GDPR: New Privacy Rules, Digital Communications, Marketing Opportunities

GDPR:
New Privacy Rules, Digital
Communications, Marketing
Opportunities©RobertE.Johnson,Ph.D.2018
BOB JOHNSON, PH.D.
EDUWEB DIGITAL SUMMIT
SAN DIEGO, CA: JULY 23-25, 2018
BOB JOHNSON CONSULTING, LLC 1

Who is Bob Johnson?
Higher education marketing since the 1980s.
Bob Johnson Consulting, LLC since 2006… 87 clients.
Gerry McGovern “Top Tasks” partner at Customer Carewords, Ltd.
“Your Higher Education Marketing Newsletter” monthly to 3,200 subscribers +
“Link of the Week” websites.
Chair of AMA Symposium for the Marketing of Higher Education, 1994-2003.
Twitter: @highedmarketing
LinkedIn: www.linkedin.com/in/bobjohnsonconsulting/
LinkedIn top task group: www.linkedin.com/groups/8478858

What are we doing today?
1. A cartoon to get started.
2. Key GDPR Rules
3. GDPR in the USA
4. Lemons to Lemonade
5. Advertising
6. Inquiry forms
7. Email & text marketing
8. College Board “Student Search” examples
9. And in California

Europe first, then California…
https://www.eugdpr.org/.... https://www.caprivacy.org/

Immediate reactions…
http://bit.ly/2L4FGOi

Immediate reactions…
http://bit.ly/2mv8L6Z

The short term future…
“The major issue is that nobody really understands
the law, or how it should be enforced. It certainly
seems like when the dust settled we'll find a lot of
the GDPR opt-in emails were absolutely unnecessary
and as a result, we could find that it takes some suits
to set precedent before we get some consistency.”

Key GDPR rules…

Who does the GDPR affect?
https://www.eugdpr.org/gdpr-faqs.html
“The GDPR not only applies to organisations located
within the EU but it will also apply to organisations located
outside of the EU if they offer goods or services to, or
monitor the behaviour of, EU data subjects.
“It applies to all companies processing and holding the
personal data of data subjects residing in the European
Union, regardless of the company’s location.”

What constitutes personal data?...
“The GDPR applies to ‘personal data’ meaning any
information relating to an identifiable person who can be
directly or indirectly identified in particular by reference to
an identifier.
“This definition provides for a wide range of personal
identifiers to constitute personal data, including name,
identification number, location data or online identifier,
reflecting changes in technology and the way organisations
collect information about people.”

What is the difference between a data
processor and a data controller?
“A controller is the entity that determines the purposes,
conditions and means of the processing of personal data,
while the processor is an entity which processes personal
data on behalf of the controller.”
…ACT, College Board, NRCCUA are “processors”
…Enormous State U & Friendly Private College are
“controllers” when they buy data to recruit
And when running “custom” ads on Facebook, etc.

Do data processors need 'explicit' or
'unambiguous' data subject consent – and what is
the difference?
“The conditions for consent have been strengthened, as companies will
no longer be able to utilise long illegible terms and conditions full of
legalese, as the request for consent must be given in an intelligible and
easily accessible form, with the purpose for data processing attached to
that consent - meaning it must be unambiguous.
“Consent must be clear and distinguishable from other matters and
provided in an intelligible and easily accessible form, using clear and plain
language. It must be as easy to withdraw consent as it is to give it. Explicit
consent is required only for processing sensitive personal data - in this
context, nothing short of “opt in” will suffice. However, for non-sensitive
data, “unambiguous” consent will suffice.”

Right to be Forgotten
https://www.eugdpr.org/key-changes.html
“Also known as Data Erasure, the right to be forgotten entitles
the data subject to have the data controller erase his/her
personal data, cease further dissemination of the data, and
potentially have third parties halt processing of the data.
“The conditions for erasure, as outlined in article 17, include
the data no longer being relevant to original purposes for
processing, or a data subjects withdrawing consent. It should
also be noted that this right requires controllers to compare the
subjects' rights to "the public interest in the availability of the
data" when considering such requests.”

GDPR in the U.S.

COMPLIANCE IN THE U.S.?
If you recruit students in Europe who are citizens of a EU
country for online programs or U.S campuses. Yes.
If you have alumni who are citizens of an E.U. country. Yes.
If you operate campuses overseas located in EU countries
who enroll EU citizens. Yes.
If you do other business in EU countries and collect
personal information in a database. Yes.
If you have faculty & staff who are EU citizens. Yes.

Campus Technology magazine is calling? OMG!
“Several universities have set up working groups to steer
campus efforts on GDPR, but most are in the early stages of
identifying impacted systems and processes, and that fact
seems to make them reluctant to speak about it.
“Campus Technology reached out to five universities that have
GDPR working groups. Two did not respond to requests and the
other three declined to be interviewed about their efforts.”
https://campustechnology.com/articles/2018/05/24/what-gdpr-means-for-us-higher-
education.aspx

But two U.S. universities were ready…
https://www.massachusetts.edu/gdpr... https://www.stfrancis.edu/about/your-right-to-know/online-privacy-policy/

St. Francis GDPR consent form…
https://www.stfrancis.edu/about/your-right-to-know/gdpr-consent-form/
Clear and simple language…
“The purpose of the GDPR is to protect
all EU citizens from privacy and data
breaches by allowing citizens to maintain
control of the personal data kept and
processed by organizations. The GDPR
stipulates that consent to process personal
data must be freely given in an intelligible
and easily accessible form, using clear and
plain language. The form below is for EU
citizens to provide or withdraw consent to
USF to process personal information.”

Lemons to lemonade…

First reaction to GDPR privacy rules…

Key points (some) marketers hate…
https://live.prolificnorth.co.uk/2018/02/23/comes-gdpr-time-separate-myth-fact/
Explicit consent…
◦ “You need to tell people what you’ll be contacting them about,
how often and in what format.”
Right to be forgotten…
◦ “Individuals have the right to request complete erasure of their
personal information.”
Relevance & accuracy…
◦ “Only collect and store data you actually need.”

Celebrate data security, privacy on one page…
http://www.ligca.org/we-are-gdpr-compliant/

Can both of these be right?
2016 SURVEY RESULT… MARKETERS NOT AFRAID…

Don’t ignore privacy concerns…
https://www.consumerreports.org/privacy/americans-want-more-say-in-privacy-of-personal-data/

Major marketing point… Security + Privacy
People more concerned about data security
than data privacy.
Present GDPR & California compliance with
emphasis on security.
Add ability of people to control how their data
is used.

Advertising…

Personalization decreasing…
https://digiday.com/media/personalization-diminished-gdpr-era-
contextual-targeting-making-comeback/
Audience-based advertising: relies
on personal data known about
people targeted to received ads.
Agencies now wary of this because
of difficulty of proving consent.
Contextual advertising:
advertising based on where people
visit online. TripAdvisor or CarGurus
ads do not require personal data.

Retargeting ads…
https://www.criteo.com/insights/industry-wrong-about-gdpr-consent/
Different types of consent allow
different types of ads.
“Explicit consent” required for ads
based on sensitive personal data: name,
race, gender, sex, politics, health
income, etc.
“Unambiguous consent” allows
retargeting ads: “Active behavior from
which consent can be reasonably
concluded. For example, when the
individual continues to browse a
website and thus accepts the use of
cookies to monitor their browsing.”

Facebook custom advertising…
https://www.facebook.com/business/products/ads/ad-targeting
Facebook requires that people in a
database have given consent to use
their data to advertise to them in a
“custom” ad.
For most data controllers, this will
require contacting everyone in a pre-
GDPR database to get permission &
deleting from “custom” advertising
anyone who does not give it.
In future, ask new leads for
permission to do this.
https://www.reshiftmedia.com/gdpr-
facebook-privacy/

Inquiry forms…
GDPR: NEW REASONS TO KEEP FORMS SHORT & SIMPLE
SHORT FORMS = MORE COMPLETIONS

Undergrad vs. graduate inquiry forms…
UNDERGRADUATE INQUIRY DATA… GRADUATE INQUIRY DATA…

Suspicious 3rd party “opt out” activity…

At the end of an inquiry form…
http://bit.ly/2O6Nj4X

“Privacy Policy” isn’t very private…
http://bit.ly/2zXyPRF

Email & text marketing…

Target Marketing’s 4 steps to email growth…
http://bit.ly/2NtDLQ5
Hunt Down (and change) Any Stray Pre-checked Forms
Be Clear About the Benefits Subscribers Will Get From
Your Emails (and texts)
Be Equally Transparent About How You Collect, Secure and
Delete User Data
Force Consumers to Choose (with “yes” or “no” options)

Target Marketing recommendation…
https://www.typeform.com/

College Board “Student
Search” examples…
CB REQUIRES “REASON” FOR OPTING OUT OF STUDENT
SEARCH PROGRAM

Student Search service…
https://collegereadiness.collegeboard.org/about/benefits/student-search-service
Points to note:
◦ “Students… asked if they want to participate.”
◦ “By opting in, they give the College Board
permission to share their names and limited
information with colleges and scholarship
programs looking for students them.”
◦ “Most students opt in to Student Search
Service so they can get information about
more than 1,100 colleges and scholarship
programs without being solicited by
commercial entities.”
◦ “Students say that as much as they like
hearing from colleges they already know, they
really like hearing from colleges they were
previously unfamiliar with.”

Data available for purchase…
https://studentsearch.collegeboard.org/about-your-data

Opt-out requirements…
https://studentsearch.collegeboard.org/opt-out

And in California…
January 2020 start
 CALIFORNIA CONSUMER PRIVACY ACT

Major points…
You can ask to see whatever data a company has about
you.
You can ask to have your personal data deleted.
You can request that your data never be sold.
Penalty only if an “intentional” mistake, i.e., data breach.
May lead to similar rules in other states… or at national
level.

Differences with GDPR…
https://www.firstsanfranciscopartners.com/blog/california-consumer-
privacy-act-of-2018-vs-gdpr/
Some points to note:
CCPA: individual can sue & be awarded up
to $750 (data bread penalties would
increase).
CCPA: “Clear and conspicuous” home page
link to “Do Not Sell My Personal
Information” page.
CCPA: Data definition includes “inferences”
made from data “to create a profile about a
consumer reflecting the consumer’s
preferences, characteristics, psychological
trends, preferences, predispositions,
behavior, attitudes, intelligence, abilities
and aptitudes.”

Limitations of 2018 CCPA…
https://searchsecurity.techtarget.com/blog/Security-Bytes/Is-the-new-California-
privacy-law-a-domestic-GDPR
Applies to larger organizations…
Annual gross revenues in excess of $25 million
Process information of 50,000 or more consumers, households or
devices
Derive at least 50% of their annual revenues from the sale of
personal information
Changes expected between now and implementation
Passed unanimously to forestall more stringent November
privacy referendum

Wrapping up…

Take away points going forward…
Organizations will benefit from reducing data collection.
Privacy + security concerns will continue to grow.
In the GDPR world, consumers are more important than
organizations.
Online advertising will continue.
Expect inquiry pools to shrink but to convert at a higher
level.

Thanks for being here in
San Diego!
BOB JOHNSON, PH.D.
BOB@BOBJOHNSONCONSULTING.COM
WWW.BOBJOHNSONCONSULTING.COM
@HIGHEDMARKETING
BOB JOHNSON CONSULTING, LLC ... @HIGHEDMARKETING 49

Resources…

GDPR webinar series for higher ed…
http://bit.ly/2mvBokr

GDPR is good for marketers…
https://www.criteo.com/insights/gdpr-white-paper-criteo/

What is Google doing?
https://adexchanger.com/online-advertising/google-plans-to-join-the-
iab-europe-gdpr-framework-but-the-devil-is-in-the-details/

Facebook and GDPR…
https://www.facebook.com/business/gdpr

One month later… 1,300+ complaints
https://www.emarketer.com/content/assessing-gdpr-s-impact-on-its-
one-month-anniversary?ecid=NL1009

ASU “European Union Supplement”…
https://www.asu.edu/privacy/

GDPR: New Privacy Rules, Digital Communications, Marketing Opportunities

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à GDPR: New Privacy Rules, Digital Communications, Marketing Opportunities

Similaire à GDPR: New Privacy Rules, Digital Communications, Marketing Opportunities (20)

Plus de Bob Johnson, Ph.D.

Plus de Bob Johnson, Ph.D. (20)

Dernier

Dernier (20)

GDPR: New Privacy Rules, Digital Communications, Marketing Opportunities