canadians • Private right of action (2017)


Best Practices

• Stricter than US law – comply with global antispam community • Direct opt-in – not opt-in to a third party data vendor • Engage in best practices to get the best results


Cookies

• Essential functions: • Personalization • Site preferences • Shopping carts • Analytics • Marketing data

• Fears: • 1984


US Cookie Law

• California Privacy Law AB370 • Disclose whether you respect “Do Not Track” • Disclose whether 3rd parties collect PII for you • Have a comprehensive privacy policy


Canada Cookie Law

• CASL • Virtually no restrictions on cookie tracking


Australian Privacy Act (1988)

Ten National Privacy Principles for handling personal information: • Collection • Use & disclosure • Information quality & security • Openness • Access & correction • Identifiers • Anonymity • Trans border data flows • Sensitive information

Permission for email is by Opt-in only, that is Express consent (direct from the recipient) or Inferred consent (a relationship with the customer already exists).


Australian Privacy Act (2014) By March 2014, Australian organisations with annual revenues of over $3Million will need to comply with an amended Privacy Act. These organisations will need to detail how they handle personal information, & understand the changes to when personal information can be used for direct marketing or be sent overseas, for example –

• An organisation must notify a user of the intended purpose of collecting

their information at the point the personal information is collected. • Consent must be kept up-to-date & customers should be informed when

their data may be used for a different purpose to what was communicated when it was stored.

• From March 12 if data is disclosed offshore to a 3rd party provider the organisation can be held vicariously liable for any breach by that third party (i.e. a breach by your cloud computing provider is treated as your breach) meaning additional due diligence & bespoke contracts may be required.


New Zealand Privacy Act (1998)

Twelve privacy principles: • Collection of personal information (1-4) • Storage & security of personal information (5) • Requests for access to & correction of personal information (6 & 7) • Accuracy of personal information (8) • Retention of personal information (10 & 11) • Use of unique identifiers (12)

Permission for email is by Opt-in only, that is Express consent (direct from the recipient) or Inferred consent (a relationship with the customer already exists)


OUR ADVICE What are our recommendations?


Top 5 Things you can do now

1. Get your finger on the pulse and start ‘following’ people and organisations who report on changes to privacy law

2. Raise the privacy ‘bar’ in your organisation, get it on the agenda and start to prove the business case by demonstrating TRUST-PRIVACY-SALES go hand-in-hand.

3. Be AWARE of your target audience and their differing privacy attitudes

4. Privacy impact assessments and privacy by design are coming – you might as well start now (see 2 above)

5. Use personal data to deliver demonstrable benefits (‘Genius’).

@Duncan_icompli


5 ‘Low hanging fruits’; quick easy privacy impact assessments 1. Revisit your web assets and check what cookies/tags are

dropped 2. Confirm they are described/listed in your privacy policy 3. Confirm there is a clear message on ‘first access’ that

your site uses cookies and present options to manage/limit collection of data

4. Set your customer record to have a ‘provenance’ field aka ‘where did you get my name from’?

5. Record data provenance on all new contact/leads acquired


Questions?

Duncan Smith

Autumn Tyr-Salvia Liz Smyth @lizsmyth @Duncan_iCompli @aceofemail