By Jay Cline, CIPP

If you're in marketing and you want to show you're current on the latest trends involving personal data, slip this in at your next team meeting: "We need to have a point of view on Privacy by Design."

Privacy by design--or PbD for short--has gained more traction lately as the recommended solution for technology companies releasing new products. As marketing and technology increasingly overlap, however, the potential use of PbD in marketing departments is also growing.

Just ask Apple and Google. They recently came under congressional scrutiny for designing smartphone operating systems that didn't fully minimize the use, or ensure the protection, of location-based data. Critics claimed that inserting privacy requirements into the design phase of these systems could have prevented these privacy shortfalls, which created a media frenzy that drowned out their product-marketing campaigns.

This idea of incorporating the fair information principles (see box) into the design requirements for software applications, hardware components and user devices isn't new. Compliance and audit professionals have long preached the virtues of thinking about controls before launching new projects rather than treating them as a more costly afterthought.

About the Fair Information Principles

A 1973 advisory committee to the U.S. Department of Health and Human Services identified the following principles as core to ensuring personal privacy. These principles influenced the development of similar and expanded lists of principles in Canada, Europe, Latin America, Asia and now Africa.

  • Notice - inform individuals about how their data may be collected, retained, secured, used, and disclosed
  • Choice - provide individuals control over secondary uses of their information and minimize the collection, use, and retention of data for primary uses
  • Access - provide individuals a way to review and correct what data has been collected about them
  • Security - maintain the confidentiality and integrity of personal data
  • Enforcement - hold the organization collecting personal data accountable to these principles through internal and external oversight mechanisms

The difference with Privacy by Design is that it has a high-profile champion--Ontario Privacy Commissioner Ann Cavoukian. Although a number of corporate privacy officers were practicing privacy by design before Cavoukian coined the term, she’s been the voice most responsible for formalizing the concept and advancing it with industry and fellow regulators. Cavoukian’s efforts have caught the attention of Forbes, which, in an article this summer, praised Intel, the Graduate Management Admissions Council and Location Labs as early adopters of the PbD approach.

Inside 1to1: PRIVACY caught up with David Hoffman, Intel’s director of security policy and global privacy officer. Hoffman explained that Intel has integrated privacy into its Secure Development Lifecycle (SDL) for product development, new data processing and marketing campaigns. This integration takes the form of assessment and reference documents as well as champions in each business unit who validate the completed assessments.

It’s easy to see how Privacy by Design can help technology companies, but what does Privacy by Design have to do with the marketing agenda?

As marketing campaigns increasingly leverage social media technologies and mobile devices, their chances of making highly visible privacy blunders have also escalated. If marketing departments wait for their IT or legal departments to fully brief them on the privacy aspects of their planned campaigns, they could end up explaining to their executive team why they have been called to appear before Congress.

How can marketing co-opt PbD? Follow these five steps.

1. Change the mindset

If your marketing team views privacy as an obstacle that legal exaggerates, think again. Privacy in the new media is a consumer expectation. Moreover, privacy laws are here because citizen-consumers demanded them.

What's a better mindset? Be curious about the privacy interests of your target audience. Start adding privacy-related questions to your research of target audiences. Tap into this data and use it to your advantage to generate higher engagement and retention. Lead with privacy instead of ducking from it.

2. Build a PIA into your BRD

How do you systematically design to the privacy interests of your target audience and offer them privacy as a service? Convert your target audiences' privacy interests into a "privacy impact assessment" (PIA). A good PIA is a decision-tree-based checklist of questions that asks you how your product or campaign is going to collect, store, use, disclose and destroy personal data. Using a well-crafted PIA based on audience-member research can help you weigh the campaign risks and trade-offs of sharing data with different systems and third parties.

3. Add a micro-notice to that micro-site

One-page micro-sites have become the crossroads of social media marketing campaigns. They're the landing pages for consumers who've clicked on a link, and they bring them one step closer to completing the call to action. For many campaigns, the micro-site is also the first step toward collecting or pre-populating personal data from the audience member. The micro-site becomes a privacy point of interest. If consumers have even the slightest hesitation about the information being asked of them, they could drop out of the process.

Prevent that drop-off by adding a short privacy notice or "micro-notice" to that landing page. Tell the consumer why you need the data you're asking for and that you won't share it with others for marketing purposes, and include a link to your full privacy notice.

4. Create privacy self-service

You've heard of software-as-a-service. Offer your audience members privacy as a service. This could include options such as just-in-time privacy notices, a personal profile and permission-management center, and live chat for privacy questions. Enable consumers to dial up and down the level of frequency for marketing communications instead of just having an all-or-nothing on-off switch. Offering privacy as a defined service level can help you avoid leaving money on the table from consumers who want to micromanage their privacy experience like they do on Facebook.

5. Test and refine

Measuring impact is a daily reality for marketing departments. Spend X dollars on a campaign to generate Y dollars in sales. Privacy's role in improving or worsening your marginal returns shouldn't be overlooked in this measurement process. Run "A/B" tests, where you take one privacy approach with audience segment A and another with audience segment B. Document your findings and lessons learned, and keep them available in a shared area so that your future campaigns can start a leg ahead.

Up until about a year ago, if you announced at a party that your job was data privacy, people would think you tinkered around with computers all day. All that has changed. High-profile privacy debacles have popularized what privacy, or the lack thereof, means to the average person. The question is, will your marketing campaigns take advantage of this development?


Jay Cline, CIPP, is president of Minnesota Privacy Consultants, the winner of the 2010 Privacy Innovation Award for Small Organizations.


