Reviewed your distribution list? Check. Provided an opt-out? Check. Purged personal information according the proper timetable? Check.
Marketers may be wary of conducting some of their most traditional activities following the debut of Canada’s new privacy law, the Personal Information Protection
and Electronic Documents Act, this year. That’s why ThinData, a permission-based e-mail campaign developer in Toronto, is trying to help. The Toronto-based firm is offering the Marketer’s PIPEDA Checklist, developed in partnership with Bennett Gold Chartered Accountants and the law firm Lerners LLP. The three lists offer tips to ensure compliance before, during and after a campaign, and are created specifically for e-newsletters, online contests or event registrations.
Wayne Carrigan, ThinData’s vice-president of client strategy, recently spoke to Pipeline about how PIPEDA compliance can become an asset to your business.
Pipeline: When did you realize there was a need for something like the Marketer’s PIPEDA Checklist?
Wayne Carrigan: We’ve been watching PIPEDA for a few years and all the other privacy legislation that’s been going on in Canada, and we watched what happened post-Jan. 1. The government didn’t do a great job of disseminating information to businesses, particularly small businesses. There’s certainly been a grace period allowing businesses to ramp up, but what we saw was the service sector kind of ran out to fill in a gap. All of a sudden the Privacy Institute get created. You’re seeing privacy consulting firms come up, you’re seeing legal offices with a privacy discipline. You’re seeing conferences. As we attended those conferences and we listened to our clients and the agencies out there, we saw that what was missing was a practical guide. Everybody knows the 10 principles, and if you go to the conferences they harp over and over again, “”You must disclose, you must have consent.”” It isn’t helping. Now I know that I need to disclose, but how do I do that? How practically do I do that? We decided people need a simple checklist, something that’s been vetted by someone who understands the marketing and technical aspect — that’s us. They need a lawyer to say, “”Yes, we agree,”” and they need an accountant to agree. That way when they come back and they say, “”We’re going to follow this guideline,”” they don’t have to turn and say, “”What do lawyers think,”” or “”What do the accountants think?””
Pipeline: How exactly do you think the checklists will be used?
WC: It’s to deal with what we call the PIPEDA objections. Marketers within their own organization are dealing with the confusion — “”am I going to break the law, what are the ramifications of this, maybe I should just not do anything for a while and let someone else figure this out”” — so there’s a self-objection based on pure confusion. Then there’s the objection where an agency would be working with a client and they say, “”Look, you should run an online contest,”” or that they should do registration for an event online. Then the client would say, “”No, we can’t do that anymore because of PIPEDA.”” And the fact is that’s just not true. Here is a tool now that agencies can use to educate their clients and overcome that objection, and here’s something that marketers can use within their own organizations to get over their own self-objection. All businesses who were affected Jan. 1 need to realize that they can do everything they were doing before. They just have to do it in a better way.
Pipeline: There are points on the checklists about creating a schedule for when private information should be made anonymous or destroyed. Are there any best practices you’re seeing around how long after a campaign or marketing activity that should happen?
WC: It’s a common-sense rule. How long do you actually believe you need this information, and when are you going to use it? We don’t have a set guideline, but what we recommend to our clients is that you should at least be reviewing your retention policy every six months. We think that’s a wise timeframe.
Pipeline: How much push-back are you seeing from consumers that’s driving PIPEDA compliance?
WC: Their belief in their empowerment that PIPEDA gives them doesn’t outstride what businesses are capable of handling. What’s even more important than making sure you’re following the guidelines is knowing how to communicate to those people that ask. I’ve gotten a personal e-mail where someone has confused CAN-SPAM and PIPEDA. Or, even though not-for-profits aren’t affected by PIPEDA, consumers don’t know that, and if not a not-for-profit doesn’t know how to respond to an inquiry, then I think there’s a real issue. I think you’re going to see people believe they have a right and they’re going to stand up for it, but they’re not going to be necessarily educated on what those rights are. It’s going to be the responsibility of business to clearly communicate what those are.
Pipeline: It’s almost like marketing the privacy as much as marketing your company’s products or services.
WC: We view compliance as just another part of your customer loyalty program. Our clients that are taking privacy and permission marketing very seriously and honouring that and being transparent are seeing better results, higher response rates. People are rewarding organizations that take their privacy seriously and are transparent about the process.
Pipeline: The checklists recommends appointing someone to monitor collection, use and storing of personal information. Who are you seeing taking on that role?
WC: I think that right off the bat, when everyone said you had to appoint a privacy officer, they went to the lawyer or someone in IT. We are seeing a move towards including marketers or other individuals that have access to that data. They’re the ones, at the end of the day, that can answer those questions. They’re the ones that know why they’re collecting and where that information is and how they got it. They can be the quickest to respond. We’re seeing organizations that had one person in charge of privacy starting to add privacy elements or responsibilities to various different people in different departments.
Pipeline: These lists are available off your Web sites, but is there anything else you’ll be doing to promote them?
WC: We’ve had requests from different legal firms to include them in conference materials. We’ve had a lot of organizations reference them in their newsletters. We’re seeing a lot of movement that way. We actually announced the checklist at the AIMS Canada e-mail marketing showcase and then the following day at the Canadian Institute’s online privacy conference last month.
Pipeline: How long before marketers won’t need to refer to checklists like these?
WC: I think there will always be a need. Legislation changes, best practices change, and technology will change. Ontario’s privacy may come out in the next eight months; that’s going to change things. Quebec’s constitutional challenge may change things. At the end of the day, though, all the guidelines are based on the CSA’s privacy guidelines. That’s an international standard, so even if things change, it’s going to be minor. It may be how to police it and what fines, but essentially the principles shouldn’t change. It’s not as important that people know the details of every item on the checklist, as long as they know there is a checklist. Before they communicate with people, before they collect information, they have to consider privacy as an issue. If we can get to that point in the next year or two, we’ve hit that stride, we’ve done our jobs.