
By Jay Cline, CIPP

If you're in marketing and you want to show you're current on the latest trends involving personal data, slip this in at your next team meeting: "We need to have a point of view on Privacy by Design."

Privacy by design--or PbD for short--has gained more traction lately as the recommended solution for technology companies releasing new products. As marketing and technology increasingly overlap, however, the potential use of PbD in marketing departments is also growing.

Just ask Apple and Google. They recently came under congressional scrutiny for designing smartphone operating systems that didn't fully minimize the use, or ensure the protection, of location-based data. Critics claimed that inserting privacy requirements into the design phase of these systems could have prevented these privacy shortfalls, which created a media frenzy that drowned out their product-marketing campaigns.

This idea of incorporating the fair information principles (see box) into the design requirements for software applications, hardware components and user devices isn't new. Compliance and audit professionals have long preached the virtues of thinking about controls before launching new projects instead of as a more costly afterthought. 

About the Fair Information Principles

A 1973 advisory committee to the U.S. Department of Health and Human Services identified the following principles as core to ensuring personal privacy. These principles influenced the development of similar and expanded lists of principles in Canada, Europe, Latin America, Asia and now Africa.

  • Notice - inform individuals about how their data may be collected, retained, secured, used, and disclosed
  • Choice - provide individuals control over secondary uses of their information and minimize the collection, use, and retention of data for primary uses
  • Access - provide individuals a way to review and correct what data has been collected about them
  • Security - maintain the confidentiality and integrity of personal data
  • Enforcement - hold the organization collecting personal data accountable to these principles through internal and external oversight mechanisms

The difference with Privacy by Design is it has a high-profile champion--Ontario Privacy Commissioner Ann Cavoukian. Although a number of corporate privacy officers were practicing privacy by design before Cavoukian coined the term, she’s been the voice most responsible for formalizing the concept and advancing it with industry and fellow regulators. Cavoukian’s efforts have caught the attention of Forbes, which, in an article this summer, praised Intel, the Graduate Management Admissions Council and Location Labs as early adopters of the PbD approach.

Inside 1to1: PRIVACY caught up with David Hoffman, Intel’s director of security policy and global privacy officer. Hoffman explained that Intel has integrated privacy into its Secure Development Lifecycle (SDL) for product development, new data processing and marketing campaigns. This integration takes the form of assessment and reference documents as well as champions in each business unit who validate the completed assessments.

It’s easy to see how Privacy by Design can help technology companies, but what does Privacy by Design have to do with the marketing agenda?

As marketing campaigns increasingly leverage social media technologies and mobile devices, their chances of making highly visible privacy blunders have also escalated. If marketing departments wait for their IT or legal departments to fully brief them on the privacy aspects of their planned campaigns, they could end up explaining to their executive team why they have been called to appear before Congress.

How can marketing co-opt PbD? Follow these five steps.

1. Change the mindset

If your marketing team views privacy as an obstacle that legal exaggerates, think again. Privacy in the new media is a consumer expectation. Moreover, privacy laws are here because citizen-consumers demanded them.

What's a better mindset? Be curious about the privacy interests of your target audience. Start adding privacy-related questions to your research of target audiences. Tap into this data and use it to your advantage to generate higher engagement and retention. Lead with privacy instead of ducking from it.

2. Build a PIA into your BRD

How do you systematically design to the privacy interests of your target audience and offer them privacy as a service? Convert your target audiences' privacy interests into a "privacy impact assessment" (PIA). A good PIA is a decision-tree-based checklist of questions that asks you how your product or campaign is going to collect, store, use, disclose and destroy personal data. Using a well-crafted PIA based on audience-member research can help you weigh the campaign risks and trade-offs of sharing data with different systems and third parties.

3. Add a micro-notice to that micro-site

One-page micro-sites have become the crossroads of social media marketing campaigns. They're the landing pages for consumers who've clicked on a link, and they bring them one step closer to completing the call to action. For many campaigns, the micro-site is also the first step toward collecting or pre-populating personal data from the audience member. The micro-site becomes a privacy point of interest. If consumers have even the slightest hesitation about the information being asked of them, they could drop out of the process.

Prevent that drop-off by adding a short privacy notice or "micro-notice" to that landing page. Tell the consumer why you need the data you're asking for and that you won't share it with others for marketing purposes, and include a link to your full privacy notice.

4. Create privacy self-service

You've heard of software-as-a-service. Offer your audience members privacy as a service. This could include options such as just-in-time privacy notices, a personal profile and permission-management center, and live chat for privacy questions. Enable consumers to dial up and down the level of frequency for marketing communications instead of just having an all-or-nothing on-off switch. Offering privacy as a defined service level can help you avoid leaving money on the table from consumers who want to micromanage their privacy experience like they do on Facebook.

5. Test and refine

Measuring impact is a daily reality for marketing departments. Spend X dollars on a campaign to generate Y dollars in sales. Privacy's role in improving or worsening your marginal returns shouldn't be overlooked in this measurement process. Run "A/B" tests, where you take one privacy approach with audience segment A and another with audience segment B. Document your findings and lessons learned, and keep them available in a shared area so that your future campaigns can start a leg ahead.

Up until about a year ago, if you announced at a party that your job was data privacy, people would think you tinkered around with computers all day. All that has changed. High-profile privacy debacles have popularized what privacy, or the lack thereof, means to the average person. The question is, will your marketing campaigns take advantage of this development?


Jay Cline, CIPP, is president of Minnesota Privacy Consultants, the winner of the 2010 Privacy Innovation Award for Small Organizations.



Read more by Jay Cline:

Inching toward consensus: A roundup of U.S. privacy legislation
Broadening definitions of personal data portend greater scope of concern for privacy offices

GMAC: Navigating EU approval for advanced biometrics
IBM's Privacy Strategy: Trust Enables Innovation
Privacy and the Pharma Chain of Trust
Xcel Energy: Building privacy into the smart grid
Creating a privacy gameplan for your social media strategy
Privacy Consent Glossary
Opt In Or Opt Out For Global Direct Marketing?
Ubiquitous Identification Series: Will Other Countries Join the Canadian Debate Over the Privacy of Public Records?
Best Buy: Using Privacy Awareness to Build Customer Centricity


