Inside 1to1:Privacy

Privacy by Design primer for marketing pros

September 9, 2011

By Jay Cline, CIPP

If you're in marketing and you want to show you're current on the latest trends involving personal data, slip this in at your next team meeting: "We need to have a point of view on Privacy by Design."

Privacy by design--or PbD for short--has gained more traction lately as the recommended solution for technology companies releasing new products. As marketing and technology increasingly overlap, however, the potential use of PbD in marketing departments is also growing.

Just ask Apple and Google. They recently came under congressional scrutiny for designing smartphone operating systems that didn't fully minimize the use and protection of location-based data. Critics claimed that inserting privacy requirements into the design phase of these systems could have prevented these privacy shortfalls, which created a media frenzy that drowned out their product-marketing campaigns.

This idea of incorporating the fair information principles (see box) into the design requirements for software applications, hardware components and user devices isn't new. Compliance and audit professionals have long preached the virtues of thinking about controls before launching new projects instead of as a more costly afterthought. 

About the Fair Information Principles

A 1973 advisory committee to the U.S. Department of Health and Human Services identified the following principles as core to ensuring personal privacy. These principles influenced the development of similar and expanded lists of principles in Canada, Europe, Latin America, Asia and now Africa.

  • Notice - inform individuals about how their data may be collected, retained, secured, used, and disclosed
  • Choice - provide individuals control over secondary uses of their information and minimize the collection, use, and retention of data for primary uses
  • Access - provide individuals a way to review and correct what data has been collected about them
  • Security - maintain the confidentiality and integrity of personal data
  • Enforcement - hold the organization collecting personal data accountable to these principles through internal and external oversight mechanisms

The difference with Privacy by Design is it has a high-profile champion--Ontario Privacy Commissioner Ann Cavoukian. Although a number of corporate privacy officers were practicing privacy by design before Cavoukian coined the term, she’s been the voice most responsible for formalizing the concept and advancing it with industry and fellow regulators. Cavoukian’s efforts have caught the attention of Forbes, which, in an article this summer, praised Intel, the Graduate Management Admissions Council and Location Labs as early adopters of the PbD approach.

Inside 1to1: PRIVACY caught up with David Hoffman, Intel’s director of security policy and global privacy officer. Hoffman explained that Intel has integrated privacy into its Secure Development Lifecycle (SDL) for product development, new data processing and marketing campaigns. This integration takes the form of assessment and reference documents as well as champions in each business unit who validate the completed assessments.

It’s easy to see how Privacy by Design can help technology companies, but what does Privacy by Design have to do with the marketing agenda?

As marketing campaigns increasingly leverage social media technologies and mobile devices, their chances of making highly visible privacy blunders have also escalated. If marketing departments wait for their IT or legal departments to fully brief them on the privacy aspects of their planned campaigns, they could end up explaining to their executive team why they have been called to appear before Congress.

How can marketing co-opt PbD? Follow these five steps.

1. Change the mindset

If your marketing team views privacy as an obstacle that legal exaggerates, think again. Privacy in the new media is a consumer expectation. Moreover, privacy laws are here because citizen-consumers demanded them.

What's a better mindset? Be curious about the privacy interests of your target audience. Start adding privacy-related questions to your research of target audiences. Tap into this data and use it to your advantage to generate higher engagement and retention. Lead with privacy instead of ducking from it.

2. Build a PIA into your BRD

How do you systematically design to the privacy interests of your target audience and offer them privacy as a service? Convert your target audiences' privacy interests into a "privacy impact assessment" (PIA). A good PIA is a decision-tree-based checklist of questions that asks you how your product or campaign is going to collect, store, use, disclose and destroy personal data. Using a well-crafted PIA based on audience-member research can help you weigh the campaign risks and trade-offs of sharing data with different systems and third parties.

3. Add a micro-notice to that micro-site

One-page micro-sites have become the crossroads of social media marketing campaigns. They're the landing pages for consumers who've clicked on a link, and they bring them one step closer to completing the call to action. For many campaigns, the micro-site is also the first step toward collecting or pre-populating personal data from the audience member. The micro-site becomes a privacy point of interest. If consumers have even the slightest hesitation about the information being asked of them, they could drop out of the process.

Prevent that drop-off by adding a short privacy notice or "micro-notice" to that landing page. Tell the consumer why you need the data you're asking for and that you won't share it with others for marketing purposes, and include a link to your full privacy notice.

4. Create privacy self-service

You've heard of software-as-a-service. Offer your audience members privacy as a service. This could include options such as just-in-time privacy notices; a personal profile and permission-management center, and live chat for privacy questions. Enable consumers to dial up and down the level of frequency for marketing communications instead of just having an all-or-nothing on-off switch. Offering privacy as a defined service level can help you avoid leaving money on the table from consumers who want to micromanage their privacy experience like they do on Facebook.

5. Test and refine

Measuring impact is a daily reality for marketing departments. Spend X dollars on a campaign to generate Y dollars in sales. Privacy's role in improving or worsening your marginal returns shouldn't be overlooked in this measurement process. Run "A/B" tests, where you take one privacy approach with audience segment A and another with audience segment B. Document your findings and lessons learned, and keep them available in a shared area so that your future campaigns can start a leg ahead.

Up until about a year ago, if you announced at a party that your job was data privacy, people would think you tinkered around with computers all day. All that has changed. High-profile privacy debacles have popularized what privacy, or the lack thereof, means to the average person. The question is, will your marketing campaigns take advantage of this development?

 

Jay Cline, CIPP, is president of Minnesota Privacy Consultants, the winner of the 2010 Privacy Innovation Award for Small Organizations.

 

 

Read more by Jay Cline:

Inching toward consensus: A roundup of U.S. privacy legislation
Broadening definitions of personal data portend greater scope of concern for privacy offices

GMAC: Navigating EU approval for advanced biometrics
IBM's Privacy Strategy: Trust Enables Innovation
Privacy and the Pharma Chain of Trust
Xcel Energy: Building privacy into the smart grid
Creating a privacy gameplan for your social media strategy
Privacy Consent Glossary
Opt In Or Opt Out For Global Direct Marketing?
Ubiquitous Identification Series: Will Other Countries Join the Canadian Debate Over the Privacy of Public Records?
Best Buy: Using Privacy Awareness to Build Customer Centricity