Among all the accepted norms that are being transformed by COVID-19 pandemic, the role of data in society stands out. It’s clearer than ever that the availability of data, or its lack, is a decisive factor in combating viral spread. And so the pandemic is disrupting years of momentum to restrict the collection and flow of data in the name of privacy and security, most notably with laws such as GDPR and CCPA.
There is so much confusion about what companies can do with data that The European Data Protection Board (EDPB) issued the following statement:
“…the GDPR provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject.”
Although the need for such clarification seems self-evident, concerns about secondary uses and adequate security abound. Even in the midst of a pandemic crisis, these concerns are playing out most visibly in the news media:
- The Washington Post reported on Tuesday that the US government is in “active talks” with tech companies including Facebook and Google about using location data they collect from users to map the spread of the virus or predict future outbreak areas.
- The Post quotes Ashkan Soltani, a former Federal Trade Commission chief technologist who covered the Snowden revelations as a journalist: “Privacy is the first to go when there are national security issues.”
- Google’s involvement in developing a screening web site triggered five Senators to voice concerns about the arrangement.
- And recent news about Israel’s plans to use what the NT Times termed a “secret trove of cellphone data” to help track the coronavirus has also sparked intense discussions about the legal and ethical implications of data collection in the face of a viral outbreak.
Closer to home, marketers are asking how these controversies will shape policies toward data privacy in marketing. On one side, there is legitimate concern that ad tech companies and data providers will exploit data privacy exceptions to further their own economic interests through manipulative advertising and unmoderated data sales. On the other, there’s a growing recognition that excessive restrictions on data flow and retention can also cause harm by impeding tactical response in a crisis and hampering innovation.
So what should marketers do about all this? I’d suggest three things.
First, recognize that data about your customers can reveal opportunities to help them in a crisis with timely information and services. Second, organizations, data providers and advocacy groups must take a fresh look at the GDPR’s principle of “purpose limitation” (Article 5) and “public interest” exceptions (Article 89). And third, consumer anxiety and distrust put more emphasis than ever on transparency and security of personal data.
On the first point, the US Chamber of Commerce has assembled an inspiring list of examples of how companies are communicating with customers about coronavirus. A few examples:
- Marriott hotels informed their customers about new policies to address visit flexibility and cleaning standards.
- UPS has responded to concerns by providing customers with important updates on its service availability and sanitation.
- Walgreens has made several policy changes to help customers, including “waiving delivery fees for all eligible prescriptions,” starting free delivery on products from Walgreens.com, and creating “purchase limits on certain products” to make sure more people can buy essentials.
Whatever your business, finding ways to help customers in distress is rarely a bad idea. And whatever marketing purpose you may have collected data for, using it now to identify customer needs you may be able to fulfill can be a transformative opportunity. While the desire to say something to customers feels pressing, make sure you’re saying something differentiated, vital and relevant to their situation rather than just adding to the noise in their inbox. (See Augie Ray’s blog post.)
This leads to the second point about rethinking the balance between data minimization—a fundamental principle of the GDPR—and public interest opportunities that may be realized by retaining data for purposes other than those for which it was originally collected. Before COVID-19, it might have seemed absurd to imagine that retaining data like web analytics and mobile app usage could serve a “public interest” but now the clues such data might provide about individuals’ circumstances and vulnerabilities may be grounds to rethink automatic deletion. Organizations need to rely on legal advice to make this judgement. Still, considering recent events, it’s worth brushing up on the language of the GDPR, which emphasizes specific safeguards for these cases, and reassessing data retention policies in light of circumstances.
Which in turn brings up the third point. The best way to improve customer relations is to win the trust of your customers so they’ll be comfortable with your data collection policies, and the best way to do that is by being as transparent as possible about them. This means committing to giving individuals visibility and control over their information. Gartner recently published a Market Guide for Subject Rights Request Automation (subscription required) to help organizations build interactive privacy centers to support these transparency initiatives.
Along with transparency goes security to prevent the kinds of mishaps that can erase trust in an instant. Too often marketers and infosec professionals inhabit different silos within their organizations. Now is good time to build bridges. Working from home we may not be able have a chat over lunch, but organizing a conversation thread to discuss these topics might be even more productive.