How many times have you filled an online form, where the checkbox for “Please send me marketing junk” has been checked by default?
How many times have you seen a consent prompt where the request to deny consent is behind multiple clicks, but to allow consent is on the first layer of the user interface?
How many times have you noticed ads following you around the web, without having accepted this practice in the first place?
These are all examples of services that most likely did not incorporate Privacy by Design (or privacy by default) principles when they were being built.
As a technical marketer, you will often be tasked with designing campaigns and services that need to collect data from your visitors and customers. Understanding Privacy by Design principles will help secure the legal and ethical considerations of this work, but you’ll also quickly find that increased transparency and trust can be competitive advantages.
At its core, Privacy by Design means that “privacy” – the user’s right to have their data protected – is incorporated into service and system designs by default. It’s not just about adhering to legal frameworks like GDPR (EU) and CPRA (California), even if these are important aspects of the principle. It’s also about building trust between the service and its audience.
Don’t miss this fact!
Privacy by Design is more than just abiding by legal regulations and ethical guidelines. It’s also about building services that your users are comfortable using, knowing their data is protected and that preventative measures have been taken to ensure this protection.
Privacy by Design principles
The seven foundational principles of Privacy by Design should guide you when designing services and campaigns in your marketing work.
It’s important to understand that privacy can’t be guaranteed solely by compliance with regulations. It needs proactive design work and embedded privacy practices in the organization as well.
Principle #1: Proactive not reactive; preventative not remedial
When you bake privacy into the technological design of your products and services, you are naturally adopting a preventative approach to privacy.
You are equipped to anticipate and prevent privacy-invasive events before they happen, rather than waiting for privacy risks to materialize.
Principle #2: Privacy as the default setting
Users shouldn’t have to jump through hoops to get privacy settings enabled. Privacy should be opt-out rather than opt-in.
When privacy is the default setting, the user’s privacy is set to the strongest level of protection, whether the user interacts with the settings or not. Privacy is protected across all systems, and across IT and business practices.
Principle #3: Privacy embedded into design
Privacy should be an integral part of the system. This doesn’t mean that the efforts put into privacy should diminish functionality.
“Privacy” should be one of the first topics discussed when designing the site, app, or service. It can’t be introduced as an afterthought – this will be very costly and most likely will suffer from lack of retroactive control.
Software designers often use a “definition of done” to determine when a feature is complete. Privacy should be a central part of that definition – no feature should be deemed complete until it has been validated with a privacy-first mindset.
Principle #4: Full functionality – positive-sum, not zero-sum
Following what was discussed above, privacy should be seen as a positive-sum approach, not zero-sum.
The latter implies that any decisions taken to improve privacy detract from security and other development work on the service.
The former claims that integrating privacy into every design element is a net positive for service development. Privacy is thus considered a competitive advantage rather than a detractor that exists just to satisfy regulations.
Principle #5: End-to-end security – full lifecycle protection
Privacy by Design protects the entire lifecycle of data from collection time to the point when it’s set to be destroyed.
This emphasizes the holistic approach to data processing that Privacy by Design brings in its wake. It would be impossible for a single silo in an organization to handle the full breadth of user data protection – thus Privacy by Design, by nature, is an interdisciplinary effort within the organization.
Principle #6: Visibility and transparency
Data operations should remain visible and transparent to both users and providers. Being open with your users about your privacy policies and procedures helps engender trust.
Much of privacy work revolves around documenting and communicating actions clearly and unambiguously.
However, Privacy by Design is more than just a link to a Privacy Policy – it’s about oozing privacy in all decisions the user is faced with when interacting with your service.
Similarly, you need to make it easy for your users and your possible auditors to review your privacy policies as well as the privacy and security of your systems.
Principle #7: Respect for user privacy – keep it user-centric
Ultimately, Privacy by Design is about respecting user privacy. This is easy to forget when you’re working with systems.
It’s common to get preoccupied with the nuts and bolts of a system, trying to figure out whether you should collect data A or data B to satisfy the business requirements. But Privacy by Design dictates that you need to consider what’s best for the privacy of the user. If this is in conflict with your business design, you will need to pivot the design so that embedding privacy-first principles becomes a net positive rather than a detractor.
Always protect the interests of users by defaulting to strong privacy protections. Make all privacy-related decisions user-friendly and frictionless to implement.
Deep Dive
Privacy by Design checklist
The following list (adapted from the ICO website) includes a range of questions designed to probe you (and your organization) for whether you are following Privacy by Design practices.
It’s not meant to be an exhaustive list, nor is it something that all organizations can follow. However, it should give you an idea of what a privacy-first organization would actively consider when working with service and technology design.
- Are data protection issues part of the design and implementation of systems, services, products, and business practices?
- Is data protection an essential component of the core functionality of your processing systems and services?
- Do you anticipate risks and privacy-invasive events before they occur?
- Do you process only the data that you need for your purposes?
- Do you ensure that data is automatically protected (by default) in any IT system, service, product, and business practice?
- Are you transparent about those responsible for owning data protection processes within your organization?
- Do you strive for a plain language policy in documentation, so that individuals can easily understand what you are doing with their data?
- Do you proactively offer users tools they can use to determine how you are using their data and whether privacy policies are correctly enforced?
- Do you offer strong privacy defaults, user-friendly options and controls, and do you respect the user’s preferences?
- Do you only utilize data processors (such as third-party vendors) that provide sufficient guarantees that they, too, subscribe to Privacy by Design principles?
Privacy by Design in digital marketing
In digital marketing, you’re often working with third-party tools and services.
If these tools and services don’t embed strong privacy protections by default, it will be difficult for you to adopt a Privacy by Design approach in your work as a result.
However, there are certain approaches you can adopt even when working with uncooperative third-party tools.
- Data minimization means that you only collect the data you need. You never collect data just for the sake of collection or just because you can. Every single datum that passes your collection system needs to be collected with a purpose. This not only reduces the risk of data breaches but also builds consumer trust.
- Transparency in data use means that you clearly communicate to your customers how their data will be used.
- Purpose limitation means that you will not use the collected data for any purpose other than the one for which you have a legitimate basis.
- Retention policy sets an expiration date for the data, so that you won’t hold onto it after it’s no longer needed for the purposes your users have agreed with.
- Restricted sharing means that you will not share the data with other parties unless required to satisfy the purposes your users have agreed with.
- Privacy as a user experience (UX) element means that UX design should incorporate privacy considerations, so that users can have agency over their own decisions regarding privacy protections and related settings.
- Ongoing compliance and education means that Privacy by Design is a process that should be constantly evaluated and reworked within your organization. Laws and technologies evolve, and so should your practices.
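
The approaches in this list can be enforced in the collection layer itself, before any third-party tool sees an event. The sketch below is an added example, not code from the handbook or from any vendor: it combines default-denied consent, a per-purpose field allowlist (data minimization and purpose limitation) and an expiry timestamp (retention policy). The purpose names, field names and retention periods are assumptions chosen for illustration.

```javascript
// Added example. Purposes, field names and retention periods are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Purpose limitation: each purpose lists the only fields it may receive
// and how long those fields are kept.
const PURPOSES = {
  analytics: { fields: ["page_path", "referrer_host"], retentionDays: 30 },
  marketing: { fields: ["page_path", "campaign_id"], retentionDays: 90 },
};

// Privacy by default: every purpose starts denied until the user allows it.
function createConsentState() {
  const state = {};
  for (const purpose of Object.keys(PURPOSES)) state[purpose] = false;
  return state;
}

// Returns the record to store for one purpose, or null if nothing may be kept.
function buildRecord(purpose, rawEvent, consent, now = Date.now()) {
  const policy = PURPOSES[purpose];
  if (!policy) return null;                    // undeclared purpose
  if (consent[purpose] !== true) return null;  // no positive consent
  const data = {};
  for (const field of policy.fields) {         // data minimization: allowlist
    if (Object.prototype.hasOwnProperty.call(rawEvent, field)) {
      data[field] = rawEvent[field];
    }
  }
  return { purpose, data, expiresAt: now + policy.retentionDays * DAY_MS };
}

// Retention policy: keep only records that have not reached their expiry.
function purgeExpired(records, now = Date.now()) {
  return records.filter((record) => record.expiresAt > now);
}

// Constructed sample event, carrying more than any purpose needs.
const sampleEvent = {
  page_path: "/pricing", referrer_host: "example.org",
  campaign_id: "spring-sale", ip_address: "203.0.113.7", user_agent: "UA/1.0",
};

const consent = createConsentState();
console.log(buildRecord("analytics", sampleEvent, consent)); // null: denied by default
consent.analytics = true;                                    // user allows analytics only
console.log(buildRecord("analytics", sampleEvent, consent).data);
console.log(buildRecord("marketing", sampleEvent, consent)); // null: still denied
```

Because the allowlist names what may be kept rather than what must be dropped, a new field added to the event later (here `ip_address` or `user_agent`) is excluded until someone ties it to a purpose.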
Following these approaches means that you might ultimately need to switch third-party service providers in case their offering conflicts with Privacy by Design principles.
Luckily, these days almost all data-related practices have a host of vendors to choose from. It’s also possible that communicating your privacy concerns clearly to vendors whose services lack the required features might be just enough to prioritize privacy design in future iterations of these services.
As a technical marketer, treat Privacy by Design as more than just a compliance checklist.
It’s a philosophy that governs all of your actions when working with users and their data. It’s not just about laws and regulations – it’s also about a shift to a more ethical and user-centric approach to marketing in general.
Privacy by Design can be more than just a regulatory necessity. It can be a strategic asset. Your brand can use Privacy by Design to differentiate as one that values and protects its customers’ privacy.
This is one of the strongest messages you can push in this era of data overuse and misuse.
Key takeaway #1: Privacy by default
Privacy by Design is predicated on the notion that privacy should be incorporated in system and service design from the very beginning. It’s just as vital a part of design as any other part of the development process. It also encompasses the idea of “privacy by default”. When designing a feature, it should be designed so that privacy is ensured by default. Privacy needs to be opt-out rather than opt-in.
Key takeaway #2: Seven principles guiding Privacy by Design
Privacy design should be preventative, not remedial. Privacy should be “on” by default, and it should be embedded into the design process. Privacy should not compromise functionality – it should add to it. Privacy design should cover the full lifecycle of data; data operations should be visible and transparent; and users’ interests and rights should always be protected.
Key takeaway #3: When working with data, ask yourself these
Did you collect the right amount (data minimization principle)? Are you retaining it for the right amount of time? Are you using it solely for agreed purposes? Are you communicating its use transparently? If you research these questions before taking on any new data-related endeavor, you can support Privacy by Design in your organization’s data systems.