Eye on Privacy: New Year, Old Data
I usually start the year with a look ahead at what marketers might expect from legislators and regulators, but not this year. Because like legislators and regulators, all I can see is a proliferation of data, and not just marketing data. Everyone is in the data business. Companies are either buying data or looking for ways to monetize their data assets. And they’re probably doing both.
As marketers, we’ve been in the data business for decades. We have the experience, understand the risks and are well-positioned for whatever 2015 may bring—or are we? While we wait to see how the Internet of Things might impact us or where the next data breach may lead us, are there housekeeping issues we should address?
As I think about the wealth of new data sources on the horizon, I’m reminded of all the legacy data that marketers have.
What happens when much of your data was collected before Privacy By Design or even before notice and choice became the norm? We can implement all the newest security features. We can apply appropriate rules to new data as it is collected. But what can we do about data assets from the last century?
What we can’t do is to ignore legacy data or assume there are no rules for this data. Much of it is too valuable to simply throw it away, but assuming we keep it, how do we codify the data governance that should apply to this data? What makes sense to me is to attempt to define for our legacy data all the things we know about new data we acquire.
So where do we start?
It’s important to keep track of all your data sources, even those you may not use anymore. If you still have contracts for third-party data, be sure to look for anything that might help you define expectations of use.
This may be the one thing we can know for sure. Was the data collected in such a way that it comes under FCRA, GLBA, HIPAA or COPPA? If so, treat it accordingly.
Limitations Borne of Disclosures
The earliest disclosures I can remember were the general “your data may be used for marketing purposes,” and while it isn’t very detailed, it does set boundaries.
If your data was collected in a survey, warranty, request for information or other collection device with the general “may be used for marketing” disclosure, then you actually know all you need to know about use.
When talking about legacy data, consent is not something we would expect to find, but the consumer may have been offered an opportunity to opt out, and that is something you want to know about your data. Forgetting the debate about pre-checked or unchecked boxes, having given consumers a choice about the use of their data is an important fact.
You can identify use restrictions from regulations, disclosures and contract limitations, but you can also make decisions about use based on point of collection and what a consumer might reasonably expect given the nature of the data. Are you using the data in a way that might surprise or embarrass the consumer? Was the data collected at a time where consumer expectations may have been different from what they are today?
The best thing and the worst thing about legacy data is that there are probably no limitations to retention. That doesn’t mean that we should never purge this data. It does mean that we have to be more disciplined in looking at continued value, balanced against the increased risk of having this data.
Legislators and regulators will sort themselves out soon enough and we’ll have a better idea of what 2015 will bring. In the meantime, what housekeeping could you be doing?