Scarcely a media week goes by these days without a high-profile complaint about a breach of privacy, mostly by social media companies but also by government agencies and businesses.
A “horrified mum” says Google Street View published naked pictures of her kids playing by the paddling pool. Facebook helped advertisers target teens who feel “worthless”. A Ministry of Social Development “rush” to bring in a new data collection policy “jeopardised welfare agency clients’ privacy”.
As businesses and governments push out the frontiers of what is possible using digital technology, regulators are starting to react.
The European Union’s new General Data Protection Regulation, for example, comes into force next May. Under GDPR, customer consent for all data collection and use will have to be explicit. That is, companies will have to be able to demonstrate on demand that each customer from whom they collect data has “ticked the box.”
New “access” rights include consumers’ right to object to their data being used for marketing purposes, and a right not to be profiled. Penalties for breach are draconian – the maximum fine is €20 million ($32 million).
Given the many rounds of submission and argument involved in producing GDPR, and its global reach, it’s likely the voluminous document will be by the elbows of privacy commissioner John Edwards and Department of Justice officials as they work through the update of privacy law announced late last year.
GDPR-style regulation might be something of a stockade in the new Wild West, but marketers need to start making sure that all customer data they hold, use, or plan to gather sits inside the fence.
Facebook’s data on moments when Australian teenagers are thinking about “looking good and body confidence”, for example, might be of interest to marketers of cosmetics or gym memberships but it is unlikely to breach GDPR if the information used is anonymous and aggregated.
But more borderline examples abound. Simply Google-targeting ads to IP addresses whose owners have visited your website is unlikely to require consent, but basing your pricing on individuals’ previous purchases of your products will be highly risky.
Even with existing customers, companies will need specific permission before sending them individually any sort of marketing material via their email or physical address.
Marketers need to start asking hard questions about where the data for a campaign has come from, and whether they can demonstrate individual permissions for that data to be both collected, and used in the way proposed.
At this point, that involves asking whether systems are in place to identify what data is held on every individual consumer, and how they will go about securing permission from those who have not already given it.
With an election on the way, a GDPR-inspired New Zealand privacy law upgrade may take some time to make it onto the statute books, which is just as well because getting data, systems and permissions ready will not be a quick and simple task for many organisations.