As Europe’s General Data Protection Regulation forces companies worldwide to conform to stricter privacy standards, firms are struggling to determine how they can safely implement GDPR, protect user data from hackers, and be transparent in online advertising and communications to avoid a public backlash and/or regulatory penalty. Allie Bohm, Policy Counsel at Public Knowledge and a speaker at the August 2 Cynopsis Measurement & Data Conference, says brands need to think about their data policies “from the bottom up.”
But first, find a good lawyer. “Much of what it means to ‘implement GDPR’ is still being worked out both through regulation and through litigation in Europe, so how to safely implement GDPR is actually a challenging question,” says Bohm. “Where brands are collecting Europeans’ personal data, the best course of action would be to consult with a European lawyer who is an expert on this topic. The International Association of Privacy Professionals has a certification for ‘Information Privacy Professionals’ focused on Europe, and an attorney with this certification would be a good bet.”
As for protecting user data from hackers, “Brands should think about their data collection and retention policies practices from the bottom up, starting by asking what user data they collect,” advises Bohm. “Do they really need that user data? And, if so, for what purposes? How long do they need to retain the data to achieve those purposes? What would be the costs of losing user data – both in terms of financial cost and reputational cost, as well as any other costs? In light of the answers to those questions, brands should think about what they need to do to protect user data. At a minimum, brands should adhere to the latest, state of the art data security practices. But, in many instances, the best security policy is what’s known as ‘data minimization’ – not collecting or storing extraneous data in the first place. If brands do not have the data, they cannot lose the data and data thieves and other malicious actors seeking the data will have less of a reason to target the brands.”
Transparency in online advertising and communications is super-important to avoid a public backlash, and brands should voluntarily implement the notice and consent practices they adopt to comply with the GDPR in the United States and in the non-European countries where they operate, says Bohm. “They should find user-friendly ways to inform users of the data they collect and store, why those data are collected and stored, how long those data are retained, and with whom those data are shared. For data points that are not necessary to complete the user-requested transaction, brands should allow users the option to not have the data collected, stored, or shared at all. To the greatest extent possible, these notice and consent points should not be buried in the depths of a privacy policy, but rather should be displayed to users in formats in which they are likely to actually observe and absorb the information and make an affirmative election. These actions will build good will among users. Also worth noting, says Bohm, is that “many users will opt-in to targeted advertising, because they find it to be time-saving and prefer to see advertisements that are relevant to their interests.”
As for avoiding regulatory penalty, it is important that brands are honest about what they do and do not do with user data. “The Federal Trade Commission has the authority to take enforcement action against companies that engage in unfair or deceptive practices,” points out Bohm. “A deceptive practice occurs when a company says that it is doing one thing, but actually does another. So, if a brand claims that it will delete user information upon a user’s request or that it does not collect certain data, it must, in fact, delete the data upon request or decline to collect the particular data, respectively. The FTC uses its unfairness authority much more sparingly, but to ensure compliance, companies should make sure to avoid actions that (a) cause (or are likely to cause) ‘substantial injury’ to users, (b) where there is no way the user could reasonably avoid the harm, and (c) there are no countervailing benefits of the action to the user.”
The Cynsiders column is a platform for industry leaders to reach out to colleagues, followers, and the public at large. In their own words and in targeted Q&As, columnists address breaking news, issues of the day, and the larger changes going on in the ever-evolving world of television, video and digital. Cynsiders columns live on Cynopsis’ main page and are promoted across all daily newsletters. We welcome readers’ comments, queries, and column ideas at [email protected].