Venture capitalist Mary Meeker addresses an important question when she refers to the “privacy paradox.” How do companies use data to provide better consumer experiences without violating consumer privacy?1
The Cambridge Analytica privacy breach is still fresh, Europe’s new data protection regulation is now in force and the Internet of Things (IoT) is creating more connected devices that report on our behaviour and location. Plus, a recent study reveals that 77 per cent of Canadians have some concern about their online privacy.2
Ninety per cent of the data in the world today has been created in the last 2 years. Our current output is roughly 2.5 quintillion bytes a day and that’s going to keep growing. The digital world has created a proliferation of data and has fundamentally transformed how we live. As consumers – particularly millennials – ask for increasingly customized experiences, how do we feed their appetite and defend their right to privacy?
Concerns are understandable, whether you’re a business or a consumer. So, we’ve put together this post to guide you through the most important aspects of data privacy, bring you up to speed on latest developments and provide important context around the respectful use of consumer intelligence.
Cambridge Analytica and Facebook
Recent events opened eyes to just how vulnerable online personal information can be. This UK affiliate of a U.S. political data firm gained access to private information of up to 87 million Facebook users3, including identities, friend networks and “likes.” Cambridge Analytica used the data to offer tools that could identify personalities and influence voter behaviour using hyper-specific digital ads. The technique is known as psychographic targeting. According to its website, Cambridge Analytica “uses data to change audience behavior,” both commercially and politically.4
General data protection regulation (GDPR)
The EU’s most significant change in data privacy regulation in two decades came into effect in May. It creates one set of rules for companies operating in the EU, even if they’re located outside of it. These regulations give people more control over their personal data, and businesses benefit from a level playing field.
The GDPR imposes stiff penalties for organizations in breach (up to 4 per cent of annual global revenue or €20 million). The conditions for consent have been strengthened (clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language). It must also be as easy to withdraw consent as it is to give it.5
Canada has been ahead of most countries in protecting the privacy of its consumers. The Personal Information Protection and Electronic Documents Act (PIPEDA) and the Canadian Anti-Spam Legislation (CASL) help safeguard Canadians while ensuring that businesses can continue to compete in the global marketplace.
The good news is that it’s possible to respect privacy AND build a strong marketing data base. The key is to ask for consent and be fully transparent about what you will do with the information. Before we take a look at how to build a respectful database, let’s take a closer look at the legislation:
The personal information protection and electronic documents act (PIPEDA)
This Canadian federal law sets national standards for privacy practices in the private sector. It applies to the collection, use or disclosure of personal information in the course of a commercial activity. Legislation came into force in stages between 2001 and 2004, there were updates in 2015 and changes will also take effect on Nov 1, 2018 (including data breach reporting).
Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within Alberta, British Columbia and Quebec. These three provinces have general private-sector laws that are substantially similar to PIPEDA.
Organizations covered by PIPEDA must obtain consent when they collect, use or disclose an individual’s personal information. People have the right to access their personal information and challenge its accuracy. Personal information must be protected by appropriate safeguards, and can only be used for the purposes for which it was collected – or consent must be obtained again.6
Canadian anti-spam legislation (CASL)
In full force since July 1, 2017, CASL governs the use of commercial electronic messages (CEMs) and computer program installation in Canada. The legislation focuses on consent and privacy rights. It outlines strict regulations for businesses and executives – with hefty fines for those who don’t comply – as large as $1 million for individuals, and $10 million for corporations.
There are two forms of consent that are acceptable under CASL – implied and express.
Consent, either orally or in writing, must be obtained before sending the first electronic communication for commercial purposes. If someone subscribes to an e-newsletter, for example, they have consented to receive electronic communications.
Businesses must keep a record of consent and how they obtained it as the onus of proof lies with them. Opting out must be an option.
Opting out must be an option
There must be an easily visible and functional unsubscribe option in commercial electronic messages. If someone hits the unsubscribe button, marketing-style electronic communications must cease within 10 business days.
Natasha Beznosova is Manager of Compliance at Canada Post. She advises, “If you have an existing relationship with a customer, you already have implied consent to reach out to them electronically for business purposes. But, you have to give them the opportunity to unsubscribe from your future communications and otherwise comply with CASL.”
Depending on your electronic message platform, creating an unsubscribe option can be difficult. It’s included when you use email tools like Mailchimp and LinkedIn Inmail, but is more complex to incorporate into day-to-day email tools like Gmail. Read Mailchimp’s handy guide to making emails CASL compliant.
I think it’s a real challenge for marketers to find the balance between personalization and data privacy. But it really comes down to having an open and transparent relationship with your customer so they understand why you’re collecting information, and how you’re going to use it. As long as you’re doing that, you can deliver those personalized experiences that they want and expect.
Canada Post takes consumer privacy very seriously. As an intermediary between businesses and consumers, we take a proactive approach to consumer data protection – believing in transparency and respect. We’ve been delivering to Canadians every day since 1867.
16 million addresses and 62 million parcels
Ours is the largest geo-location database in the country. We’re trusted with important mail like your new bank-card, tax information or utility bill. We help celebrate your life events, with wedding invitations, birth announcements and thank you cards. We also deliver the online world. At last count, we brought you 62 million parcels in peak holiday season.7
Although over three-quarters of Canadians have some concern about their online privacy, the same research shows that consumer comfort is improving, and that there is an appetite for a healthy exchange of data. Personalization is key to reaching consumers with messages that interest them. To achieve this, the relationship between marketers and their customers should reflect a respectful, transparent exchange of value. With access to over 16 million addresses in Canada, and exclusive access to apartments and condos, Canada Post’s Smartmail Marketing™ program delivers relevant and informative offers from trusted brand partners.
Our top 3 tips for respectful use of data
Considerate use of data is the best approach for marketing success. Lavigne Lind explains,
“Unless we have consent, Canada Post’s data intelligence defines insights within a postal code, which is a grouping of 20 households. By aggregating data in this way, we’re not targeting the individual – we’re using strategic, intelligent targeting to connect more people with the brands they want to hear about.”
A respectful and thoughtful use of data can be a major win for a brand, turning customers’ heads towards products and services that will truly resonate with them. It shows customers that the brand understands them and wants to cater to their interests. Postal Code Targeting zones in on a hyper-relevant population that has shared characteristics or demographic variables. As Lavigne Lind explains, “What’s really interesting about Canada Post’s geolocation targeting is the postal code. A lot of digital marketing channels are much more limited. The accuracy of location targeting via digital display is somewhere between 0 and 10 per cent, whereas we can zone in on any postal code in Canada with 100 per cent accuracy.”
Before we go, we’ll leave you with these top 3 tips for respectful intelligence:
Tip 1: Obtain consent
Whether implied or express, customers want to feel noticed and recognized, but not exposed.
Tip 2: Consider the consumer.
This is so important because it’s a conversation between real people, not revenue streams.
Tip 3: Collect useful customer data and explain why
Many businesses simply collect email address, and that’s a shame. Sharing a postal code allows businesses and consumers to leverage Postal Code Targeting, by locating anonymous groups of people that are likely to share brand enthusiasm. Let them know you’re searching for great customers like them.