
Episode Transcript

Benjamin: Welcome to Privacy Week on the MarTech podcast. This podcast is sponsored by Searchmetrics. Searchmetrics sets the standard for innovation in the content and search engine optimization industry. They support businesses who care about understanding both how to use content as a marketing channel and how to improve their organic rankings in Google. If you're an enterprise level marketer, the Searchmetrics suite of software and services will help you optimize your existing content, help you understand what topics need to cover next, and how to ensure that your writers produce effective posts. There are billions of Google searches happening every day and Searchmetrics gets your stories to the top.

Benjamin: This week we're going to start a deep dive into a subject that can help keep money in your pocket by helping you keep your job: privacy. Each day this week we're going to publish an episode that covers the rules for capturing and using customer data. Joining us for Privacy Week is world renowned privacy expert, Kasey Chappelle. Kasey is an online privacy advocate and the data protection officer for GoCardless. She has worked as part of the in-house counsel for large enterprises including eBay, Vodafone and American Express Global Business Travel. Kasey has a wealth of information to share and we're excited to have her to help us kick off Privacy Week. Today we're going to talk about some of the general rules for privacy, specifically international privacy law. Here's the first part of our interview with Kasey Chappelle from GoCardless.

Benjamin: Kasey, welcome to the start of Privacy Week on the MarTech podcast.

Kasey: Thanks Ben. It's good to be here. 

Benjamin: It is fantastic to have not only an ex-peer or coworker at eBay, but also a world renowned privacy expert. This might be a little overkill to have you on our MarTech podcast, but we're absolutely thrilled to be graced by your presence.

Kasey: Well, thank you. I don't know if I can live up to world renowned expert, but certainly I've been doing this for probably about as long as most people in this industry. I started my career right about the time that the first data protection directive was coming into effect. I've been doing this for companies across a really wide array of industries. I started in online advertising, surprisingly enough, moved onto ecommerce payments, mobile telecommunications, travel, and now I'm in Fintech, so I've seen this from a lot of different sides and from both sides of the Atlantic. It's been a fascinating career.

Benjamin: So you've basically been in the privacy field since it started and you've been the in-house counsel related to privacy for some of the biggest, most sophisticated marketing companies in the world. So what I want to do is have you give us, to start off Privacy Week, some of the basic rules for privacy. There's been a lot of news related to Facebook and their data protections and GDPR. Why don't we just start off with privacy 101 and we'll work our way into more sophisticated topics. Can you give us the high level of what marketers need to know to stay compliant with privacy?

Kasey: Well, if you need the very simple summary of privacy and how to not violate the law, I guess rule number one is don't be creepy. Now obviously there's a lot of nuance to that and a lot of detail to that, but privacy laws on both sides of the Atlantic and really around the world are designed to ensure that you do what you say and you say what you do, that you give people notice about the kinds of data that you're using that might have an impact on them, and you make sure that you build in some controls around it. You give people choices about how you're going to use their data.

Benjamin: So don't be creepy, just related to online marketing. I would also say that you mentioned giving people notice. One of the practices for giving people notice is having your privacy policy published on your website and the truth is most people who are using consumer services are probably not reading that in great detail, so what are some of the ways that are best practices that marketers use to make sure that their customers are aware of what data is being captured and how it's being used?

Kasey: There was a great study that came out quite some time ago now that said that it would take about four months out of every year for people to read the privacy notices that were presented to them in every interface they interact with. That's outrageous. Obviously privacy notices are not how you're going to achieve appropriate levels of what the industry has called transparency about your operations. So a privacy notice of course is an absolute necessity. It's required by law and regulators are going to be looking for it and certain people who like to read privacy notices like me, apologies, but there are better ways to make sure that you're achieving those expected levels of transparency. There's an interesting concept, particularly in online marketing, called the upfront notice or the just-in-time notice. It's making sure that you're giving people relevant information about the experience that they're having at the point where they're having it, so a good example of that is the Direct Marketing Association's requirements around upfront notice and on ad links, something similar in the US around the Network Advertising Initiative and their requirements around notices for behaviorally targeted advertising. These are areas where you can provide a little more transparency, a little more notice in ways that people will actually interact with as opposed to sticking it in your privacy notice at the footer of a page and expecting somebody to read it.

Benjamin: So like you love reading privacy statements. Kidding aside, I've read one in my entire life and it's published at the bottom of benjshap.com. I don't even remember what's on it. I understand the concept of making sure that while someone is engaging with your content that you're promoting the privacy policy or how the data is being used upfront. Not me, but I'm sure that there is a marketer here that is rolling his eyes and saying, that's going to hurt my conversion rates if I take up real estate to put in legal language about privacy, so what is the right balance in terms of enabling customers to understand what data is being collected and how it's being used and streamlining the process to get them to actually engage with the service?

Kasey: Not concerned about conversion. That creates an interesting balance. I'm sure you remember this term from our eBay days: every pixel fights for its life. The idea that anything you put on the page could potentially have an impact on conversion, could create dropoff, and those of us in the privacy industry are sensitive to that and there have actually been a lot of studies about that and some of those studies have shown that when you are transparent about how information is being used, when you share more information, it has an impact on conversion, but it has a positive impact on conversion. So if you're sharing privacy information with people, say on a web form, and you can tell them something like, here's how we're going to use your information and here are the choices you have about it. In a lot of instances what these studies show is that people are more willing to engage with your web form, for example. So I wouldn't presume that sharing privacy information, providing upfront notice, giving choices is only going to negatively impact your conversion rates.

Benjamin: I think that's a very important distinction, that you can use privacy messaging as an indicator to build trust with your consumers. So by letting them know in an appropriate fashion at the right time that you are going to provide data protection and that their data will only be used in an appropriate manner, you're building the type of trust that they would want and you're hopefully building more goodwill that will enable them to move forward. Now, I'm sure that there are, to use an extreme, some privacy people that want the font size for the privacy message to be larger than the marketing message and I'm sure all marketers would want the marketing message to supersede the privacy message. There has to be a balance there.

Kasey: Well, there absolutely has to be a balance. You know, like everything, it's a negotiation. The privacy people of course do have the law on their side. It's a big stick that you can use, especially with some of the new laws coming into effect that have things like four percent of total global turnover as the potential penalties. I always like to use the carrot instead of the stick when I work with my marketing teams to make sure that they're understanding the implications on both sides of the equation.

Benjamin: We're going to get into the conversation about the repercussions for breaking the law in a later episode. Actually, at the end of this week, I do want to talk a little bit about what the law is and it's been changing. There was the GDPR laws coming out of, was it the European Union who actually made the GDPR laws?

Kasey: GDPR, the General Data Protection Regulation, is a European level regulation, which means that the European Commission and the other governing bodies at the EU level created a regulation that applies across all of the EU member states. This is in comparison to the previous data protection law of Europe, which was a directive, meaning that each member state in the EU had to implement their own enacting legislation, so now we have one law across Europe. It's different. It's new. It's not a revolution so much as an evolution in data protection law. It imposes new prescriptive obligations on anybody who collects and uses personal information about EU residents.

Benjamin: There's a couple of things to break apart there. First off, the GDPR was a ruling that covers the vast majority of European countries, so there are special protections for the collection of personally identifiable information for those countries. Specifically, how do marketers know what countries those are and how do they know how to appropriately handle the PII for their customers in Europe?

Kasey: So think about how you address the jurisdiction of any law. If you're operating in Europe, obviously the GDPR applies to you. If you're intentionally reaching out to European residents, you've got a website that's targeted at France, you've got a service that's available in German, right, or any of the other multitudes of ways that you could be specifically operating with respect to European residents, then obviously the GDPR is going to apply to you. If you have any way of knowing that you're interacting with European residents, say you're collecting geolocation from your IP addresses or something like that, then you should probably presume that the GDPR applies to you. It's got some pretty significant extraterritorial impact.

Benjamin: That's basically anybody that's using Google Analytics. Google Analytics looks at an IP level to understand where a website visitor is coming from. So hypothetically, I have a podcast that I market all over the world. Pretty much anybody that's an English speaker, I have traffic that comes to my website from Europe. So now I am under obligation to meet the GDPR restrictions.

Kasey: You're right, if you have a website that's available from Europe then there is a potential for residents to be interacting with you and accessing your services. So we have seen quite a few websites do geoblocking for exactly that reason. I'm a huge fan of Food52, and they broke my heart when, last May, they started blocking European residents from accessing the site. All of a sudden all of my cooking just went out the window because that's where all my recipes were. That's the quantification that anybody providing services to potential European citizens is going to have to undertake. Right. What is the potential risk of having this data about Europeans now? The GDPR could potentially apply.

Benjamin: Two comments. One, Yummly, which was founded by Dave Feller, who was a fellow alum, great cooking website. And two, can you tell me what the rules are for GDPR? So for those of us who have a website or a web property that has customers or visitors in Europe, what are the things that we need to know at a high level to make sure that we are compliant with GDPR?

Kasey: The data protection directive required a whole lot of things that nobody ever paid any attention to. GDPR didn't change a whole lot of that. It just made the stakes much higher, so there were things that people were not doing that were not compliant with existing data protection law. They weren't making sure that they had a legitimate reason to have the data. They weren't ensuring that the data was proportionate to the purposes that they were trying to apply the data to. They weren't capturing the right consents where necessary to process the data. These aren't new requirements. They're requirements that were part of the data protection directive before the GDPR and that's been in effect since 1998.

Benjamin: What I'm hearing from you is the GDPR is not necessarily a new set of rules. It is the enforcement of the previous rules that basically marketers and other people that are collecting data ignored, but what matters is you have an appropriate reason to be collecting data. You're giving the right notification that you're collecting data. What were the other components that you said?

Kasey: Data minimizing, and this is an interesting one. This is one that I think a lot of companies were dropping the ball on. Data minimization means that you're only collecting the data that you actually need to achieve your legitimate business purposes, that you're not keeping any longer than necessary, that you're establishing the right protocols within the business to ensure that the data is only handled in appropriate ways. There are all of these different nuances that are wrapped around the concept that your treatment of data should be proportionate. It should be legitimate and it should be minimized, and that's really the essence of the principles of GDPR.

Benjamin: I think that's a great stopping point. We've got lots more to talk about related to privacy. We're going to go into detail about what are the data protection rules for email marketing, for advertising, and what happens when you break the rules, but that wraps up today's episode of the MarTech podcast. Thanks to Kasey for joining us and if you want to hear more of Kasey's advice, we're going to publish an episode every day this week so hit the subscribe button in your podcast app to check back with us tomorrow morning when we'll be discussing the rules related to privacy and data capture. If you can't wait until our next episode and you'd like to learn more about Kasey, click the link in our show notes to see her bio. Thanks to Searchmetrics for sponsoring our podcast. If you're looking to grow your online presence, go to Searchmetrics.com to request a free tour of their platform.

Benjamin: If you are subscribing to the MarTech podcast, we want to say thank you for being a member of our community. I would love to hear from you. I'd love to hear what you think about the show. If you have any questions, comments, if there's any topics that you'd like us to cover, click the link in our show notes to contact us. We also have some links to our LinkedIn or Twitter, or you can just look for the handle benjshap, that's b e n j s h a p. If you haven't subscribed yet and you want a weekly stream of marketing and technology knowledge in your podcast feed, in addition to the rest of Privacy Week with Kasey Chappelle from GoCardless, we've got a bunch of great episodes lined up, so hit the subscribe button on your podcast app and we'll be back into your feed tomorrow morning. Okay. That's it for today, but until next time, my advice is to just focus on keeping your customers happy.

Benjamin: Welcome back to Privacy Week on the MarTech podcast. This podcast is sponsored by Searchmetrics. Searchmetrics sets the standard for innovation in the content and search engine optimization industry. They support businesses who care about understanding both how to use content as a marketing channel and how to improve their organic rankings in Google. If you're an enterprise level marketer, the Searchmetrics suite of software and services will help you optimize your existing content, help you understand what topics need to cover next, and how to ensure that your writers produce effective posts. There are billions of Google searches happening every day and Searchmetrics gets your stories to the top.

Benjamin: Yesterday we started our week long deep dive into a subject that's critically important to marketers in every industry, in every business, in every channel of marketing: privacy. For those of you who missed our conversation yesterday and are catching up, every day this week we're going to publish an episode that covers how you can stay out of trouble by understanding the rules for online privacy. Joining us for Privacy Week is world renowned privacy expert, Kasey Chappelle, who is the data protection officer for GoCardless. Kasey has worked as the in-house counsel related to privacy for large enterprises, including eBay, Vodafone, and American Express Global Business Travel. She has a wealth of information related to privacy and legal matters and we're very excited to have her on the podcast. Yesterday, Kasey walked us through some high level rules for privacy, specifically related to international privacy protection and GDPR, and today we're going to turn our attention to the rules for data capture. Here's the second part of our interview with Kasey Chappelle from GoCardless. Kasey, welcome back to Privacy Week on the MarTech podcast.

Kasey: Thanks Ben. 

Benjamin: It is great to have you here. Yesterday we talked about some sort of high level rules and what data you can capture and GDPR and we started off very high level and I want to get more granular and specifically talk about data capture. So let me frame the conversation this way. I'm a marketer. I want every piece of data that is relevant to understand who my customers are, what their behaviors are with my website and potentially other websites and I want to know where I can find them and I want them to know what they're interested in so I can find people that are just like them. How do I not go to jail?

Kasey: Let's think about data protection law for a second. Obviously it's in a marketer's best interest to have as much data as possible. It's in every company's best interest to have as much data as possible, but what a data protection law like GDPR says is that you have to minimize the data that you get. You have to have a legitimate reason for having the data and you have to be transparent from wherever you're collecting it from. So if you're, say, publishing a web form, then it's really clear to the individual who's filling out the web form that you're getting their data. So maybe you have fewer prescriptive obligations around transparency for the web form, but if you're getting data from other sources, how is it that you're going to provide that transparency? How are you going to let people know that you're getting that data from those other sources and how are you making sure that the collection of that data is legitimate? These are the things that data protection law tries to put a little bit of rigor around. So what it says is you should have a notice. You should tell people you're collecting the information and this is what I think that marketing companies in particular are going to struggle with because there are so many third party sources of the data.

Benjamin: Let's dive into that a little bit more and I'll give you a couple of scenarios. What I have a web form on my website. I want as few fields as possible because the less information that I have to capture increases my conversion rate for somebody to fill out that form so I can ask someone for their name and their email address and that's probably the minimally viable form. Maybe I don't even need their name, but let's just say I need that. There are services in the background that can then take that name and email address and provide me a wealth of other information about them. How is that addressed by the privacy community using a third party data source to be able to collect information that wasn't given to you personally? 

Kasey: Well, I can talk a little bit about my own experiences at GoCardless. Obviously we're a B2B company. I spend a lot of time thinking about lead generation, lead enrichment, lead qualification, data enrichment. It's gotten harder and GDPR puts a lot of controls around the building of those kinds of dossiers of individuals that you can use then to enrich and enhance the datasets that you've already got because the law says that people need to know that you're doing that. They need to have controls around it and there needs to be a justification, a legal justification for the creation of those dossiers. So a lot of the companies that have been involved in lead generation and data enhancement are finding that their data sets are getting smaller and their clients are getting more demanding because the clients want those lead generation companies to be able to justify their data processing activities.

Kasey: We've seen some companies that do it really well and we've seen some companies that you get on the phone with them and you say, well, tell me about your GDPR compliance program, and it's like the shrug emoji on the other end. That's a pretty big red flag and we've had to terminate a couple of relationships because of that. I think it's imperative for anybody who's collecting that information and intends to use it to be able to explain where the information is coming from and to make sure that the providers of that information can demonstrate that they've done so lawfully. I think that means that some of that information is going to be less available than it has been in the past.

Benjamin: What I am buying data from a provider or a data source, so I'm using a lead generation service. Who's at risk here? Is the lead generation service responsible for capturing their data in an appropriate way or is it the end user of the data? Can I get in trouble? Let's say I'm working with a lead generation source to do data enrichment for the people that are visiting my website. Am I on the hook there for buying the data from them or are they on the hook for capturing it and then selling it to me?

Kasey: Well, everybody's on the hook. Data protection law has a distinction in the law about roles and responsibilities, so companies that are collecting information for their own purposes are data controllers for that information. There's another concept in the law called data processors. Those are the vendors, the suppliers that you use that support your business processes. A lot of marketing companies are going to be processors on behalf of other companies that are the data controllers. Now, under the previous version of European data protection law, data controllers bore almost all of the liability for compliance because processors really could say that they were just acting at the direction of the controller. The new version of the law puts some additional obligations on processors now, so that means that if you're bringing on another company who's performing these activities for you, you as the controller are responsible, but that processor is responsible too, and both could incur liability under the law.

Kasey: Now, lead generation is an interesting one, right? Because in a lot of cases, the creation of those dossiers is happening without you, the company purchasing the dossier, really controlling how that happens. Those companies really should be acting as controllers for the creation of those dossiers. When they share it with you, you're still a controller too. You're both liable and that means that you have a responsibility to make sure that the information sources that you're getting this from are also acting responsibly. If they've broken the law and you acquire it, then you've broken the law too. That's tricky. 

Benjamin: So the guidance for marketers, to put words into your mouth, but the guidance for marketers is that while you are onboarding data providers, you need to ask them what their compliance policy is with privacy rules and regulations, specifically GDPR, if you're marketing towards European customers.

Kasey: Okay. A newfound respect for supplier due diligence I would say as a result of GDPR and a lot of companies are putting a lot of work into that because you can't have willful blindness here. You have to be on top of where the data's coming from.

Benjamin: I think it's not only a new found respect for selecting the right vendors, but it's also newfound fear of capturing data and there's, like I mentioned in our first episode, there is this balance of wanting as much data as you can possibly get. Not knowing when it will be valuable to help with your targeting and help with your marketing automation, so my question here is while you're capturing data, how do you figure out what is a reasonable amount of data to capture? What are the guidelines for what is relevant? 

Kasey: A pretty clear guidance on that and that's one of the areas where there's been a lot of thinking put into it. You have to have a business purpose for the data that you're collecting. You can't just collect something without having a use for it in mind. You have to document that purpose. So in all of your processing activities, this is one of the significant changes in GDPR, you have to maintain a register of all of the ways that you're collecting and using and sharing information. You have to enumerate the business purposes for that information and you have to have a legal justification. Now this is where the law gets a little bit into the weeds, the legal justification. I think there are like six of them that could potentially apply. There's only a fraction of those that actually apply when you're talking about marketing activities. You can do it with consent, you can do it because it's necessary for the performance of a contract with the data subject, or you can do it under something called legitimate interests, which means that you as a company have a legitimate reason to process this information that is not outweighed by the rights of the data subject.

Kasey: That's a little bit of a balancing act and there's some guidance on how to do what's called a legitimate interest assessment. This all gets really prescriptive and operational and I apologize if anybody's eyes are glazing over at this point, but I do think that those requirements of the law provide a little bit of a roadmap for companies who want to make sure that they're only collecting the data that they need and they're doing the right thing with the data. 

Benjamin: I think at the end of the day there is a balance here and when you talk about legitimate interest, it sounds like the law is understanding that there are times when data collection, like lead generation, is appropriate and necessary. I think there is also a balance, for harvesting as much data as you can without a legitimate business need also becomes a privacy risk and you need to be sensitive to what the consumer's rights are. It's a very complicated subject. At the end of the day, for marketers that are looking to collect data specifically with lead generation, what guidance would you have to make sure that they stay compliant with privacy regulations?

Kasey: I think anybody in the marketing industry is going to have to put some serious thought into hiring an expert. I think if you're intending to operate in this space, having a data protection officer or even just having a member of a legal team or some sort of an outsourced expert who can craft the processes that you need to have in place to make sure that you continue to operate lawfully, that's just invaluable. That can save you a world of pain later on.

Benjamin: I hear you at an enterprise, having somebody on the legal team, in-house counsel that understands the rules and regulations of privacy. I've seen it firsthand working with you at eBay, how valuable that can be. What about for the little guys?

Kasey: You know I've asked this question so many times, how do you maintain something as prescriptive as the GDPR without having a full time expert on board? There's a real cottage industry that has risen up over the last year or so here in Europe that's outsourced data protection officer services and I know a couple of people that are running some pretty interesting organizations in this space that will provide support as needed rather than having a full time expert. I think it helps to have somebody craft for you a little bit of a checklist, maybe: when is it that you as a company are going to be making decisions that have a privacy impact that you might need to escalate to get real advice on? Having just some basic checklist that helps you understand when what you're doing has a real privacy impact and when you need to ask for real help could be a great way to handle this, and having somebody lined up that can be that help when it's needed is a good way to make sure that you're not falling into some of the pitfalls with the law.

Benjamin: So I'm hearing two primary tips that I want the marketers listening to this podcast to pay attention to with relation to data capture. First, when you are using third party vendors to capture your data, you need to understand what their data capture policy is because they are not the only ones that are liable for capturing the data in an appropriate fashion, and just like you have a lawyer that looks over your contracts, you also need to find a resource that can help you understand what impact your data collection policy and outreach policy has on your consumers' privacy, and there are consultants and third party counsels that can help you with this. If you don't know someone, we will try to find some resources and put some links on our website to help you find them. So I think that's a great stopping place for today.

Benjamin: That wraps up this episode of the MarTech podcast. Thanks to Kasey for joining us. Don't forget that we'll publish an episode related to privacy every day this week. So hit the subscribe button in your podcast app and check back with us tomorrow morning when we'll be discussing the privacy rules for email marketing. If you can't wait until the next episode and you'd like to learn more about Kasey, you can click the link in our show notes to see her bio or go to [inaudible] dot com. Special thanks to Searchmetrics for sponsoring this podcast. If you're looking to grow your online presence, go to searchmetrics.com to request your free tour of their platform. If you're a subscriber to the MarTech podcast, we want to thank you for being a member of our community. If you have questions, comments, you'd like to reach one of our guests, if you have any suggestions for topics we should cover, click the link in our show notes for the contact us page. You can also find links to our Twitter or LinkedIn pages, or you can just search benjshap, b e n j s h a p, in your social members. If you haven't subscribed yet and you want a weekly stream of marketing and technology knowledge in your podcast feed, in addition to the rest of Privacy Week with Kasey Chappelle from GoCardless, we've got a bunch of great episodes lined up over the next few weeks, so hit the subscribe button on your podcast app and we'll be back in your feed tomorrow morning. Okay. That's it for today, but until next time, my advice is to just focus on keeping your customers happy.

Benjamin: Welcome back to Privacy Week on the MarTech podcast. This podcast is sponsored by Searchmetrics. Searchmetrics sets the standard for innovation in the content and search engine optimization industry. They support businesses who care about understanding both how to use content as a marketing channel and how to improve their organic rankings in Google. If you're an enterprise level marketer, the Searchmetrics suite of software and services will help you optimize your existing content, help you understand what topics need to cover next, and how to ensure that your writers produce effective posts. There are billions of Google searches happening every day and Searchmetrics gets your stories to the top.

Benjamin: This week we're doing a deep dive into a subject matter that's critically important to marketers, industry, business, and channel of marketing: privacy. For those of you who are just joining us today, each week we're going to publish an episode that covers how to stay out of trouble by learning the rules of online privacy. Joining us for Privacy Week is Kasey Chappelle, who is a privacy advocate and the data protection officer for GoCardless. Kasey has worked as part of the in house counsel for large enterprises including Vodafone and American Express Global Business Travel. She has a wealth of information related to privacy and we're very excited to have her here. So far this week, Kasey has walked us through an overview of some of the basic rules of privacy, some of what GDPR means, and a little bit about data capture, and today we're going to turn our attention to the rules for privacy related to email marketing. Here's the third installment of our interview with Kasey Chappelle from GoCardless.

Benjamin: Kasey, it's midweek. Welcome back to Privacy Week on the MarTech podcast.

Kasey: Thank you Ben. 

New Speaker: We're halfway home and today I want to focus on a topic that's very important in terms of new user generation, in terms of retention driving revenue. It's critically important to marketers. Email marketing. Let me ask you, we talked a little bit about where you can capture your data, how you can capture what you can capture it, what are the basic rules for using data to reach customers and what consent you have to have to send emails to someone. 

Kasey: Oh, email consent. As an EU resident, I can tell you that my inbox has been overwhelmed over the last couple of months with emails from companies saying, "Hey, GDPR means that we need you to confirm your consent." That's not true. Hasn't changed, but email marketing rules are tricky, very specific to different locations. If you're in the US, you have to comply with the CAN-SPAM law. If you're in the EU, there's something called the ePrivacy Directive that affects you. In Australia, there's the very, very strict Spam Act, and email marketers should be aware of the implications of these very rigid, very specific laws that apply almost anywhere they could operate.

Benjamin: There's the universal definition of spam. 

Kasey: Well, I guess you could say that spam is an unsolicited commercial message. There's a distinction in most laws (Australia is an exception, I'll get into that in a second) between service messages and marketing messages. If you're sending a service message, if you're sending something that you're communicating to somebody because they bought something from you and you need to send an invoice or an itinerary or some sort of a confirmation of an activity, it's not spam, it's not unsolicited. You have a relationship with that person. It's not marketing. You're not promoting a product or service, and usually spam laws won't apply to that.

Benjamin: Okay. 

Kasey: Australia doesn't have that distinction. They just say that all commercial messages are regulated, so it's a little stricter when you think about essential service messages versus non essential service messages, but let's focus on marketing. You know it's a marketing message because it's promoting a good or service, right? You're trying to get somebody to take some action that's unrelated to a service that you're already providing to them. So that's the first question. Do you have a marketing email? Second question then is, is it unsolicited? Do you already have a relationship with this person? In the US, for example, that would be called an existing business relationship, and the rules say that you don't need express consent to market to those people. In the EU, there's something called the soft opt-in under the ePrivacy Directive and soon to be the ePrivacy Regulation that says that you can communicate with people that you already have a business relationship with until they tell you not to.

Kasey: There are some qualifications in that, right? In the EU, you have to give them the upfront choice to tell you not to communicate to them at the point where you create the business relationship with them. That's why when you check out, say in an ecommerce flow in the EU, you'll see the little box at the end that says, we'd like to continue to communicate with you about related products or services to care to tell us not to or something like that. Now, GDPR has some new rules around consent. If you were relying on consent, we talked in the last section about when you do need to rely on consent. There are other justifications for processing, but where you do need to rely on consent because you don't have an existing business relationship, you're trying to reach out to somebody new for something new, then GDPR says that consent has to be specific, it needs to be informed.

Kasey: It needs to be unbundled from other disclosures, so it couldn't be, for example, you can't require somebody to tick the box and give you consent or they can't do the thing that they're trying to do in your privacy policy. Exactly. That's why you are more often now seeing those separate tick boxes in the checkout flow. There's a distinction to me between marketing emails and sales specific emails for the cold email on official line in the sand from marketers that I've talked to have been. One of them is when you are sending a one to many email everyone that you're sending it to needs to have given you consent, so if I have a newsletter or someone has to have subscribed to the newsletter for me to reach out, but the sales team can send one off emails from their personal accounts and using the same domain and not be breaking the law. 

Kasey: Is that true? I mean I've worked at a handful of B2B clients and their sales teams do lead generation. They go through LinkedIn and they scrape people's email addresses and they reach out to them personally. What's the rule related to one to one email outreach? There's another word that you used there that I think draws an important distinction there and that's B2B. B2C is different, and most marketing in the B2C space is going to be the email blast because you're not going to reach out individually to individual consumers, but B2B marketing can be more targeted, more tailored and more specific in that way. You are generating a relationship with an individual. B2B marketing here in the UK at least is treated differently from B2C marketing in a lot of cases. You can rely on the legitimate interests assessment.

Kasey: Remember we talked about those justifications for processing, so the legitimate interest justification says that you can communicate with somebody, you can use their data, you can reach out to them to create a sales relationship because you as the B2B marketer have a legitimate interest in doing that and because what we're talking about is B2B, because it's an individual outreach to somebody in a business context and not in a personal context. Then when you do that balancing test against their right to not be reached out to, then that balancing test falls on your side of the equation. What's interesting to me is essentially when you're at work, there is less protections for you in terms of email marketing. It's more legal, if that's a phrase I could use, for someone to send you an unsolicited email because it's going to a work inbox, which is just interesting to me. The other thing that I guess I want to ask you about is with the increase in marketing automation, I'm seeing more personalized outreach on the consumer side. For example, I sign up for a service where I buy a product and

Benjamin: I get an email that looks like it's from the company's founder. No, in reality, it's an automated message that can be sent to everybody. My question is, does it matter if it is from a general inbox or from a personalized inbox related to what the privacy rules are? 

Kasey: It doesn't actually matter. If the email is being sent to somebody who has engaged in your services in the past, then you can rely on the existing business relationship exception. You can rely on the soft opt-in, which means that you don't have to have the explicit consent of the recipient to send that message regardless of whether it came from a personalized email account of the founder or not, quote unquote. The distinction here isn't related to who sends the message. It's related to the context in which it was sent.

Benjamin: What I'm hearing from you is that there is less protection of your inbox when you are at work and the expectation is that it's okay for someone to send unsolicited emails to you as long as they have a business purpose, meaning that they are trying to sell you something that's actually not CAN-SPAM. On the flip side, if a sibling sends a personal email to your personal inbox trying to sell you something, that's more likely to be crossing the line, so you do need more protections to sell to consumers than you do in B2B. Is that fair?

Kasey: I'm thinking about this because obviously I've been living in the UK for 10 years, so a lot of the advice that I've been giving most recently has been about how this works in the UK regulatory context. I don't know that the FTC rules actually have that B2B versus B2C distinction.

Benjamin: It seems like there's an awful lot of gray area. This is the frustration for marketers in terms of what is CAN-SPAM, is that the laws are not 100 percent clear with the distinction between what I'll call sales marketing and email marketing.

Kasey: So I'm looking at this here and say that under the CAN-SPAM Act, you can send emails to business people, so CAN-SPAM is really around consumers. I wouldn't say that it's necessarily that your business inbox doesn't have as many legal protections around it because remember CAN-SPAM isn't just about that initial consent.

Benjamin: It's also about not being misleading. 

Kasey: It's about making sure that you can unsubscribe. What spam laws around the world do in a B2B context is they recognize that businesses have a need to market to other businesses or they'd go out of business.

Benjamin: So the good news is that the unsolicited emails from the sales team doing lead generation trying to generate new interest, those are actually fair game in terms of spam laws. But on the flip side, you absolutely need to have consent when you're sending your mass marketing bulk emails, no matter how personalized they are, and I think that's a good stopping point for today's episode. So that wraps up this episode of the MarTech podcast. Thanks to Kasey for joining us. We're going to publish an episode every day this week. We're halfway to the finish line, so hit the subscribe button on your podcast app and check back with us tomorrow morning when we'll be discussing the rules for online advertising, and if you can't wait until our next episode and you'd like to learn more about Kasey and GoCardless, click on the link in our show notes to her bio or go to gocardless.com.

Benjamin: Special thanks to Searchmetrics for sponsoring this podcast. If you're looking to grow your online presence, go to searchmetrics.com to request your free tour of their platform. If you're a subscriber to the MarTech podcast, we want to thank you for being a member of our community. If you have questions, comments, if you'd like to make suggestions on topics we should cover with a link to the contact us page in our show notes. You can also find links to our social media pages or you can just look for Benjay, Shap, b, e nj o s h, a p in whatever social network you're on. If you haven't subscribed yet and you want a weekly stream of marketing and technology knowledge in your podcast feed in addition to the rest of Privacy Week with Kasey Chappelle from GoCardless. We've got a bunch of great episodes lined up for the next few weeks, so hit that subscribe button on your podcast app and we'll be back in your feed tomorrow morning. Okay, that's it for today, but until next time, my advice is to just focus on keeping your customers happy.

Benjamin: Welcome back to Privacy Week on the MarTech podcast. This podcast is sponsored by Searchmetrics. Searchmetrics sets the standard for innovation in the content and search engine optimization industry. They support businesses who care about understanding both how to use content as a marketing channel and how to improve their organic rankings in Google. If you're an enterprise level marketer, the Searchmetrics suite of software and services will help you optimize your existing content, help you understand what topics need to cover next, and how to ensure that your writers produce effective posts. There are billions of Google searches happening every day and Searchmetrics gets your stories to the top.

Benjamin: This week we're doing a deep dive into a subject that is critically important to marketers in every industry, business and channel of marketing: privacy. For those of you who are just joining us, we're publishing an episode every day this week related to the rules of online privacy.

Benjamin: Joining us for Privacy Week is Kasey Chappelle, who is a world-renowned online privacy advocate and the data protection officer for GoCardless. Kasey has worked as part of the in house counsel for large enterprises, including eBay, Vodafone and American Express Global Business Travel, and she has a wealth of information related to online data protection and privacy. So far this week Kasey has walked us through some general rules for privacy, what GDPR means, how you can safely capture some data and what are the rules for email marketing. And today we're going to talk about online advertising. Here's the fourth installment of our interview with Kasey Chappelle from GoCardless. Kasey, it's Thursday. We are almost to the finish line. Welcome back to Privacy Week on the MarTech podcast. It's great to be here, Ben. Always good to talk to you. Today we're going to jump into talking about online advertising. So we've talked a little bit about data capture. What are the rules for where you can capture data, what's legal, and we've talked a little bit about email marketing. How can you reach out to your customers? What about the people that haven't actually given you their personally identifiable information? What are the rules for reaching out to your customers using third party ad platforms?

Kasey: You know, when I started my career in privacy, roughly 1998, which feels like a long time ago, was a long time ago,

Benjamin: 20 years ago 

Kasey: When I started my career in privacy in 1998, one of the really big ticket hot topic items on the agenda was online privacy and behaviorally targeted advertising, adware and spyware, the use of cookies, and here we are in 2018, 20 years later, and the really hot topics in online privacy are behaviorally targeted advertising and the use of cookies in the collection of information and the use of it for advertising online. The more things change, the more they stay the same, and I think part of the reason why we're getting so many more detailed and prescriptive privacy laws around the world is because there's a deep sense of unease about the way that we've managed the collection of information online and the use of it for targeted advertising and other customization and personalization. People don't know what's happening to their data and they're really unnerved by it when you ask them about it. Now, that doesn't mean they're necessarily changing the way that they interact online, but people are starting to get the ability to lock some of this down. With the rise of things like ad blockers, private browsing, people are starting to go dark online and the laws of course are getting stricter, so I think marketers are paying the price for 20 years of maybe not being as open and honest and giving people as many controls as they would've liked in this space.

Benjamin: of the market in the room. Let me just say, I mean, do people know what's happening with their data? Like I'm pretty sure my dad knows that when he's on Facebook that whenever he puts information online that it's going somewhere, that they're capturing it. There are ads that follow him around the Internet. When he goes to Amazon and buys something and then goes to whatever webpage he's going to next, that product shows up in front of him. My dad is not the most technologically savvy person in the world, but he's able to connect the dots that I was on Amazon looking at a product and now it's in front of me. That's not random. I just don't buy that people don't know what happens with their data. Maybe they don't understand technically how it's passed or how it's protected, but when you go to a website they were trying to understand who you are.

Kasey: People understand that now. They may not have in the past, but certainly especially with the rise of GDPR, people are very aware now of the implications of how they share data online, and it's funny you mentioned Facebook because obviously Facebook has gotten in a lot of trouble lately for a lot of these things and part of the reason why they're so heavily scrutinized, why they're in so much trouble for these things is because they have not been as upfront as they should have been early on in the process. Now, Facebook's in trouble for an entirely different reason right now with Cambridge Analytica, but think about the position that Facebook is in. Your dad knows what happens to his data on Facebook even if they're using it for other purposes because he has a relationship with Facebook.

Benjamin: Yeah, 

Kasey: But your dad doesn't have a relationship with the multitude of advertising companies operating in the back end. I'm sure you and most of your listeners have seen those charts of the complexity of the online marketing industry and how many different players on the demand side, on the supply side, and all of the exchanges in the middle. Do you think your dad understands who exactly is making those decisions about him and how he might, if he wanted to, turn those decisions off?

Benjamin: In the same way? When my dad, who's a homeowner, understands that when he pays his utility bill, he was paying one company to deal with the waste that comes out of the house. Now. Does he know what company manufactured the piping to take the waste out of his house? Does he know what the relationship is with the treatment plant? Does he know what the water recycling plant that repurposes it for drinking water, and this is maybe a bad metaphor, but he understands that there is a mechanism that takes his data and repurposes it for online advertising in the same way that he understands when he pays the waste management company to take the trash out, that they do something with it and it goes away and somebody else deals with it and yeah, sure, maybe they monetize whatever is in the trash, but I'm done with it.

Kasey: It's an interesting analogy, but I think it fails in one important point, and this is an important distinction between the US approach to privacy versus the EU approach to privacy. In the US, privacy is handled as a consumer protection issue, which means that sure there are a lot of these companies that are using your data, but if generally you're not being unnecessarily discriminated against or impacted in some way that's harmful to you, then it's unlikely that there will be a regulatory impact for using that data. The EU doesn't handle it that way. In the EU, there is a fundamental constitutional equivalent, right 

Kasey: to informational self determination, which means that even if that information isn't being used in a way that is detrimental to you, you have a right to understand who's using it, why they're using it, how they're using it, and to make choices about it. So that's where the complexity of the ecosystem, it becomes a problem because it's very, very difficult. You know, your dad doesn't have a right to waste management self determination in the same way that he has a right, if he's an EU resident, to informational self determination, but he can't exercise that if he doesn't understand how the ecosystem works or. And this is where I think the most progress will be made, if there is an industry code of conduct that ensures that he has maybe a one stop shop for identifying who's got his data and how it's being used and making choices about it.

Kasey: So that's where industry initiatives like the DMA or the IAB or the NAI come into play because what they can do is they can create, let's call it a translation layer between all of these complex things that are happening in the background that nobody really should expect a lay person to understand and what are the real choices that that person needs to make in order to make sure that their human rights are being met. Being a human and being a marketer for a second. Although humans to market, no matter how much artificial intelligence is becoming prevalent in the marketing industry. Like I understand that I appreciate and I believe in the need for people to be able to maintain anonymity and privacy. I think the reality on the other hand is there is value created by the distribution of information that helps consumers but also helps businesses which helps the economy which creates jobs.

Kasey: And now we're going down the rabbit hole of, you know, where do we draw the line for privacy and what marketers can do. I want to turn the conversation a little bit to what marketers need to know to make sure that they are applying best practices and not getting in trouble in terms of online advertising. I have data from my website. We have cookies, Google has a cookie and facebook has a cookie and I can feed information based on what behaviors people have on my website and I can plan marketing automations and marketing campaigns around that. What's the line? Where do I get in trouble? You get in trouble when you're using individually identifiable data in a way that that individual doesn't have any control over, and I've chosen my words carefully there because I think that there is sometimes a disconnect between what the marketing industry would consider to be personal data and what regulators consider to be personal data. 

Kasey: My one piece of advice is identifiability matters, so if you can achieve what you want to achieve with data that is at the least achievable level of identifiability, then you will minimize your legal problems. That probably doesn't make a whole lot of sense. Let me use some really concrete examples here. Okay. GDPR makes a distinction between personal data, anonymous data, and an interim category called pseudonymous data. Pseudonymous data means that it's about an individual, but it's not connected to any real world identifiers, and what the marketing industry would say is that a lot of online advertising is pseudonymous rather than fully identified. Now pseudonymous data is still treated as personal data because it has a direct impact on people. You're being singled out from other people and presented with content that is tailored appropriately to you and because you're being singled out and targeted and things are being personalized for you.

Kasey: Even at a bucket level as the industry talks about, it means that there's the potential for some sort of a discriminatory impact. So what the law says is that if you're creating those kinds of pseudonymous profiles, you're targeting people in that way, then there's a certain level of regulatory obligation that you need to meet, but it's a lower level than fully identified data. There are a couple of, let's flippantly call them, get out of jail free cards that are associated with pseudonymous data that can help. They see pseudonymization as a privacy enhancing technology. It means that if you don't have the ability to connect this back down to a real world identifier, there are certain things that the GDPR requires of companies handling fully identifiable information that you don't have to worry about. Things like responding to subject access requests and some of these other more heavy prescriptive obligations that don't apply to pseudonymous data.

Benjamin: So what I'm hearing is essentially there's three levels of data. Personally identifiable information: your name, your email address, your social security, your phone number. There are clear data protections around how those can be used in online advertising targeting. There is pseudonymous data, which is cookies, and I'm just going to use an example of somebody comes to my website. They look at a product, I can retarget them using the cookie without actually knowing who they are, but I can personalize the advertisement based on their behavior. So that sounds like pseudonymous data, and then there is anonymous data, which I guess that's aggregate data where you don't know a person

Kasey: Aggregate data. Certainly right. If you aggregated it, then you've achieved a level of anonymity that takes it out of the scope of data protection law. Pseudonymous data, think of it as when you maybe have a unique identifier attached to the data, but it's not a persistent identifier and it's not connected to any sort of real world identity, and achieving that level of pseudonymity, it's not uncomplicated, but certainly if you're providing a marketing service and you're making that effort to make sure that you're stripping out direct identifiers, that you're keeping your unique identifiers on a nonpersistent basis, then you've achieved a level that the GDPR recognizes as privacy enhancing. Well, that doesn't mean that you don't have any data protection obligations, but it does mean that there is a recognition that you've taken some steps to be privacy protective.

Benjamin: So let me give you a real world example. Using Facebook, hot topic. People come onto my website and I get 500 email sign ups and I want to take those email addresses that people have given to me. Somewhere in my privacy policy it says that I can use that information for marketing. I take those emails, I upload them to Facebook, I add some creative and I start serving them ads. Let's say I'm promoting somebody else's business. Now it's not even my business, right? I have an affiliate relationship and I want to push people to buy something on Amazon. Is that legal? I'm taking personally identifiable information. I'm uploading it to Facebook and I'm driving someone to a service that doesn't have their consent.

Kasey: Well, the devil's in the details here. Where did you get the emails to begin with? Did you collect them lawfully? Did people know that you would have them and that you'd be using them for marketing purposes and even if you're not using to email them? If you've collected the information for marketing purposes, then the law generally says that you have to have used some level of transparency there. 

Benjamin: The example I'm using, and really what I'm getting at is you can take a list of email addresses, hypothetical. You get them in a way that says, I'm potentially going to use this information for marketing, but they're looking at a checkbox that says, yes, I want to submit this form to get this white paper or to contact you. Now, let me preface this with, I don't do this. Everybody who's listening, I'm not advertising on Facebook or advertising anything else to you, but Facebook does have the ability to take email addresses and target those people. Probably most marketers already know that. The question really is related to how much consent do I have to get from customers to be able to use their PII in the advertising platforms and that's why I'm asking the question. So Kasey, using this example of the end customer did technically give consent through my privacy policy but probably doesn't know that I'm going to be advertising to them for another service. Is that okay?

Kasey: So the first thing that I would, I would take a look at here if I were advising on how to create good privacy in that kind of an interaction is what's the nature of your relationship with the data subject, with the end user here. If they've checked out in some way with you, if they've engaged in a transaction with you, you've clearly had an opportunity to present a privacy notice to them, right? So you've interacted with them in some way. Now you've got their information because you've interacted with them and you're using that information to engage in some sort of a commercial activity, in some sort of a marketing activity. The fact that you've uploaded those to Facebook for their audience matching services is probably an outgrowth of that relationship with that person. Now maybe you're advertising somebody else's goods and services and in order to make sure that you are able to do that in the US, it would probably be okay if you have that in your privacy notice and you let people know that you are collecting their information for marketing purposes. In the EU, you'd probably have to be a little more specific.

Kasey: That checkbox would need to include some fairly detailed information about the fact that you were using their information for third party marketing purposes and you might need to get explicit consent. You might need to get their opt in to use their information for third party marketing purposes, 

Benjamin: reason for marketers to engage with a privacy specific expert when they're putting their legal documentation together. I think the takeaway here is it depends where you are. It depends what's in your privacy policy. It depends what data you're using. It depends what platform. Privacy is very complex. 

Kasey: Well, here's an important thing to understand. Privacy is contextual and it's about expectations. It's about whether what you're doing is going to be consistent or inconsistent with the model of what's happening 

Benjamin: that is in your consumer's head, 

Benjamin: and that's where I go back to that first point of, don't be creepy. Do people expect that this is happening? If they don't expect that this is happening, how do you adjust that expectation? How do you make it clear to them that it's happening and in some cases, depending on the impact to them, how do you give them the choice to either say yes or say, no, I want you to pull the car over. I want you to take out a pad of paper and write this down. Don't be creepy, and that wraps up this episode of the MarTech podcast. Thanks to Kasey for joining us. Don't forget every day this week we've published an episode related to privacy, so hit the subscribe button on your podcast app to check out our last episode on privacy when we'll be discussing what are the repercussions for breaking the law as they relate to privacy. 

Benjamin: If you can't wait until our next episode and you'd like to learn more about Kasey and GoCardless, you can click on the link in our show notes to find her bio or you can go to gocardless.com. Special thanks to Searchmetrics for sponsoring this podcast. If you're looking to grow your online presence, go to searchmetrics.com to request your free tour of their platform. If you're a subscriber to the MarTech podcast, thank you for being a member of our community. If you ever have questions, comments, if you'd like to suggest topics that we should cover on the MarTech podcast, click the link to contact us in our show notes or you can find a couple of links to our social networking accounts. You can always search Benjay, shop B, e nj o s h, a p for any social network and you'll be able to engage with us there. If you haven't subscribed yet and you want a weekly stream of marketing knowledge in your podcast feed. In addition to the last episode of Privacy Week with Kasey Chappelle from GoCardless, we've got a bunch of great episodes lined up over the next few weeks, so hit the subscribe button in your podcast app and we'll be back in your feed tomorrow morning. Okay, that's it for today, but until next time, my advice is don't be creepy and just focus on keeping your customers happy.

Benjamin: Welcome to the last episode of Privacy Week on the MarTech podcast. This podcast is sponsored by Searchmetrics. Searchmetrics sets the standard for innovation in the content and search engine optimization industry. They support businesses who care about understanding both how to use content as a marketing channel and how to improve their organic rankings in Google. If you're an enterprise level marketer, the Searchmetrics suite of software and services will help you optimize your existing content, help you understand what topics need to cover next, and how to ensure that your writers produce effective posts. There are billions of Google searches happening every day and Searchmetrics gets your stories to the top. This week we've been doing a deep dive into a subject that's critically important to marketers and every industry, business and channel of marketing: privacy. For those of you who've missed the last few episodes, if you're just catching up, each day this week we've published an episode that covers how you can better understand the appropriate ways to use data and target your customers.

Benjamin: Joining us for Privacy Week is Kasey Chappelle, who's a world renowned online privacy advocate and a data protection officer for GoCardless. Kasey has worked as part of the in house legal counsel for large enterprises, including eBay, Vodafone and American Express Global Business Travel. She has a wealth of information related to data capture and privacy and we're excited to have her here. So far this week, Kasey has walked us through some general rules for understanding privacy, what you need to know related to data capture, what are the rules for email marketing and what you can do in terms of online advertising. And today we're gonna talk about what are the repercussions when you break the law related to privacy. Here's the last installment of our interview with Kasey Chappelle from GoCardless.

Benjamin: Kasey, it's great to have you back. The finish line is near. It's almost the end of privacy week.

Kasey: Oh, that's kind of sad then, but it's good to be here.

Benjamin: It's been fantastic to catch up and I feel like one of the things that I want to talk about first before we get into the repercussions, a lot of our conversations from marketer to lawyer are, here's what the law is and then the marketer says, okay, but here's what the tools do and here's how I upload the information and there's a lot of gray area in between what you can and can't do. Is it me or is this stuff complicated and not very clear?

Kasey: You can almost think of that as a feature, not a bug. It's supposed to be complicated and not very clear because the law isn't going to give you the answer to every single possible circumstance. The law is going to tell you some guard rails. It's going to tell you what are the general principles you need to understand and then it's up to you as a company to make decisions about how your specific circumstances fit within those general principles. 

Benjamin: So we've talked about a couple of those principles throughout the week and I will try to summarize some of them. First off, you've mentioned it, I've said it as the closing to our last episode. The hard and fast rule for privacy and data protection is don't be creepy, and the underlying rules behind that are tell your prospects and customers when you're capturing their data, tell them what you're capturing, tell them how you're going to use it and tell them how long you need it and have a reasonable business case for having that information. Did I miss anything there in terms of the general rules of privacy?

Kasey: No, that sounds pretty good. 

Benjamin: Great. So we've set a baseline for what you need to know in terms of high level rules for privacy. Now what happens when you break the rules? What happens when you break the law? 

Kasey: Well, like with all gray areas, you can come too close to the opposite edge of the line, right? And then you're fully in the black and not in the light. When that happens, it really depends on the legal regime. There are nuances to enforcement across different countries. In the US, for example, you're going to have the FTC as a very activist regulator. Now they're going to step in when there's a circumstance that sets a precedent that they want to set, they're going to pull out the big guns.

Benjamin: When you've done something really wrong, 

Kasey: When there's broad or widespread malfeasance or when something is really high profile,

Benjamin: That's not going to be the case when you're exactly right. That's not going to be the case for most marketing activity. I'm sorry to everybody that works at Facebook for turning you into a verb and from my friends that work there. It's a wonderful company. For the record, I'm an investor. I believe in Facebook. I'm just trying to be funny.

Kasey: Well, but Facebook is a useful tool in the arsenal for people like me because there are so many cautionary tales that come out of it. I don't know if you remember, I used to use Facebook Beacon as the cautionary tale at eBay and I continued to use that. There are lots of examples of where Facebook operated in the gray area and got it wrong and for most of my career, the response from certainly people on the product side had been, well obviously they're getting away with it and my response has always been they're not entirely getting away with it. They're paying the price in a lack of trust. They're now paying the price in higher scrutiny and recently they've been paying the price in some pretty spectacular fines. Both Facebook and Google have been subject to some of the biggest enforcements in privacy in history. These have been driven by the FTC on the US side, and they've been driven by primarily the competition authorities in the EU and that's because until just recently there were not heavy fines associated with violations of data protection law. Now GDPR totally changed that equation. GDPR can impose up to four percent of total global turnover as a penalty for violating it.

Benjamin: Okay, so four percent of total global turnover. First off, what's the turnover? 

Kasey: This hasn't actually been put into effect yet. This is linked to revenue, but we haven't really had any good enforcement cases in effect yet, so we're not entirely sure what the calculation is going to be that goes into that. I also think that if the penalty that you're focused on is regulatory fines, you're missing the biggest risk because most marketers also aren't going to see the impact of the highest level of fines. The EU continues to be reliant on the enforcement activities of member state data protection authorities who are in large part overstretched, under-resourced, and they're going to be doing the same thing the FTC does. They're going to be looking for the cases that have the highest impact.

Benjamin: Yeah, they're resource constrained. Just like any other entity and they're going to look for the biggest culprits or the highest visibility one, so other marketers understand that there is a repercussion to breaking the law. Exactly. 

Kasey: Now what you are going to see happen though is what's happening in the US. For example, class action lawsuits and naming and shaming. There's a lot of activity from privacy advocates in this space. Companies that get it wrong, you know they're going to get a little bit of a spotlight shined on them. In the EU, there is now the ability for privacy advocates to bring class action lawsuits. There has not been a culture of class actions over here in the past and that's where you're going to see a lot of activity. You're going to see some of the same privacy advocates that, for example, protested against the Phorm behavioral targeting activities here in the UK, the ones who protested against Facebook's use of the safe harbor and got the safe harbor invalidated. There's a lot of activity over here in that space, and the GDPR gives them new powers.

Benjamin: What was the safe harbor that was invalidated? 

Kasey: This is really going to get into the weeds. The safe harbor was a mechanism that allows you to transfer personal data from the EU to entities in the US. The GDPR and the data protection directive before it had obligations to minimize the transfer of data outside of the EU. You could only send it to foreign countries if those countries could provide the same level of protection as the EU.

Benjamin: It's the underground railroad of data. 

Kasey: That's a way to make sure that EU protections continue to apply to data even when it's transferred outside of the EU. Now, the safe harbor was the way that a lot of companies operating in the US allowed for that transfer to happen. There was an Austrian law student who brought a case against Facebook in Ireland that went all the way up to the European Court of Justice and invalidated the safe harbor, which meant that companies like mine, that were transferring data to operating entities outside of the EU, had to struggle to find alternative mechanisms to continue to allow that transfer without creating business disruption. It was a huge deal in my industry and for a lot of companies. Now those advocates have new powers, so that's what we have to worry about more.

Benjamin: So essentially what I'm hearing is that regulatory powers, if you are a highly visible or a ruthless lawbreaker, can essentially come and hit you with fines up to four percent of your operating revenue, which is a huge mark,

Kasey: Regardless of how that's calculated, it's going to be big.

Benjamin: Basically four percent of something is what you can be fined, which is meaningful. It's not 50 percent, but it's meaningful. Mostly if you're an enterprise level company. The other thing that comes to mind is, you know, Facebook has obviously had some data protection issues. They've sort of been highlighted as a platform that can be taken advantage of and they had a 20 percent drop in their stock in this quarter, the same quarter that Mark Zuckerberg was in front of Congress. And to me, I don't think that that's an accident. I think that having all of the privacy and data protection issues that they've seen showed up in their bottom line. Not in the fines, but in the public opinion and in their ability to drive revenue because people soured on the platform, so the impact that it had on their brand reputation ended up having a bigger impact than any of the regulatory powers can fine them.

Kasey: Absolutely. When I was at Vodafone, we used to talk about the Daily Mail test, which was essentially is this an activity that you want to see on the cover of the Daily Mail? It's the tabloid newspaper. It's very alarmist, very extremist. The supermarket here, Tesco, had a Daily Mail cover story about their use of their loyalty program data and how they were selling that to third parties and that's another great cautionary tale that I've used. The impact on brand, the impact on reputation. You can't put a figure on that and when it's gone, it's gone. A good reputation for good privacy practices is money in the bank. When it comes to this stuff, a bad reputation can sink you. Twenty percent of Facebook's value is a significant drop. Even Facebook, they're no longer getting away with it and sorry, Facebook, for picking on you. I have some good friends there too. I think one of the other things to keep in mind, particularly when you're operating in a B2B space, is that it's not the regulators who are going to be your harshest critics or your biggest watchdogs. It's your clients because there's another part of the GDPR that requires companies to exercise oversight over the third parties that they work with, and what that means is that there's a lot more due diligence that's being exercised. So if you're working with other companies, they're going to be expecting you to have your story straight.

Benjamin: At the end of the day, it's like for marketers who are listening to this, and I've spent all week listening to privacy, this is not something that shows up in our KPIs. Our job is to build a brand. Our job is to get awareness, drive engagement, create revenue, but there is the risk that if you behave badly and you do take advantage of people's privacies, if you take advantage of your customers, the repercussions far outweigh the benefits. So again, Kasey, what was the tagline? What was rule number one related to privacy?

Kasey: Rule number one was don't be creepy.

Benjamin: Okay, so don't be creepy. Tell people what data you're collecting, tell them how you're going to use it, get consent when it's being used. We've gone through lots of detail about email marketing, what's appropriate about online advertising. I hope you've enjoyed privacy week and at the end of the day, keep your customer's best interest at heart and let them know what data you're collecting and how you're collecting it, and that wraps up Privacy Week on the MarTech podcast.

Benjamin: Thanks to Kasey for joining us. If you've enjoyed privacy week and you'd like to hear us discuss other media topics related to marketing and technology, hit the subscribe button in your podcast app and check back with us next week. If you can't wait until our next episode and you want to learn more about Kasey or GoCardless, click on the link in our bio or go to gocardless.com. Special thanks to Searchmetrics for sponsoring this podcast. If you're looking to grow your online presence, go to searchmetrics.com to request your free tour of their platform. If you're a subscriber to the MarTech podcast, we want to thank you for being a member of our community. You can contact us if you ever have questions or comments, or if you'd like to talk to any of our guests, by clicking the contact us link in our show notes, or you can visit our website, which is martechpod.com.

Benjamin: You can also find links to our social networking accounts, or you could search BenJShap, B-E-N-J-S-H-A-P, in any of your social networks. If you haven't subscribed yet and you want a weekly stream of marketing and technology knowledge in your podcast feed, we've got a bunch of great episodes lined up over the next few weeks, so hit that subscribe button on your podcast app and we'll be back with you next week. Okay, that's it for today. Thank you again, Kasey Chappelle from GoCardless, for joining us for privacy week, and my advice until next time: don't be creepy and just focus on keeping your customers happy.
