The New Age of Marketing: Compliance, Regulation and Data Management


By Gregory Gragg, CEO, Blue Chair LLC (Gragg Advertising, IntegriShield and Lever1)

All businesses need to start looking at marketing at a higher level. That means employing a marketing critical thinker and visionary to put together a marketing plan for the future.

Why is this important?

Change. Plain and simple. You must actively prevent your marketing plan from becoming stagnant, or one of three things will assuredly happen: your marketing program will fail to embrace new technology and systems to better reach the consumer, become irrelevant in the consumer’s mind or, worse yet, get you sued. In some cases, the government is forcing you and your business to change.

So, let’s start with compliance, regulation and data management.

Americans with Disabilities Act (ADA), privacy, content, data and usage compliance

Your marketing activities could result in a lawsuit or, even worse, a Civil Investigative Demand Order (CID) from the Federal Trade Commission (FTC) or the Consumer Financial Protection Bureau (CFPB), or an investigation or action from any of a number of state Attorneys General.

Any business owner who has been subjected to a lawsuit, CID or action knows that even if you win, you lose due to the time and money spent fighting legal or government entities.

The Americans with Disabilities Act

The ADA requires businesses to make accommodations for individuals with disabilities.

The ADA ensures people with disabilities are protected in all areas of public life, including jobs, schools, transportation, and all public and private places that are open to the general public. In addition, web content should be accessible to the sight- and hearing-impaired and to those who must navigate by voice, screen readers or other assistive technologies. The standard currently relied on is Web Content Accessibility Guidelines 2.0 (WCAG 2.0), and the most current version is WCAG 2.1.

In September 2018, the U.S. Department of Justice (DOJ) confirmed that ADA DOES apply to public accommodations’ websites. Also, in 2018, there was a 177% increase in lawsuits over website accessibility versus 2017. (Source: https://www.adatitleiii.com/, dated Jan. 31, 2019).

Failure to create an ADA-compliant website could open your business to lawsuits, financial liabilities and damage to your brand reputation. Private lawsuits will likely end in a judge telling you to fix your site, so do it now before you have to pay attorney fees.

In summation, it is better to devote the resources necessary to ensure your website is ADA compliant than risk a lawsuit.

General Data Protection Regulation

General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). All sites that attract European visitors must comply even if they don’t specifically market goods or services to EU residents.

The GDPR mandates that EU visitors be provided several data disclosures. The site must also take steps to facilitate such EU consumer rights as a timely notification in the event of personal data being breached. Adopted in April 2016, the regulation came into full effect in May 2018, after a two-year transition period.

Why is GDPR important in the states?

The GDPR paved the way for the California Consumer Privacy Act (CCPA), which codified enhanced privacy rights and consumer protection for California residents.

Other countries and states will be following the same guidelines and using them as a baseline for their privacy laws and regulations.

It would be wise to consult your lawyer for a definitive plan, but the following are best practices developed by our experts; we feel these will go a long way toward protecting you from various federal and state civil actions.

Data mapping

Make sure you outline on paper how data runs through your organization. Mapping the flow of data will help you identify areas that could cause GDPR or CCPA compliance problems.


Compliance is a company process of change for current systems and employees – all employees need to understand the importance of data protection and be trained regularly on the basic principles of all applicable regulations and procedures necessary for transparent data management and compliance. Document your process in writing and then follow it.

Privacy policy

Review and update your privacy policy. If you do not know what this is, you are in trouble. Check with your legal and compliance team and dig in. This is the first place regulators will look for compliance.

You are required to report to individuals the legal basis for processing the data, retention periods, the right to complain, whether their data will be subject to automated decision making, and their rights under the GDPR and CCPA.

You must provide the privacy policy information in clear language that is easy to understand.

Vendor management

Understand how your vendors are generating their information and ensure they are following the same guidelines you are. Do not buy leads from anyone who does not have a clear map of the data they are selling as well as a clear privacy policy of their own. Ask to see both. Make sure your vendor agreements include language assuring the vendor will be in compliance with all applicable regulations.

The current rules and regulations have a lot of grey area. If your vendor is out of compliance, you could be held accountable for using the data they have supplied. The market will have to come up with different tactics to make sure all data complies, but not at the cost of sacrificing user experience. Many companies came out with new features in the weeks before the initial GDPR deadline in May 2018, so be sure to check competitor websites for changes and best practices for your niche industry.

Protect yourself from and report any data breaches

You should be meeting with your IT team regularly to discuss the attacks your system is seeing as well as the security plan for data. We permanently delete or invalidate data every six months. Millions of records are managed annually, so we felt redacting information to ensure the data no longer had value was the way to go. Check with your team to develop your own data management plan. General rule: Don’t keep data you don’t have to keep. Dump it.

Be sure to have the right procedures in place to detect, report and investigate not only internal but also external data breaches.

You may want to set up scenarios on data breaches and how you would respond to each situation. Keep in mind local data is different from national and international. Your team’s reaction will also be different for each. Have a plan and analyze the scenarios to uncover your weak spots. Then fix them. We have experienced data breaches, and I can verify they cause a significant disruption to your business. In many cases, the press gets involved, which then leads to federal and state investigations. This is another fiscal and time hole you don’t need.

Typically, you must report data breaches to the Supervisory Authority within 72 hours, unless the personal data was anonymized or encrypted.

Continue working on operational policies, procedures, and processes

As mentioned before, privacy is not a one-time project. It is continuous work to make sure that the data you collect is safe and used with a proper scope. You should review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.

Opt-in forms

The focus here is to gain consent on all marketing generated through your website or landing pages. Submittal and opt-in forms are primary ways businesses gather information. So, make sure the privacy policy, as well as disclaimers and opt-ins, are a part of the process.

Cookie consent

Make sure you are adjusting forms and getting consent for cookies.

As part of the opt-in protocol, make sure you have disclaimers, privacy statements and opt-ins for cookies. You will need to explain to the consumer specifically how you will be “cookieing” them. They will need an opt-out option.

Additional GDPR cookie regulations are coming out; you can find them here at https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_Union). Again, these are the EU regulations, but all states are looking at these as guidelines for creating their own state laws.

Data transfer and disclosure

Make sure your privacy policies and disclosures follow federal guidelines. Outline to the consumer how their data is being used and who it will be sold to. They now have the right to know in California and soon will across the country.

“What’s measured improves.” Peter Drucker

Greg Gragg

GREG GRAGG, as CEO of Blue Chair, LLC, has 27-plus years in the post-secondary education field. In addition, he has more than 30 years of entrepreneurial experience in startups, acquisitions, business development, and takeovers. Beginning with Gragg Advertising in 1992, Greg has started four additional technology companies, purchased one and helped develop over 20 proprietary products focused on “good practices” in performance marketing, Professional Employer Organizations and Brand Security.

Greg has been nominated for entrepreneur of the year twice and has received numerous accolades and awards over the years.

Contact Information: Gregory Gragg // CEO // Blue Chair (Gragg Advertising, IntegriShield, Lever1) // 816-591-6529 // ggragg@bluechairllc.com // bluechairllc.com // FB: Gragg Advertising, Lever1, IntegriShield // LinkedIn: Gragg Advertising, Lever1, IntegriShield


