We have all been on the receiving end of unwanted cold calls, silent calls and spam. It is more than a nuisance, and for some people it has caused significant distress. For those of us who take not only legal and regulatory issues seriously but also ethics seriously, it seems surprising that so many businesses continue to make unwarranted marketing calls and communications with consumers and businesses. However, we all need to double check that our own marketing teams are not inadvertently committing the same misdemeanors!
Many countries have strict rules about cold calling and spam, and even when you outsource your e-marketing, you remain liable for inappropriate calls and contacts. The Federal Trade Commission and regulators in Canada, Hong Kong, Singapore, UK and Europe have been active in the past year in levying enforcements and fines against a wide variety of companies that unlawfully trade in personal data (data brokers), collect personal information without consent and abuse the privacy of individuals by unwarranted cold calls, “robo-calls” and spam.
So what should we all be thinking about and putting in place now to minimize risk?
Well, let’s go back to basics. In most jurisdictions, if you are processing personal information, then you need to comply with relevant privacy and marketing laws when you collect, store and share personal data. This means you need to be transparent with individuals about what data you collect from them, whether they willingly give it to you or you willingly take it. So we need plain language privacy statements, clear cookie statements and innovative permission-based marketing practices.
Data protection and e-marketing compliance is more than a tick the box exercise and as the European Data Protection Supervisor recently said “Companies and other organisations that invest a lot of effort into finding innovative ways to make use of personal data should use the same innovative mind-set when implementing data protection principles”
So we need to take control of how we collect personal information, how we get permission to use such information, how we retain and re-use such data, how we manage cross-border data transfers of such data and finally how we outsource the processing of such personal data to third parties.
Unless we can provide an audit trail that legitimizes all personal data that we are processing, then in terms of compliance any databases we use are not worth the paper they are not written on!