
Understanding Customer Data and Regulatory Compliances

We live in a world of data-driven marketing, and it is crucial to assess and reassess your customer data strategy to ensure compliance while serving customers as best as possible. Read on for a deep dive into the subjects to know.

We live in a world of data-driven marketing. Simply put, data-driven marketing has the numbers to back it up. In fact, according to Forbes, companies that adopt data-driven marketing tactics are six times more likely to be profitable year-over-year compared to those that don’t [1].

Consumer data is key for any business: it supports sound decision making, marketing strategy development, and business growth, and it helps keep customers happy. For these reasons, companies across verticals are working hard to collect, store, and use a variety of customer data, ranging from demographic details to behavior patterns. 

Today, all over the globe, numerous laws and regulations are in place to protect customer data and privacy. According to research by Gartner Inc., by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% in 2020 [2]. This comes at a time of heightened awareness of data privacy: a 2021 Cisco Consumer Privacy Study found that 86% of people care about data privacy and want more control [3]. This does not mean that consumers are unwilling to exchange their data for more personalized experiences and exclusive services. Research suggests 92% of consumers will trade personal and preference data for loyalty points and 86% will trade it for early or exclusive access [4]. 

It is crucial to assess and reassess your customer data strategy in order to comply with various regulations and laws while still serving customers as best as possible. This article will dive into subjects that are important to know in relation to data-driven marketing, including collection, storage, and management of customer data, important rights of consumers, a few widely followed regulations, and compliance requirements. 

Customer Data Collection:

Customer data collection is the methodical process of gathering information about your customers and target audiences. Data can be collected through various sources and strategies. During the collection phase it is crucial to ensure that the data is complete and that it is collected legally and ethically: the legal basis (consent, contract, or another basis recognized by the applicable law) and the purpose should be settled before collection starts, not afterwards.   

Customer data can be collected in many ways, including customer surveys, feedback, questionnaires, forms, interviews, tracking of customer activities and transactions, and more.  

Types of Customer Data:

  • Zero-party data: Forrester Research describes it as data which a customer intentionally and proactively shares with a brand. It can include preference center data, purchase intentions, personal context, and how the individuals want the brand to recognize them.  
  • First-party data: It is data collected directly from users by your organization. It can include purchase history, contact information, website and mobile app interactions and behaviors, etc.  
  • Second-party data: It is another organization’s first-party data, shared with you directly under an agreement with that organization. It can include survey data, social media data, consumer research data, etc.  
  • Third-party data: It is data that has been aggregated and rented or sold by organizations that do not have a connection to your company or users, such as demographics. 

Zero-party and first-party data are more valuable because the information comes directly from customers about what they want and how they behave, think, and feel. They are also easier to keep compliant, because you control how the data was collected and what the customer was told at the time. 

What is PII?
According to the National Institute of Standards and Technology (NIST), Personally Identifiable Information (PII) is any information that can be used to distinguish or trace an individual’s identity (e.g., name) and any other information that is linked or linkable to an individual (e.g., employment information). Thus, it is information that can be used by organizations on its own or with other information to identify, contact, or locate a single person, or to identify an individual in some context.  

Sensitive PII includes data such as full name, Social Security Number (SSN), driver’s license number, mailing address, credit card information, passport information, financial information, and medical records. Non-sensitive or indirect PII is information that is easily obtained from public sources such as phonebooks, the internet, or corporate directories; examples usually given include zip code, race, gender, date of birth, place of birth, and religion. Two caveats apply to that second list. First, such fields act as quasi-identifiers: zip code, date of birth, and gender together are enough to single out a large share of a population, so “non-sensitive” does not mean “safe to publish or share”. Second, race or ethnic origin and religious beliefs are treated as special-category data under the GDPR (see the point on sensitive information below) and must not be handled as if they were harmless.  

Terms similar to PII exist in legislations of many countries and territories around the globe. For example:

  • In the European Union, the General Data Protection Regulation (GDPR, which replaced Directive 95/46/EC in 2018) defines personal data in Article 4(1) as any information relating to an identified or identifiable natural person, where an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.  
  • In Australia, the Privacy Act 1988 defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not. This is a much broader definition than in most other countries.  
  • In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act define personal information as data that, on its own or combined with other pieces of data, can identify an individual.  

Three Important Points on Personal Data Collection:

  1. Consent: Obtain consent from individuals to collect, use, and disclose their personal data, and keep a record of what they consented to and when, so that the consent can be demonstrated later.  
  2. Data minimization and purpose limitation: Collect only the data that is adequate, relevant, and necessary for purposes you clearly stated in advance, and do not hold it longer or use it for other purposes unless that is essential and was disclosed.  
  3. Sensitive information: Brands should almost never collect special categories of data such as race or ethnic origin, political opinions, religious or philosophical beliefs, or genetic or biometric data. Where there is a genuine need, such data requires an explicit legal basis (for example explicit consent) and stronger protection than ordinary personal data.  

More About Consent, Opt-in, and Opt-out:

Consent is a freely given, specific, informed, and unambiguous indication of a person’s wishes, expressed through a statement or a clear affirmative action, by which he or she signifies agreement to the processing of personal data relating to him or her. 

  • Explicit consent: Under the General Data Protection Regulation (GDPR), explicit consent is required for special-category data, for solely automated decisions with legal or similarly significant effects, and for certain international transfers. It must be an express statement, for example a signed or written declaration, or ticking a box next to wording that spells out exactly what is being agreed to. The key point is that the organization must be able to demonstrate it afterwards.  
  • Unambiguous consent: This is the baseline standard whenever consent is the legal basis for processing. It involves a clear affirmative action, such as knowingly ticking an unticked box or choosing a setting. Silence, pre-ticked boxes, and inactivity do not count as consent.  

Opt-in is a form of consent given by web users, acknowledging interest in a product or service and authorizing the organization (or a named partner) to contact them with further information.  

  • A ‘single opt-in’ means a user only needs to subscribe once, and they will begin receiving emails. In the US, prior express consent is required for marketing SMS (under the TCPA) but not for marketing email (under CAN-SPAM); however, a clear and easy way to opt out must be provided and honored promptly. Many other countries, including New Zealand, Canada, Australia, the United Kingdom, and all European Union countries, require brands to obtain prior opt-in consent from individuals before sending them marketing communications (some, such as Canada and Australia, also recognize a narrower form of implied or inferred consent).   
  • A ‘double opt-in’ means a user must subscribe and then confirm their email through another link. The GDPR and the UK GDPR do not insist on the double opt-in process. However, in Germany (which is part of the EU) double opt-in is the established norm, because the sender must be able to prove that consent was given. Australia and Canada are other territories where double opt-in is widely used as the practical way to evidence consent.   

The best way to deploy double opt-in is to be completely transparent when you send a confirmation email or SMS to a potential subscriber. You can include the following details in that communication:  

  • A brief description of the type of content to which they have subscribed.
  • A link to your full privacy policy.
  • How to opt out from receiving further communications. 

Opt-out refers to the methods by which individuals can avoid or stop receiving unsolicited product or service information. Under various laws, companies must act on a customer’s opt-out request within a set period to avoid legal consequences, so opt-out processing should be automated rather than left to a manual queue.  

Key Rights of Consumers About Their Data:

Various laws and regulations give consumers certain rights when it comes to their data.  

  • Right to know: Every consumer has the right to know what personal information has been collected about them, how it was collected, and for what purpose.     
  • Right to be forgotten: Consumers can request to have their personal data erased, and brands are obliged to delete that information from their records (and to pass the request on to processors and partners holding copies).     
  • Right to opt out of sale: Brands must post a clear and conspicuous link on their website that says “Do Not Sell My Personal Information” and enable consumers to opt out of the sale of their data to third parties.    
  • Right to contact information: Brands are required to tell consumers where they can find more information about the brand’s privacy policy and compliance efforts, and how to reach the brand with questions or requests.    
  • Right to access: Consumers have the right to request a copy of their information in a readily usable format. This must be free of charge and provided within a set number of days of the request (45 days under the CCPA, one month under the GDPR). Individuals must also have clear and easy access to the company’s full privacy policy.  
  • Right to non-discrimination: In no way, shape, or form may a company discriminate against or treat users differently because they exercise their rights. All consumers must be provided with the same level of access and service regardless of which rights they exercise.  

Crucial Points About Consumer Data Storage and Management:  

Encryption, Anonymizing, and Masking:

  • Personal data should be encrypted at rest and in transit. Encryption is named explicitly in GDPR Article 32 as an appropriate security measure. Note that encryption only helps if the keys are managed separately from the data and if application-level access is also controlled; an attacker with the application’s credentials reads the data decrypted.    
  • Data should be anonymized where the purpose allows it. Keep the distinction clear: properly anonymized data can no longer be linked to an individual by any reasonably likely means and falls outside the scope of data protection law, while pseudonymized data (for example, a customer ID or a keyed hash replacing the name) is still personal data and still regulated, because the link can be restored with the additional information held elsewhere. An unkeyed hash of an email address is pseudonymization at best, since the address can be recovered by hashing a list of candidate addresses.   
  • Data should be stored or transmitted with only the details required for the specific transaction, with other details masked (for example, showing only the last four digits of a card number) or omitted entirely.  
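The three points above (keyed pseudonymization versus a naive hash, masking, and purpose-based minimization) can be shown concretely. The following is an added example written for this article, not code from the original page; the candidate email list, the card number, the record, and the purpose-to-field allow-list are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed sample data: a few plausible addresses that an attacker could
# enumerate from a leaked list, a mailing-list dump, or simply guess.
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.org",
    "dave@example.net",
]


def naive_token(email: str) -> str:
    """Unkeyed SHA-256 of the address. Looks anonymous but is not: anyone who
    can guess candidate addresses recomputes the hash and matches it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymize(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. It is deterministic, so records can still be
    joined, but without the secret key the token cannot be recomputed from a
    guessed address. The key is the 'additional information' that must be
    kept separately from the pseudonymized data."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_reverse(token: str, candidates: Iterable[str],
                       tokenizer: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: push each candidate through the tokenizer and compare."""
    for email in candidates:
        if hmac.compare_digest(tokenizer(email), token):
            return email
    return None


def mask_card(pan: str) -> str:
    """Keep only the last four digits of a card number for display or receipts."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 12:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


# Hypothetical purpose -> allowed fields mapping (an assumption of this example).
PURPOSE_FIELDS = {
    "shipping": {"order_id", "name", "street", "city", "postcode", "country"},
    "loyalty_analytics": {"order_id", "member_token", "postcode", "total"},
}


def minimize(record: dict, purpose: str) -> dict:
    """Return only the fields the stated purpose needs; everything else is omitted."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    key = b"example-secret-key-held-in-a-kms"  # constructed; never hard-code in production
    victim = "bob@example.com"
    weak = naive_token(victim)
    print("naive token recovered as:", dictionary_reverse(weak, CANDIDATE_EMAILS, naive_token))
    strong = pseudonymize(victim, key)
    print("keyed token recovered as:", dictionary_reverse(strong, CANDIDATE_EMAILS, naive_token))
    print(mask_card("4111 1111 1111 1234"))
    order = {"order_id": "o-77", "name": "Bob", "email": victim, "member_token": strong,
             "street": "1 Main St", "postcode": "94105", "total": 42.0}
    print(minimize(order, "loyalty_analytics"))
```

The design choice worth noting is that `pseudonymize` stays deterministic so that analytics joins still work, which is exactly why the key must live outside the analytics environment: whoever holds both the key and the tokens can re-identify every record.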

Firewalls and Access Control

  • Appropriate security measures must be in place to prevent unauthorized access, following the principle of least privilege: each user, service, and department gets access only to the data fields and records its work requires.   
  • Companies should create ethical walls, implementing screening mechanisms that prevent departments or individuals from viewing PII that is not relevant to their work or that might create a conflict of interest. In practice this means field-level redaction based on role and purpose, not just a yes/no on the whole record.  
  • Access permissions to sensitive data must be audited regularly, and the activity of privileged users must be monitored, with suspicious or anomalous activity (bulk exports, access outside working patterns, access without a recorded purpose) blocked and alerted on.  

Secure Audit Trail Archiving

  • Ensure that any activity conducted on or in relation to PII is audited and retained for a period of 1-7 years, for legal or compliance purposes, and to enable forensic investigation of security incidents.   
  • These logs should be stored in a centralized system with limited access.  
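The access-control points above (role-based field redaction as an ethical wall) and the audit-trail points (every access to PII recorded, logs kept where they cannot be quietly edited) fit together in one small mechanism. The following is an added example written for this article, not code from the original page; the roles, field allow-lists, and the customer record are constructed assumptions. The audit log here is hash-chained so that any later edit of an entry is detectable, which is one way to meet the requirement that archived logs be trustworthy for forensics.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import List

# Hypothetical roles and the fields each may see (an assumption of this example).
ROLE_FIELDS = {
    "support": {"customer_id", "name", "email", "tier"},
    "analytics": {"customer_id", "tier", "postcode"},
    "finance": {"customer_id", "name", "card_last4"},
}

GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass
class AuditLog:
    """Append-only, hash-chained audit trail. Each entry commits to the
    previous entry's hash, so altering or deleting an entry breaks the chain."""
    entries: List[dict] = field(default_factory=list)

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        entry = {"seq": len(self.entries), "prev": prev, "event": event, "hash": digest}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the start; False if anything was tampered with."""
        prev = GENESIS
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def view_record(record: dict, actor: str, role: str, purpose: str, log: AuditLog) -> dict:
    """Return the record with fields outside the role's allow-list redacted, and
    record the access. The log stores field *names*, never the PII values, so the
    audit trail itself does not become another copy of the sensitive data."""
    allowed = ROLE_FIELDS.get(role)
    base = {"ts": time.time(), "actor": actor, "role": role, "purpose": purpose,
            "customer_id": record["customer_id"]}
    if allowed is None:
        log.append({**base, "outcome": "denied"})
        raise PermissionError(f"role {role!r} has no access to customer records")
    visible = sorted(k for k in record if k in allowed)
    log.append({**base, "outcome": "ok", "fields": visible})
    return {k: (v if k in allowed else "[redacted]") for k, v in record.items()}


if __name__ == "__main__":
    log = AuditLog()
    customer = {"customer_id": "c-1001", "name": "Alice", "email": "alice@example.com",
                "tier": "gold", "postcode": "94105", "card_last4": "1234"}
    print(view_record(customer, "ana", "analytics", "churn-model", log))
    try:
        view_record(customer, "mark", "marketing", "campaign", log)
    except PermissionError as exc:
        print("denied:", exc)
    print("chain intact:", log.verify())
    log.entries[0]["event"]["role"] = "support"   # simulate a quiet edit
    print("chain intact after tampering:", log.verify())
```

In a real deployment the chain's latest hash would be periodically anchored in a separate system (or the log shipped to a write-once store), since an attacker who controls the log host can recompute the whole chain; the point of the example is that the audit trail itself needs integrity protection, and that it must not leak the PII it is guarding.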

Data Transfer

  • Check regulations before you transfer customers’ personal data outside the location of the jurisdiction of the respective law.   
  • Sensitive PII must be transmitted and stored in secure form, for example, using encryption.  
  • Brands must implement systems that can track sensitive data transferred within or outside of the organization and identify unnatural patterns that could suggest a breach.  

Breach Notifications

  • Companies must notify all involved parties of a breach, the impact on their records, and the remedies applied. Deadlines are strict: under the GDPR the supervisory authority must be notified within 72 hours of becoming aware of the breach, and affected individuals must be told without undue delay when the breach is likely to result in a high risk to them.    
  • Companies should also explain what they are doing to prevent a recurrence, which means the incident response process must produce a root-cause finding, not just a restored service.   

Data Protection Officer

  • Appoint a Data Protection Officer (DPO) where required, and consider doing so voluntarily.   
  • Under Article 37 of the GDPR, a DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organizations whose core activities involve large-scale processing of special-category or criminal-conviction data. Many loyalty and marketing programs that track behavior at scale fall into the second group.   

Retention Schedules

  • Data must be kept for a defined period and then purged from the system (including backups and copies held by processors). Requirements vary widely by data type and industry; in some cases long or indefinite retention is mandated, but indefinite retention should be a documented legal requirement, not a default.  

Periodic Privacy Policy Updates

  • Under the CCPA, brands must update their privacy policy at least once every 12 months.  
  • That way, customers know whether the brand is collecting, selling, processing, or otherwise handling data differently than before.    

Widely Followed Regulations Around the World:

California Consumer Privacy Act (CCPA), State of California

  • About: A state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
  • Key points: Tell customers that you collect personal data, what that personal data is, how you collect and process it, why you collect it, that they have the right to opt out of marketing and of the sale of their data, and that they can contact you for further information.
  • Consent: It does not require active, advance consent. You can collect and use the data right away without confirmation from the person; however, they have the right to demand that you stop using the data in certain ways (such as selling it), and you must honor that demand.
  • Opt-out duration: Within 15 business days.
  • Maximum penalty for violation: Up to $7,500 per intentional violation ($2,500 per unintentional violation).

Canada’s Anti-Spam Legislation (CASL), Canada

  • About: CASL protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats.
  • Key points: Perform an audit of your database to identify any non-compliance risk related to managing your contacts, contacts’ consent, records, etc.
  • Consent: Companies must obtain either express or implied consent before sending commercial electronic messages to individuals. Organizations must keep records of what information was shared in the consent request, and of when and how the recipient consented.
  • Opt-out duration: Within 10 business days.
  • Maximum penalty for violation: Up to $1 million per violation for individuals and $10 million for businesses.

General Data Protection Regulation (GDPR), European Union

  • About: A regulation on data protection and privacy in the European Union and the European Economic Area.
  • Key points: Organizations may collect personal data only for a specific purpose and may use it only for the purposes they stated. They must delete information when it is no longer needed and must implement robust data protection practices.
  • Consent: Consent must be given through a clear affirmative action; pre-checked boxes do not count. Organizations must keep records of what information was shared in the consent request, and of when and how the recipient consented.
  • Opt-out duration: No specific number of days; objections to direct marketing must be honored without undue delay, and rights requests generally within one month.
  • Maximum penalty for violation: Up to 4% of the annual global turnover of the preceding fiscal year or €20 million, whichever is greater.

Checklist for Regulatory Compliances on Customer Data:

  1. Prepare: Prepare your organization and teams to follow and comply with the regulations and laws around customer data. Identify and classify your data assets. Understand and keep yourselves updated about consumer rights, rules, and regulations.    
  2. Implement: Create and update your data and privacy policy. Implement procedures for responding to consumer requests within the statutory deadlines. Within your organization, set proper access permissions and implement data security measures. Upgrade the critical systems and software used for data collection, storage, and management.  
  3. Maintain: Review and update the privacy policy annually. Conduct regular training and assessment across your teams. Streamline the processes for responding to rights requests. Eliminate unnecessary data and procedures to reduce both risk and cost. Verify, rather than assume, that every procedure required by data regulations and privacy laws is actually in place.   

Disclaimer: The information provided here does not, and is not intended to, constitute legal advice. Kindly take advice of your legal counsel for regulatory compliances.​ 




By Pratik Joshi

Pratik is a marketing strategist with strong research skills and highly client-centric attitude. He thrives in crafting excellent online-offline marketing strategies, communications planning, and enriching overall customer experience.