The Federal Trade Commission has confirmed it is investigating Facebook for possible privacy violations, a result of last week’s revelations that Cambridge Analytica used data from 50 million Facebook users to target advertising to potential Trump supporters.
For data-driven email marketers, the Cambridge Analytica and Facebook scandal might appear at first to be a bit of a conundrum.
Email marketers use customer data every day to augment campaigns with personalization, and data drives the most successful digital advertising campaigns due to added relevance. Cambridge Analytica’s use of personal data to target voters on Facebook, and the impact on the 2016 presidential election, may provide an example of how personal data can deliver more successful marketing campaigns.
“As brands develop relationships with their customers, it is not only inevitable, but also desirable that they are listening closely to their customers to help better anticipate their needs and deliver improved products and services,” says Bill Magnuson, CEO & Cofounder of Braze (formerly Appboy).
The difference between personalized email marketing and the Facebook scandal, however, is critical: consent.
Magnuson says that personalized marketing requires the collection, storage, and usage of customer data. For example, retail brands utilize customers’ historical purchase data to deliver email campaigns with recommended purchases that fit subscribers’ interests, and media companies utilize past engagement data to promote more relevant content in their digital ads.
Data should be collected, stored, and used for personalized marketing only to a certain extent, says Magnuson, and only with the prior consent of the customer.
“Brands should be held to a high standard of transparency and accountability in their handling of personal data, and it should never cross the line into the sharing or sale of personal data on groups of customers without their individual consent,” he says.
Email marketers are familiar with the need for customer consent in marketing due to the CAN-SPAM Act in the United States, and other similar email privacy legislation around the world. The problem, however, is that companies currently do not face consequences for the misuse of personal data on newer communications channels like social media.
Until May, that is.
The General Data Protection Regulation (GDPR), set for implementation in the European Union on May 25, clearly outlines how companies can or cannot use personal data, and sets strict rules on how customer data is collected. American companies will need to adhere to GDPR privacy standards for their European customers, regardless of their physical location.
No data can be collected without a customer’s prior consent, per GDPR, and marketers need to clearly outline to customers how their data would be used. Furthermore, customers have a “right to be forgotten,” meaning customers can request a document from any company that outlines what data that company might have on them, and then request that data be edited or deleted.
If the United States had GDPR-like legislation, Facebook would be at fault for how Cambridge Analytica used its data in the Presidential election. GDPR clearly outlines the difference between data processors, like Facebook, and data controllers, their customers like Cambridge Analytica, so that both entities face consequences for either party’s misuse of personal data.
Furthermore, GDPR requires companies to notify customers of any data breach or face financial consequences. Companies that delayed telling consumers about massive data hacks -- like Uber, Equifax, and Yahoo -- would have faced financial fines under GDPR, a warning to other companies like Facebook to get their personal data security and privacy issues in order.
GDPR was approved in 2016 and will be implemented in two months’ time, but Facebook has yet to hire a Data Protection Officer. A current job listing for the position lists GDPR advising, training, monitoring, and compliance among its responsibilities.