The Privacy Thing
No, we're not talking Private Parts here.
This is the next of a series of Taber Reports excerpted from my
upcoming Addison-Wesley book on Salesforce.com best practices.
Today's excerpt covers one of my favorite marketing conundrums: personal
data, opting-in, and the right way to market in this low-trust world we live in.
I'm hoping that you'll find areas
in this one that I'm dead wrong about! Please email me with feedback where you think I'm full of it.
Through vigorous debate, the ideas will get even stronger. The best
argument of the month wins a prize.
Let's Start with the basics
We all get spammed, and everybody hates it. Yet marketing list brokers
continue to do a land-office business selling email addresses and other personal
information. In the US, email is supposed to be CAN-SPAM compliant,
and violations can carry a $10,000 fine per incident.
Yet reputable companies accidentally send out non-compliant mail all the time. The core
CAN-SPAM requirements are:
- The originator's email address must be genuine, and the domain non-obfuscated.
- The mail needs to contain the physical address and phone number of the sender.
- The recipient must be given at least one way to opt-out of future mailings, and that method must actually work.
- The mail must be sent with some sort of explicit permission from the recipient (there's some wiggle-room here).
I need to emphasize that I am not a lawyer, I do not
dispense legal advice, and no reader should make decisions based on the
information in this mail without consulting their attorney. Yes, my
attorney made me say that.
The real issue -- of law, and in a very different
context of marketing -- is "do you have the recipient's permission?" Tough
issue that causes amazing gnashing of teeth.
The gold standard in this area is double opt-in.
Double opt-in lists contain the names of people who initially opted in during
registration,
saying they were interested in receiving emails on this topic -- and then were
explicitly opted-in again. The double opt-in list means that the person
has declared interest in hearing from vendors on a topic, and these lists will
have higher yield than any other type (except, of course, your own company's
mailing list). Of course, there are a lot of poseurs
in the double opt-in area, so the quality of lists varies by topic and by age.
The area of opt-in lists has become so important that
many email blasting firms will kick you off their system if they suspect that
your list has not been recently refreshed with opt-ins: the metrics they
use are bounce rate and unsubscribe rate, each a powerful indicator of a
substandard list.
The fancier stuff
But exactly how you do the opt-in is pretty
important: different techniques yield different results. The purists
say that opt-ins need to be explicit, with check-boxes on your web
registration form, un-checked by default. The
re-opt-in should be done in a similar manner, where the user needs to take
positive action to indicate their permission.
Even better is to have a personal profile page for
each user, where they can check their preferences for types of mail, delivery
methods, subject areas. In other words, clearly indicating subtleties
beyond brute-force "opt in." But don't overdo it: you don't want a
registration page that's 3000 pixels long.
While this is ideal, it seems a bit much for my
taste. But here's an important point: it is a matter of
taste...and make sure you're not too far off your audience's tastes.
I can live with opt-in boxes that are checked by
default, because the user clearly has the option of un-checking the box.
I can go even further, no explicit check-box on the
registration form but a clear opt-in notification message. This is only
acceptable if the user is told clearly that filling out this form is a
de facto opt-in to a mailing list, and that their recourse is to not fill out
the registration form.
Likewise if they fill out additional information (in a
progressive registration sequence) and they are told that filling out that info
update form is tantamount to another opt in, I'm OK.
Of course, if you are going to be this loose in your
opt-in criteria, you also need to provide more than one way to opt out:
not just the opt-out link in emails, but an opt-out link on your website and
(even better) a profile editor on the web site that allows them to know what
their opt-in status is and change it to meet their needs.
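The double opt-in sequence described above (form submission, then a second explicit confirmation) together with an opt-out that really removes the address, as an added example that is not part of the original report. The signing key, the address book, and the seven-day confirmation window are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed signing key for this example; a real deployment keeps it out of source control.
SECRET = b"example-signing-key"


class MailingList:
    def __init__(self):
        self.pending = {}      # email -> (topic, issued_at): submitted, not yet confirmed
        self.subscribers = {}  # email -> {"topic": ..., "opted_in_at": ...}: confirmed twice

    def _token(self, email, topic, issued_at):
        # The confirmation link carries an HMAC so only the address owner can confirm.
        msg = f"{email}|{topic}|{issued_at}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email, topic, now):
        """Step 1: the user ticked the (un-checked by default) box. Nothing is mailed
        except a confirmation request; the returned token goes into that link."""
        self.pending[email] = (topic, now)
        return self._token(email, topic, now)

    def confirm(self, email, token, now, max_age=7 * 24 * 3600):
        """Step 2: the second, positive action. Only a valid, unexpired token activates the address."""
        if email not in self.pending:
            return False
        topic, issued_at = self.pending[email]
        if now - issued_at > max_age:
            return False
        if not hmac.compare_digest(token, self._token(email, topic, issued_at)):
            return False
        del self.pending[email]
        self.subscribers[email] = {"topic": topic, "opted_in_at": now}
        return True

    def unsubscribe(self, email):
        """Opt-out must actually work: removal is immediate and also clears a pending confirmation."""
        self.pending.pop(email, None)
        return self.subscribers.pop(email, None) is not None

    def recipients(self, topic):
        """Only doubly-confirmed addresses ever receive a mailing on the topic."""
        return sorted(e for e, s in self.subscribers.items() if s["topic"] == topic)
```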
Sharing data, selling data
There can be little tolerance here. If you
never told the user that you'd be sharing their name with (or worse, selling it
to) others, you are way, way over the line if you let the data out to someone else.
If you gave people the choice, and they were stupid enough to give you
permission to share their contact info with others, go for it. But very
few people fail this particular IQ test.
Storing data, processing data.
Most of us don't think twice about where we store or
share our users' data, particularly in this SaaS world. But you'll start to think real hard about it when you
have your first security breach, with thousands
or millions of names being compromised.
You need to think about it even sooner than that:
if you are collecting the names and personal information of Europeans, there's a
specific regulation you are probably breaking right now.
EC Directive (95/46/EC Chapter IV)
is a 13-year-old law that effectively requires European citizens' personal information to be
processed and stored within the European Union. Like all laws, it is open to
interpretation – and the most rabid interpretation would make much of electronic
commerce and marketing nearly impossible.
The good news is that there are several strategies to comply with the law’s
requirements. The first is simply to store all of the EC customer data within
servers located in Europe. This can be done by either storing all your
marketing lists only in European servers, or by partitioning your customer base and
storing only the European customers in servers in the EC. Neither
of these approaches will cost much, but will
involve some interesting complexities in implementation and operations.
Here's the rub: you have to do the same strategy for any hosted services (e.g.,
email blasters, Salesforce.com, etc.) that hold customers' personal information.
The second strategy is to store only a fragment of the personal data within
the US and the rest within a European data processing facility. The first
step to this approach – which isn’t a bad idea in any case – is to document
which customers’ information needs to be viewed and manipulated by which
specific users. It is possible that the data that’s actually needed by
your people is narrow enough that it doesn't hit the EC's definition of private customer data. Using this strategy, the
protected personal identifiers – names or emails – would
be stored within Europe (for example, in a database, an Exchange contact folder, an LDAP
directory, or an email blasting service there), and the data stored in the US would hold only a
cross-reference number to that personal data.
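The second strategy above, as an added example that is not the report's own code: personal identifiers are kept in a stand-in for the European store, the US copy of each record holds only an opaque cross-reference number plus non-identifying business data, and segmentation runs entirely on the US side. The sample customers and the choice of name and email as the protected fields are constructed for this example.

```python
import secrets

# Constructed sample records for the example; the country/segment fields stand in for marketing data.
EU_CUSTOMERS = [
    {"name": "Anna Example", "email": "anna@example.eu", "country": "DE", "segment": "enterprise"},
    {"name": "Bo Example", "email": "bo@example.eu", "country": "FR", "segment": "smb"},
]

PROTECTED_FIELDS = {"name", "email"}  # the identifiers this example keeps in Europe


class EuVault:
    """Stands in for the Europe-hosted store (a database, LDAP directory, or contact folder)."""

    def __init__(self):
        self._records = {}

    def store(self, record):
        ref = secrets.token_hex(8)  # random, so the reference reveals nothing about the person
        self._records[ref] = {k: record[k] for k in PROTECTED_FIELDS}
        return ref

    def resolve(self, ref):
        return self._records[ref]


def partition(records, vault):
    """Identifiers go to the vault; the US row keeps the reference and the non-identifying fields."""
    us_rows = []
    for rec in records:
        us_row = {k: v for k, v in rec.items() if k not in PROTECTED_FIELDS}
        us_row["eu_ref"] = vault.store(rec)
        us_rows.append(us_row)
    return us_rows


def leaks_identifiers(us_rows):
    """Check to run before replicating the US copy anywhere: no protected field may be present."""
    return any(PROTECTED_FIELDS & set(row) for row in us_rows)


def select_for_campaign(us_rows, segment):
    """Marketing work done in the US sees only reference numbers, never names or emails."""
    return [row["eu_ref"] for row in us_rows if row["segment"] == segment]


def render_addresses(refs, vault):
    """Resolution back to an email address happens on the European side, at send time."""
    return [vault.resolve(r)["email"] for r in refs]
```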
The third strategy is to file waivers (“safe harbor policy statements”) via your
internal legal counsel. The process can be quite involved, but is done regularly
by global companies. Since other systems inside your company may have dealt
with this issue in the past, extending your company’s existing waivers to
the marketing servers
should be a relatively procedural matter.
The fourth strategy is to have your lawyers include specific permission to
process personal information outside the EC as part of all your European
contracts, registration forms, and non-disclosure agreements. The idea here is
to
specifically ask European users for permission to process and store their
personal information outside the EC. If you get the person’s “unambiguous
permission,” either before they provide their personal information or as part of
subsequent email / re-registration cycles, you
should be able to avoid almost all of this regulation.
Finally, if you are a Business-to-Business
marketing and selling organization, you should also have your lawyers argue that you
aren’t collecting personal information for “a natural person:” you are not
collecting the personal information such as home phone and private email. You
are typically dealing with business contact information (e.g., their business
phone and email address). In this context, your lawyers may be able to argue
that the regulation is moot.
Who Cares about the Law? It's the Customer Reaction You Have to Look Out For!
Despite all the legalisms of these privacy and
anti-spam laws, the real issue is at the core of marketing: why are you
doing anything that would piss off your customers? Pay attention to the
needs and desires of the audience you're trying to get to, and you're going to
be doing the right things.
It's not the end of the world if you send
one-too-many emails, or if you seed your mailing list with people who really
weren't opted in. But if you're going to take these high-customer-risk actions,
you've got to be sublimely sensitive and responsive to the desires of your
audience:
- Only send them information that's relevant to their interests (Don't know? Don't send it.)
- Do not have a pushy call to action
- Make it super easy to get off the list, and make sure the opt-out really works.
If you're going into these higher risk email
behaviors, you might even consider starting your mail off with something like,
"we're sorry to bother you with this, but our records indicated that you might
be interested."
The Life of a Lead -- chapter excerpt coming in July
Contents
copyright 2008 by DOTnet Consulting, Inc., all rights reserved.
All trademarks and graphics are the property of their respective owners.
Feel free to forward or syndicate this report, but you must include this copyright notice.
Somebody Brilliant™ is a trademark of DOTnet Consulting, referring to its
principal.
This newsletter was mailed to you because our records show that you asked to receive
it.
Click here to opt-out of future newsletters, although that will make us feel very sad.