Reading: Privacy Laws

Drawing of a computer keyboard. All the keys are blank except seven in the center row, which spell the word PRIVACYWhat does privacy mean in today’s world? Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. Most of us expect some level of privacy, but the boundaries around privacy can differ depending on the individual and the situation.

The right-to-privacy issue has gotten more complicated as our culture has come to rely so heavily on digital communication—for everything from social networking to education to conducting business. Marketers have been quick to capitalize on the potential of digital technology to yield creative, aggressive techniques for reaching their target buyers. Sometimes these aggressive tactics cause a public backlash that results in new laws.

TELEMARKETING- DNCL

For example, intrusive telephone marketing activities led to the passage of the the Do-Not-Call (https://crtc.gc.ca/eng/phone/telemarketing/) Act of 2008, which permits individuals to register their phone number to prevent marketing calls from organizations with which they don’t have an existing relationship.

10 year anniversary for the Do Not Call list from 2008/9
10 year anniversary for the Do Not Call (DNC) list from 2008/9

The act was intended to protect consumers from a violation of privacy (incessant sales phone calls particularly during the evening hours), and it closed down many businesses that had used telephone solicitation as their primary sales channel.

PRIVACY

What follows is an overview of important privacy laws that have a particular impact on marketers. These are areas in which marketers need to be thinking ahead of the law. While there are plenty of perfectly legal marketing tactics that utilize personal information, if they are a nuisance to prospective customers, they are probably not good marketing and may be affected by future legislation when the public decides it has had enough.

Email Spam- CASL

Have you received email messages without giving permission to the sender?

Canada’s Anti Spam Legislation (CASL) doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial Web sites.

This includes malware, spyware and viruses in computer programs, in spam messages, or downloaded through infected Web links. That means that all email—even, for example, a message to former customers announcing a new product line—must comply with the law.

Managing Customer Data- PIPEDA

The Personal Information Protection and Electronics Document Act (PIPEDA) is the federal privacy law for private-sector organizations. Sometimes companies and organization possess personal data about their customers that is collected during the course of doing business. The most obvious examples are medical organizations that keep confidential patient records, financial institutions that capture your financial data, and educational institutions that record student test scores and grades. Other companies might know your contact information, your purchase patterns, and your Internet-shopping or search history. These organization all have important legal responsibilities to protect your data. Most of these alleged practices involve basic, fundamental security missteps or oversights.

 

The Privacy Commissioner offers practical tips that you can implement (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/tips-bus_info/) to reduce the vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.

Key Takeaways For Good Corporate Cyber-Hygiene

  1. Start with security: only collect customer data when necessary; be transparent; and treat the data with extreme care.
  2. Control and restrict access to sensitive data.
  3. Require strong, secure passwords and authentication; protect access to sensitive data
  4. Store sensitive personal information securely and protect it during transmission: use best-in-class security technology.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network: put sensible access limits in place.
  7. Apply sound security practices when developing new products; train engineers in security and test for common vulnerabilities.
  8. Make sure your service providers implement reasonable security measures: write security into contracts and verify compliance.
  9. Establish procedures to keep your security current and address vulnerabilities that may arise; heed credible security warnings.
  10. Secure paper, physical media, and devices—not all data are stored digitally.

These 10 principles of PIPEDA (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/) may seem like overly technical considerations that aren’t important to someone working in a marketing organization, but in the same way that it is important for a marketer to protect its company from product liability suits, it is important to protect customers from security breaches related to the company’s products, services, and marketing activities. You must receive consent to collect the

Protecting Privacy Online

The Internet provides unprecedented opportunities for the collection and sharing of information from and about consumers. But studies show that consumers have very strong concerns about the security and confidentiality of their personal information in the online marketplace. Many consumers also report reluctance to engage in online commerce, partly because they fear that their personal information can be misused. These consumer concerns present an opportunity for marketers to build consumer trust by implementing sound practices for protecting consumers’ information privacy. Cybersecurity or hacks happen to large and small firms. In 2018, the Standing Senate Committee on Banking, Trade and Commerce examined the issue. Both consumers and companies are not as vigilant as they should be.[1]

Corporate Cybersecurity breaches impact Millions
Corporate Cybersecurity breaches impact Millions

Notice

Consumers should be given notice of an entity’s information practices before any personal information is collected from them, including, at a minimum, identification of the entity collecting the data, the uses to which the data will be put, and any potential recipients of the data.

Consent

Choice and consent in an online information-gathering sense means giving consumers options to control how their data is used. Specifically, choice relates to secondary uses of information beyond the immediate needs of the information collector to complete the consumer’s transaction. The two typical types of choice models are “opt-in” or “opt-out.” The opt-in method requires that consumers give permission for their information to be used for other purposes. Without the consumer taking these affirmative steps in an opt-in system, the information gatherer assumes that it cannot use the information for any other purpose. The opt-out method requires consumers to affirmatively decline permission for other uses. Without the consumer taking these affirmative steps in an opt-out system, the information gatherer assumes that it can use the consumer’s information for other purposes.

Security

Information collectors should ensure that the data they collect is accurate and secure. They can improve the integrity of data by cross-referencing it with only reputable databases and by providing access for the consumer to verify it. Information collectors can keep their data secure by protecting against both internal and external security threats. They can limit access within their company to only necessary employees to protect against internal threats, and they can use encryption and other computer-based security systems to stop outside threats.

New Standards for European Privacy – GDPR

All websites should have a privacy policy and offer the ability to consent or opt out of any personal data collection and clearly outline who is collecting what data. Cookies are the device that track your data and use of a website.[2]

 

The new 2018 European Privacy standards (GDPR) are considered best practices globally. It appears the majority of websites do not comply.[3]
(https://www.zdnet.com/article/cookie-consent-most-websites-break-law-by-making-it-hard-to-reject-all-tracking/”)

In the evolving field of privacy law there is an opportunity for marketers build trust with target customers by setting standards that are higher than the legal requirements and by respecting customers’ desire for privacy.


  1. https://sencanada.ca/content/sen/committee/421/BANC/Reports/BANC_Report_FINAL_e.pdf
  2. https://us.norton.com/internetsecurity-privacy-what-are-cookies.html
  3. https://www.zdnet.com/article/cookie-consent-most-websites-break-law-by-making-it-hard-to-reject-all-tracking/

License

Icon for the Creative Commons Attribution 4.0 International License

Introduction to Marketing I (MKTG 1010) Copyright © 2020 by NSCC & Lumen Learning is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.