Consumer Law Seminar ABTA
•Descargar como PPTX, PDF•
1 recomendación•384 vistas
Our Compliance Director goes through GDPR at The ABTA event.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Consumer Law Seminar ABTA
Similar a Consumer Law Seminar ABTA (20)
Último
Último (20)
Consumer Law Seminar ABTA
- 1. Compliant Digital Marketing Practices Public Version 1.2
- 2. Contour Marketing Automation Conversion Rate Optimisation Data & Databases Customer Insight Public 2
- 3. 3 Public Tim Roe Compliance Director for RedEye • Certified Data Protection Practitioner • Data Protection Law and IG • Direct Marketing Associations Privacy taskforce • Vice chair of the Direct Marketing Associations Responsible Marketing Committee • Content contributor and course tutor for the Institute of Direct Marketing • Content contributor and expert content adviser for the Direct Marketing Association
- 4. Public Agenda The data Lawful basis Consent Electronic marketing Legitimate Interest, processing and profiling Cookies Privacy Notices Importance of UX Eprivacy 4
- 5. 5 Basis for Presentation - Not legal advice - Practitioner guidance - Be cautious - Try to do the right thing Public
- 6. May 25th has come and gone… Public
- 7. …and nothing really happened. What a fuss about nothing. Public
- 8. 8 - Process what's needed - Be transparent - Data source - Information available - Lawful basis - Processing activities - You need the audit trails to prove compliance and to prove.. ACCOUNTABILITY What do you need to be compliant? Public
- 9. What data is covered under GDPR? Name Email Address ID Numbers Cookies IP addresses Profile Information Segments they belong to Personal data is "any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier“ ICO Public
- 10. Lawful Basis Which one? Consent? Legitimate Interest? Public
- 11. Consent“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” Informed Specific Detail “Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate”. The ICO Public
- 12. 12 Public Email SMS And maybe Social Media and Cookies! Just because you’ve got a tick box for one of those channels, doesn’t mean you can use them all.
- 13. Public
- 14. Public
- 15. Public
- 16. Public
- 17. This does not represent consent! Public
- 18. Public PECR? Does Electronic Marketing always need consent? Maybe not….
- 19. Public
- 20. Legitimate Interest • Analysis • Data matching and augmentation • Targeting and segmentation • Profiling “Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate”. The ICO Public
- 21. Using Legitimate Interest? This right to object must be explicitly stated, prominently displayed and is easy to exercise that right Collect the minimum data necessary and delete records after use Ensure you have a valid reason to process an individual’s personal data using your legal legitimate interests The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Rec 47 Public
- 22. 22 Public Can targeting, profiling and segmentation be Legitimate Interest? The text of the regulation refers to profiling in Article 4(4) as: “…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
- 23. Predictive modelling Customer ID & Cross-device tracking Orchestration Reporting & Analytics DataIntegration Personal & Demographic Onsite Behavioural Data Engagement Data Transactional Data Mobile & Device Data Data APP Data Lifestyle Data Email Direct Mail Paid Social SMS AdWords Web Push Store Multi-channel & Data Segmentation 23 Public
- 24. Public Profiling Example An airline studies the behaviour of its online customers. It examines what they search for, look at and how much time they spend considering each destination. This data will be combined with the location and route the customer is most likely to use based on their previous flight history. The profile will then be used to serve the customer with a marketing communication that highlights the destination and route they are most likely to be interested in. 24
- 25. Public Special categories of data Profiling can infer special categories of data Example: profiling food consumption or musical tastes might lead to the inference of ethnic origin or religion. If you infer special categories of data, the profiling maybe prohibited without explicit consent. 25
- 26. 26 Can profiling be a legitimate interest? Public
- 28. Public
- 29. PublicPublic
- 30. Public 30 Privacy Notices and personal data • Why do you need it? • Use a layered privacy notice/policy • Easy to understand • Detail segmentation, targeting, profiling, augmentation • Detail your cookie usage Public
- 31. 31 Public
- 32. Public
- 33. Elephant in the room! Public
- 34. GDPR Consent Before cookies are placed Audit trails Public
- 35. Designing data capture processes Transparent privacy notice design Public
- 36. 36 Data Capture must work harder than before User testing is vital for optimising the process Public
- 37. Public
- 38. Analyse, with real users, the UX of your forms & data capture points What can be done - Remote user testing - Expert UX review - Landing page(s)/ My account comms page - Mobile & desktop What this gives you - Identify UX issues & recommendations - Suggested: messaging, layout, hierarchy, priority - mock ups of proposed new experience Public
- 39. Why UX? Public Without customers there is no business Helps you understand the “why?” Identify areas of improvement Optimises spend on website
- 40. The future beyond GDPR and into E-privacy 40 Public
- 41. What does the future hold? New Regulatory regime ICO about to issue first fines E-Privacy challenges Web tracking consent And Brexit, of course. 41 Public
- 42. New regime gives rights and protections to individuals Privacy focus is an opportunity to build trust Transparency and control GDPR has educated people on their information rights 42 Public
- 43. Summary Processing personal data for marketing, presents certain challenges, some of which we have looked at today It can be a complex operation to ensure compliance But the new regulations shouldn’t stop you doing the clever stuff Design your systems and processes to put privacy at their core Look closely at how you are using tracking technology and ensure your privacy notices and cookie banners actually do what they should be doing And e-Privacy is just around the corner, its time to start planning now.
- 44. Thank you for your time 44 Public
Notas del editor
- Hello, and welcome to this presentation on compliant digital marketing practice. My name is Tim Roe and I am the compliance director for RedEye.
- Id like to start by giving you some background to the business I work for, RedEye, RedEye delivers improved conversion and ROI through Marketing Automation Technology and Conversion Rate Optimisation services RedEyes proprietary technology uses data from the web, transactions and multiple customer touchpoints, which is combined in a single platform to deliver multi channel marketing communications via web, email, social media, direct mail and mobile. We use profiling, tracking, analysis and predictive modelling in our solution, so data protection and privacy has been important to us for a long time.
- Now a bit about me. British Computer Society Certified Data Protection Practitioner Hold Post Grad Certificate in Data Protection Law and IG Chair of the Direct Marketing Associations Privacy taskforce Vice chair of the Direct Marketing Associations Responsible Marketing Committee Content contributor and course tutor for the Institute of Direct Marketing Content contributor and expert content adviser for the Direct Marketing Association
- What data are we talking about? What are the appropriate lawful basis for processing ? What is and what isn’t consent ? Electronic marketing and the law Gaining consent Legitimate Interest, processing and profiling Cookies and behavioural advertising Privacy Notices What is UX testing and why is it important when collecting data ? Beyond GDPR and onto e-privacy – how to prepare for the future and e-Privacy day!
- Not legal advice Broad based practitioner guidance, drawn from ICO publications, DMA guidance and the EDPB guidance. This advice focuses on data protection and privacy law Data protection is a complex subject Absence of case law on GDPR makes giving advice difficult, the first enforcement action is yet to happen Knowledge of the subject requires a great deal of reading and study and input from industry organisations and the regulator There's now lots of authoritative advice from the ICO, WP29, DMA and other industry organisations
- Seems like ages ago now, GDPR day, came and went. The sky didn’t fall on our heads 1000’s of ICO enforcement officers, didn’t break down the doors of struggling marketing departments. Although for some organisations, Armageddon did come to their marketing lists. The cost of this is still to be counted. The storm clouds have cleared and the sun has come out.
- And relax! Wouldn’t that be nice, the truth for many organisations is that there is still much to do, from acquisition campaigns to replace lost contact data, to embedding the compliance processes and systems in to business as usual. So, lets take a look at what you need to be compliant.
- a nutshell You must only process the data you need to You need to tell people what you are doing with their data You need to know where you have obtained the data You need to know what people have been told when it was collected You need to know what your lawful basis for processing is You need to know how and why you are processing the data You need the audit trails to prove compliance and to demonstrate.. ACCOUNTABILITY
- So when we talk about personal data, what do we mean? Name, Email Address, ID Numbers, Cookies, IP addresses, Profile Information and Segments people belong to. So that segment that you’ve creatively named “Grumpy Gits” is actually part of their personal data! “Special categories” of data have replaced “sensitive personal data” Special category data is more sensitive, and so needs more protection. Processing Special Categories of Data is generally Prohibited Race; Ethnic origin; Politics; Religion; Trade union membership; Genetics; Biometrics Health; Sex life; or Sexual orientation. Important to ensure that this is not being processed inadvertently But you can process Special categories of data under explicit consent
- To process this data, we need some sort of legal basis. Marketing is most likely to be undertaken either under; Consent: Freely given, Specific, informed, unambiguous with affirmative action. Legitimate Interest: Balancing the privacy rights of the individual with the needs of a business Both have different uses and are appropriate for different parts of your marketing processing. Lets take a look at consent first, what it is and what it isn’t
- “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” To be informed, enough information must be made available at the time. It’s got to be specific enough to be valid; What exactly is the consent for? There should be no doubt as to what the consent is for and that it has been given. Consent also requires a clear positive action. So, where is consent most likely to be the most appropriate legal basis?
- Unless certain situations apply, you are most likely to need consent for electronic marketing. Also, In certain circumstances you might need to consent for certain marketing processing activities too (especially if you are processing special categories of data) If you wish, you can use it for any type of marketing, phone or Direct mail Remember; Electronic marketing needs to be compliant with GDPR and Privacy and Electronic Communication Regulations. Electronic marketing means emails, SMS, social media. If you are capturing data to use for marketing purposes, make sure that you are transparent about all the channels you are using. If you’ll use email, SMS and Social, you must point this out before consent is obtained. Id like to take a look at some examples of data capture processes, where the organisation has obtained consent.
- Lets take a look at this example from Eurostar, simple, clear and informative. The find out more takes you to the privacy notice. Its pretty obvious what you are signing up for and there are three affirmative actions here too! They are adding their email address to a form specifically to sign up for email. They are then asked to tick a box Finally, they are asked to select a box saying “Sign Up” It doesn’t need to be complicated
- One of the best registrations I have found, is the BBC registration process. Each piece of data they ask for, allows you to easily find out more, without leaving the registration process. You can also delve in to more detail via further linked information. Take a look at how the BBC gives the individual an explanation as to why the date of birth is required. Capturing this data allows the BBC to see how people of different ages are using the BBC and to ensure there is content for everyone. Sounds good to me! Be Informed and Specific, Transparency builds Trust.
- Further through the process, you get to the point where marketing permission is sought. In the box for email marketing, there is a simple, specific explanation about the content of the emails that the BBC are going to send you. “These are regular emails, including a weekly update, to tell you about BBC programmes and services. From time to time, we might contact you to get your views on other issues about the BBC. To help you get the best out of the BBC, we may personalise them based on your location and how you use the BBC online. You can unsubscribe at any time. Find out more about the emails here.” Simple, Informed and specific consent.
- Lets take a look at what consent isn’t. What would you expect to be signing up for here? Would you be expecting marketing emails from this company? What is in clause F? F. Without prejudice to the provisions of the preceding paragraph E, and only with your consent, to send you via email, phone, mail, SMS or MMS the best deals and offers on products and services we think you might find interesting which are marketed by us or our partners or business partners operating in the following sectors: tourism, leisure, entertainment, high technology, fashion, decoration, consumer goods, food and beverage, finance, banking, insurance, energy, environment, communication, mass media, real estate, pharmaceuticals, clothing and textiles, education and training, energy, publications and publishing, information and communications technology, retail, sport, telecommunications and general services.
- So, if you entered you email address in that box, and agreed to those terms, does that mean the organisation has consent to share your data with virtually anyone they want? No, this is not consent. Text like that, unexpected processing and non relevant data sharing, should be brought to the attention of the data subject, not hidden in the t’s and c’s. This is why the law was enacted, to stop abuse of data. But does electronic marketing always need consent?
- Maybe not: If the contact details meet these requirements. Gathered during the process of a sale or in the context of a sale The marketing relates to similar goods or services The individual was given the opportunity to opt out at the time And has been given the opportunity to opt out since. You could have another option
- So this is still ok. Under the new e-privacy regulations, although still in draft, look likely to retain the soft opt in. As long as you have a relevant commercial relationship with the individual, such as they have brought or are buying from you, this method is acceptable. Its not consent, its giving the person the opportunity to object by using preticked boxes. The information on what people are going to be sent, is still included, so the individuals are still being informed.
- Which brings us to the next legal basis for marketing processing Legitimate Interest. What is LI processing Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” But, this isn’t an automatic legal basis for processing marketing data. Marketing is necessary, but is what you are doing unbalanced against the individual? You need to undertake a balancing test where you will balance the impact of processing you are doing, against the rights and freedoms of the individual. You might use legitimate interest for: Analysis, Data matching and augmentation, Targeting and segmentation, Profiling You can you use legitimate interest for many things (as long as they are legitimate of course)
- Where you collect the data you must tell the individual that you intend to use the data for direct marketing and they have the right to object. It must be explicitly stated, prominently displayed and away from any other information. It must be easy to exercise that right. You must collect the minimum data necessary only process the data for the reasons stated in your privacy notice and delete records after use. You must also document your valid reason to process an individual’s personal data using your legal legitimate interests.
- What about you targeting, analysis, and segmentation you do, is that legitimate interest? This type of processing broadly falls under the classification of “Profiling” under GDPR. “…any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” For marketing, the key words are personal preferences, interests, behaviour, and location. So, most modern marketing involves profiling. Depending on the context, profiling can also be quite intrusive if it includes online tracking.
- Modern marketing, creates enormous amounts of data. Much of which can be leveraged to optimise marketing effort and increase ROI. This is the legitimate interest of the organisation that is using it. Much of this data can also be classified under the new privacy rules as personal data. The new legislation doesn’t STOP you from using data this way. It just asks you to be transparent and informative to the individual As soon as we start to profile, we are creating new personal data that relates to the individual. This “profile” could include data from many sources Website search and browsing history Customer relationships and buying habits Credit card, store card and transactional history Credit scoring Complaints, feedback or enquiries Location Lifecycle habits Social media Property ownership Some use of data might be expected and relevant, some might not. Context is important. Be careful about the way you use the some of the web tracking data. Is the individual going to be expecting how you track them online? How transparent is your processing?
- What does profiling look like; Here is a typical example of profiling, used to make sure that the content of marketing and some web pages, are made as relevant to the recipient An airline studies the behaviour of its online customers. It examines what they search for, look at and how much time they spend considering each destination. This data will be combined with the location and route the customer is most likely to use based on their previous flight history. The profile will then be used to serve the customer with a marketing communication that highlights the destination and route they are most likely to be interested In this instance, all the tracking, analysis and profiling, is in context of what the individual is doing and where, so is more likely to be undertaken under legitimate interest.
- Profiling can trip you up Profiling can sometimes infer special categories of data Example, profiling food consumption or musical tastes might lead to the inference of ethnic origin or religion. If you infer special categories of data, the profiling maybe prohibited without explicit consent. This is why it is important to undertake privacy impact assessments when any new processing activity If privacy risks are identified, you can mitigate those risks by changing the process, or using a more appropriate legal basis, such as explicit consent
- Is the profiling LI, or does it need consent? Its possible that much of the profiling that is done for marketing, can be undertaken using legitimate interest. This is because it is unlikely to cause a legal or significant effect on the individual. The article 29 working party says: Profiling is allowed if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. However, Article 6(1) (f) does not automatically apply just because the controller has a legitimate interest. A balancing test still needs to be undertaken, you must consider the key elements, Context, Expectation, Relevance and Impact (to the individual) Its also possible for the profiling to stray into the realms of having a significant effect. The ICO has cited some research that shows it is possible to for harm or a significant effect to be caused by profiling. Ohio State University found that behaviourally targeted adverts can have psychological consequences and affect individuals’ self-perception. For example, if individuals believe that they receive advertising as a result of their online behaviour, an advert for diet products and gym membership might spur them on to join an exercise class and improve their fitness levels. Conversely it may make them feel that they are unhealthy or need to lose weight. This could potentially lead to feelings of low self-esteem. Profiling can make ads more effective and have a greater impact on the individual. This was one of the key concerns about the issues with Cambridge Analytica’s use of Facebook data, where the hidden profiling has allegedly been used to influence voting preferences. We undertake marketing, profiling, targeting and segmentation, because it works. We can use these techniques to persuade and influence. To stay on the right side of the law, transparency is vital
- Quite a lot of the clever stuff we do with the data, starts with the setting of a cookie on an individuals browser Article 29 working party When giving an opinion on an example of profiling…. “The extent and manner of profiling (use of click-stream data, predictive algorithms) also suggest a high level of intrusiveness. ” Cookie tracking and profiling, can be intrusive if it isn’t transparent.
- So, what do we mean about transparent? Here is an example of a web page. On visiting this webpage, The cookies reported on the right of the screen, are placed on my browser. In this case, before they have been accepted. Before anyone says, these are essential cookies, checkout the Facebook Custom Audience cookie! Unfortunately, placing cookies and the operation of the banners, don’t link together well on lots of sites. Tracking links clicked by certain visitors You might be building web profiles, or using them for presenting personalised content or to identify people responding to online campaigns, or you might be using them to track how people use your website These cookies can normally be first party and the data use controlled within your website or direct partners. Behavioural advertising Cross website tracking These are third party cookies that will track users beyond your website and serve your adverts on other sites and services.
- What about behavioural advertising? GDPR has classified the individuals data, that is traded between advertisers (Brands) and Publishers as personal data. This type of data use is among the most intrusive and hidden data processing that goes on. If this data is being gathered or used on your website, you may be jointly liable for its use with the others in the chain. A recent court ruling in Germany, set out that you don’t need access to the data to be a controller of it. You might gather it on your website, but you still remain responsible for its use throughout its use in the programmatic system. If you are using programmatic advertising, a privacy impact assessment is probably essential?
- Information and transparency, is a key part of the compliance piece. Much of the information on how data is used, will be contained in your Privacy notices, or privacy policy. This is where you; Explain why you need an individual’s personal data, thinking back to the BBC example, the extra detail of why you need date of birth, would be contained in the privacy notice. Use a layered privacy notice/policy, it doesn’t all have to be put in one place, make it easy to find what your need. It needs to be easy for people to understand, not written in legalise. Important information must not be hidden in your privacy notice (like the organisation earlier that wanted to share you data with the world) This is where you would detail segmentation, targeting, profiling, augmentation and the reasons for it. The privacy notice is also where use of cookies and other hidden tracking technology should be explained.
- Belmond have a simple to use privacy notice, that allows the individuals to easily drill down and find out what they need. If I want to find out about all those cookies on my browser, I can easily find out where that information is.
- The Belmond example, drills down in to the individual cookie usage, giving you the name of the cookie, what it is used for and a link to the website of the tracking provider.
- Won’t cookies require consent? Under the New e-Privacy Regulation, yes they will! No changes in the latest revision of the e-Privacy Regulation relating to tracking. Consent remains the only option for marketing tracking. However; Amendments to recital 20 means that a website owner could restrict access to content, subject to someone giving consent to cookies. This means consent must be gathered before all but strictly necessary cookies are placed.
- Consent will mean GDPR level consent Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. Unambiguous Informed Specific Positive indication of the data subjects wishes. This will mean real consent control and reporting. Getting positive consent BEFORE cookies are placed. Someone's failure to act does not constitute consent. If you are using the cookie data, you are responsible or jointly responsible with the advertiser.
- These extra requirements for displaying information and ensuring effective data capture processes, mean that these processes must go through a more rigorous testing regime than ever before. What must you do to ensure you are making the most of each opportunity?
- Due to E-Privacy and GDPR your opt-in forms and preference centres are a critical part optimised marketing and compliance. So, How do you manage the requirements for customers to provide positive opt-in whilst maximising the volume of customer details you capture? Analysing the user experience of your key data acquisition points will help you make the most of GDPR, minimising losses and getting you ahead of the competition.
- Here’s some examples of the points of data capture that can be fine tuned using User Testing. Especially for those organisations that have lost much data due to re consent campaigns, getting these working right is essential.
- Without “compliant” customer data you will not be able to enhance the customer experience by personalising and streamlining the experience for users, thus creating unnecessary barriers for users putting conversions, retention and customer loyalty at risk. Using UX testing Remote user testing of: forms, sign-ups, preference centres (all data capture points) Expert UX review of key ‘data capture’ customer journeys Email/Landing page(s)/ My account comms page Mobile & desktop User videos and eye tracking This will help you with Identify UX issues & recommendations Suggested: messaging, layout, hierarchy, priority Where required mock ups of proposed new experience
- Without customers/users there is no business – use their experience to your advantage Helps you understand the "Why?" behind your users behaviour, not just the “what”. Identifies areas for needs driven improvements & innovation Optimises spend on the website,
- So now lets take a small step in to the near future and see what might lie ahead.
- We are in a new Privacy Regulatory regime Rumours across Europe that the DPA’s are preparing to levy the first enforcement under GDPR E-Privacy provides more challenges, but changes can be made now. Designing your web tracking consent mechanisms to be robust “before” EP-day Brexit will make no difference, if you intend to track no EU citizens, if you do, then it will.
- The new data protection regime gives rights and protections to individuals It is a positive step for people And as we are all people, that’s good right? Privacy focus is an opportunity to build trust Transparency will build trust Transparency and trust could become a key differentiator in business relationships More powerful than “targeted campaigns and lifecycle marketing” Transparency and control On the first contact and data exchange And ongoing control of the data the individual is sharing GDPR has educated people on their information rights People become less tolerant of bad practice More aware of organisations efforts to “do the right thing”
- Processing personal data for marketing, presents certain challenges, some of which we have looked at today. It can be a complex operation to ensure compliance. But the new regulations shouldn’t stop you doing the clever stuff Design your systems and processes to put privacy at their core Look closely at how you are using tracking technology and ensure your privacy notices and cookie banners, actually do what they should be doing. And e-Privacy is just around the corner, its time to start planning now.