Getting data privacy right when it’s too easy to get wrong

Screen+Shot+2019-03-28+at+8.46.46+AM.jpg

There have been several recent developments aimed at protecting customer data and privacy, including the implementation of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and newer “opt-in” and “just-in-time” requirements. But how data is collected and used continues to be of paramount concern for customers and brands alike.

And the headlines continue to permeate mainstream media channels. A social media giant stored users' passwords in plaintext (making them susceptible to theft). A leading tech company included a built-in microphone in a home security system, then neglected to inform customers (scary!). Every other day, it seems, we’re alerted to another real-life privacy/security/breach/hack story.

Now Mailchimp and Shopify are the latest brands at the centre of data privacy scrutiny. The companies have unequivocally “broken up” – Mailchimp asked Shopify to remove its app integration from the Shopify marketplace due to growing concerns around Shopify’s updated terms of service. Those new terms would require Mailchimp to hand over customer data acquired outside of Shopify.

Meanwhile, Shopify is also citing data privacy concerns, indicating that merchants are entitled to any data captured on their behalf, and that Mailchimp failed to respect Shopify’s terms of the new agreement. It appears neither company is interested in backing down from their claims against the other, and it remains to be seen if a compromise can be worked out in the future.

It begs the question: In the quest for big data, how can companies remain profitable while protecting the privacy of the very customers they’re collecting data on? Well, there are some key takeaways for brands looking to develop their own data privacy strategies:

Put the customer at the centre of your strategy. This is often easier said than done, but it’s crucial in order to be successful and build a trusting, loyal customer base. Implementing privacy by design – that is, having the highest privacy settings by default – is a good first step. When designing new products and services, care should be taken do encrypt sensitive customer information to help protect data (such as customer’s identities, passwords and payment information) in the event of a hack. And users should be able to easily access and export their data, if or when they so choose. The bottom line is this -- considering the customer’s best interests, and sticking to that commitment at every step, will help mitigate concerns over privacy and potential data breaches.

And in the case of two or more partners who cannot agree on what it means to protect the customer’s privacy – or if each partner firmly believes their respective measures have the customer’s best interests top of mind – then perhaps an amicable breakup is the best path forward for everyone involved.

Be transparent with users and partners. There should be no question about the kinds of data collected – and why they’re collected – when users access a website or purchase a product online.

A clearly defined user agreement should be visible when accessing any website. Are you asking for a customer’s address or birth date? Clearly explain why you’re requesting the data, and what the benefit is to the company versus the user, and what the user can (and can’t) expect by providing various degrees of their personal information.

This mentality must extend to partner agreements as well. When working with third parties, it’s equally important to clearly define your objectives and expectations, including what kinds of data you are requesting are shared. That way, if or when differences do arise, it will be much simpler to find common ground.

Establish an ethical code of conduct. Every company needs to understand what “appropriate data usage” means for them. For instance, will data be deleted after a certain period of time? Will only the data required for the original purpose be collected? These are just a couple of sample questions to be asked, and then defined, in an ethical code of conduct. Without one, you run the risk of making data collection subject to interpretation by different employees and partners, which could have potentially negative consequences for the brand, not to mention lasting reputational damage. Leaning on IT professionals in the organization to clarify the organization’s approach to data usage, along with local and national regulations, and demanding every employee do the right thing and uphold the code of ethics, should be part of any robust privacy strategy.

At the end of the day, companies that want to differentiate themselves over the long term would be wise to move beyond compliance when implementing their data privacy programs and consider ways to be proactive, strategic and customer-centric. Otherwise, they risk alienating the very users whose data they depend upon.