Article 8 of the Charter of Fundamental Rights of the European Union is titled “Protection of personal data”. In it, the Charter outlines how privacy is a fundamental human right:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly. It must be processed for a specified purpose, and the processing requires consent (or other lawful basis) of the person concerned.
- Everyone has the right of access to data which has been collected concerning him or her. They also have the right to have the data rectified.
These principles apply to all data subjects within the EU – citizens and residents alike.
This notion of a “fundamental right” that applies to “data subjects” in the EU sets the table for broad legislative measures such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
In addition to GDPR in the EU, regulation for data protection has emerged all over the world, for example in Brazil, China, California, and Australia.
From a technical marketing viewpoint, you don’t have to be a privacy lawyer to understand the principles of data protection and privacy. In fact, “privacy by design” is a concept you might already have run into when working in the tech world. It’s not a legal phenomenon – instead, it establishes that technology design and privacy design should be married from the very beginning.
As a technical marketer, you’ll work with data all the time. Because of this, you need to understand the principles of privacy design, of data protection, and of data security. These three concepts overlap quite a bit, and they all establish the groundwork for building services and marketing campaigns without infringing on the basic, fundamental rights of end users and customers.
Consider this…
In your online store, you want to improve your ad campaigns’ conversion tracking by sending more data about your users to the ad vendors.
Many of the technologies that ad vendors typically rely on for matching conversions with ads are getting less and less reliable due to regulation and deprecation of browser features. One of the ways in which ad networks fight this is by collecting identifiers from users that can be matched against the advertisers’ own identity stores.
You have been tasked with setting up this collection. When your visitors make a purchase on your site, you’ll collect their email address, hash it, and then forward it to the advertising vendor with the hopes that these email addresses will improve the match rates of the conversions. This way you should get a more reliable understanding of how well your ads are converting.
Now, just stop for a moment and think about what’s about to happen.
- You are collecting an email address from your visitors and sending it to a third party. Some people have had the same email address for 30+ years. It’s extremely sticky as an identifier. Unlike cookies, the visitor can’t just delete their email address if they want to unlink from the advertising vendor’s data store. This is a privacy problem.
- Because the email address is personal data (it relates to an individual human being), you need a lawful basis to collect and send it to the vendor. Typically, this would be consent, where the user is prompted whether it’s OK to collect personal data from them and send it to the vendors. Is the user appropriately informed? What prevents the email address from being misused by the advertiser? Are the data flows transparent so that the visitor can access their data upon request? This is a data protection problem.
- Typically, you are instructed to hash the email address. This means the address is garbled in such a way that it is impossible (with current technology) to reverse it. However, when an advertiser gets an email address that has been hashed with a standard algorithm such as SHA256, they can simply hash all the email addresses in their database with the very same algorithm. That way they’ll know exactly which email address corresponds with the hash. This is a data security problem.
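The matching described in the last point, as an added example that is not part of the original article: a recipient who already holds an address can re-identify its plain SHA-256 digest, while a digest keyed with a secret the recipient lacks cannot be joined. The addresses, the key and all function names are constructed for illustration, and the lower-case/trim normalisation is an assumption about how addresses are prepared before hashing.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    # Assumed preparation step: trim whitespace and lower-case the address.
    return email.strip().lower()


def sha256_email(email: str) -> str:
    # Plain, unkeyed SHA-256: anyone with the same address gets the same digest.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_email(email: str, key: bytes) -> str:
    # HMAC-SHA-256: the digest depends on a secret the recipient does not hold.
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def match(received_digests, known_emails, hash_fn):
    # Recipient side: hash its own address list and join on the digest.
    lookup = {hash_fn(e): e for e in known_emails}
    return {d: lookup[d] for d in received_digests if d in lookup}


# Constructed sample data (not real addresses, not a real key).
PURCHASERS = ["Alice@Example.com ", "bob@example.org", "carol@example.net"]
VENDOR_DB = ["alice@example.com", "bob@example.org", "dave@example.com"]
SITE_KEY = b"constructed-demo-key"


def demo():
    plain = [sha256_email(e) for e in PURCHASERS]
    keyed = [keyed_email(e, SITE_KEY) for e in PURCHASERS]
    # The vendor only knows the public algorithm, so it hashes with plain SHA-256.
    resolved_plain = match(plain, VENDOR_DB, sha256_email)
    resolved_keyed = match(keyed, VENDOR_DB, sha256_email)
    return sorted(resolved_plain.values()), sorted(resolved_keyed.values())


if __name__ == "__main__":
    from_plain, from_keyed = demo()
    print("re-identified from plain SHA-256:", from_plain)
    print("re-identified from keyed digest: ", from_keyed)
```

The keyed digest resists the join only because the recipient lacks the key, which also means the vendor can no longer match conversions with it. A plain hashed email address therefore remains personal data for whoever receives it.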
Sending email addresses to advertisers is an extreme example, but it’s also a very common one these days, unfortunately.
Your job as a technical marketer is to be sensitive to these things. You need to be able to detect when legal consultation is called for, when common sense should prevail, and when the visitor’s basic, fundamental rights are at stake.