GDPR privacy regulations from the European Union bring new marketing challenges and new marketing opportunities that we review in this 90 minute workshop for the eduWeb Digital Summit conference. Topics include (1) Advertising, (2) Inquiry forms, (3) Email and text marketing, (4) College Board "Student Search" data, and (5) the new California Consumer Privacy Act.
2. Who is Bob Johnson?
Higher education marketing since the 1980s.
Bob Johnson Consulting, LLC since 2006… 87 clients.
Gerry McGovern “Top Tasks” partner at Customer Carewords, Ltd.
“Your Higher Education Marketing Newsletter” monthly to 3,200 subscribers +
“Link of the Week” websites.
Chair of AMA Symposium for the Marketing of Higher Education, 1994-2003.
Twitter: @highedmarketing
LinkedIn: www.linkedin.com/in/bobjohnsonconsulting/
LinkedIn top task group: www.linkedin.com/groups/8478858
BOB JOHNSON CONSULTING, LLC 2
3. What are we doing today?
1. A cartoon to get started.
2. Key GDPR Rules
3. GDPR in the USA
4. Lemons to Lemonade
5. Advertising
6. Inquiry forms
7. Email & text marketing
8. College Board “Student Search” examples
9. And in California
BOB JOHNSON CONSULTING, LLC 3
8. The short term future…
“The major issue is that nobody really understands
the law, or how it should be enforced. It certainly
seems like when the dust settled we'll find a lot of
the GDPR opt-in emails were absolutely unnecessary
and as a result, we could find that it takes some suits
to set precedent before we get some consistency.”
BOB JOHNSON CONSULTING, LLC 8
10. Who does the GDPR affect?
https://www.eugdpr.org/gdpr-faqs.html
“The GDPR not only applies to organisations located
within the EU but it will also apply to organisations located
outside of the EU if they offer goods or services to, or
monitor the behaviour of, EU data subjects.
“It applies to all companies processing and holding the
personal data of data subjects residing in the European
Union, regardless of the company’s location.”
BOB JOHNSON CONSULTING, LLC 10
11. What constitutes personal data?...
“The GDPR applies to ‘personal data’ meaning any
information relating to an identifiable person who can be
directly or indirectly identified in particular by reference to
an identifier.
“This definition provides for a wide range of personal
identifiers to constitute personal data, including name,
identification number, location data or online identifier,
reflecting changes in technology and the way organisations
collect information about people.”
BOB JOHNSON CONSULTING, LLC 11
12. What is the difference between a data
processor and a data controller?
“A controller is the entity that determines the purposes,
conditions and means of the processing of personal data,
while the processor is an entity which processes personal
data on behalf of the controller.”
…ACT, College Board, NRCCUA are “processors”
…Enormous State U & Friendly Private College are
“controllers” when they buy data to recruit
And when running “custom” ads on Facebook, etc.
BOB JOHNSON CONSULTING, LLC 12
13. Do data processors need 'explicit' or
'unambiguous' data subject consent – and what is
the difference?
“The conditions for consent have been strengthened, as companies will
no longer be able to utilise long illegible terms and conditions full of
legalese, as the request for consent must be given in an intelligible and
easily accessible form, with the purpose for data processing attached to
that consent - meaning it must be unambiguous.
“Consent must be clear and distinguishable from other matters and
provided in an intelligible and easily accessible form, using clear and plain
language. It must be as easy to withdraw consent as it is to give it. Explicit
consent is required only for processing sensitive personal data - in this
context, nothing short of “opt in” will suffice. However, for non-sensitive
data, “unambiguous” consent will suffice.”
BOB JOHNSON CONSULTING, LLC 13
14. Right to be Forgotten
https://www.eugdpr.org/key-changes.html
“Also known as Data Erasure, the right to be forgotten entitles
the data subject to have the data controller erase his/her
personal data, cease further dissemination of the data, and
potentially have third parties halt processing of the data.
“The conditions for erasure, as outlined in article 17, include
the data no longer being relevant to original purposes for
processing, or a data subjects withdrawing consent. It should
also be noted that this right requires controllers to compare the
subjects' rights to "the public interest in the availability of the
data" when considering such requests.”
BOB JOHNSON CONSULTING, LLC 14
15. GDPR in the U.S.
BOB JOHNSON CONSULTING, LLC 15
16. COMPLIANCE IN THE U.S.?
If you recruit students in Europe who are citizens of a EU
country for online programs or U.S campuses. Yes.
If you have alumni who are citizens of an E.U. country. Yes.
If you operate campuses overseas located in EU countries
who enroll EU citizens. Yes.
If you do other business in EU countries and collect
personal information in a database. Yes.
If you have faculty & staff who are EU citizens. Yes.
BOB JOHNSON CONSULTING, LLC 16
17. Campus Technology magazine is calling? OMG!
“Several universities have set up working groups to steer
campus efforts on GDPR, but most are in the early stages of
identifying impacted systems and processes, and that fact
seems to make them reluctant to speak about it.
“Campus Technology reached out to five universities that have
GDPR working groups. Two did not respond to requests and the
other three declined to be interviewed about their efforts.”
https://campustechnology.com/articles/2018/05/24/what-gdpr-means-for-us-higher-
education.aspx
BOB JOHNSON CONSULTING, LLC 17
18. But two U.S. universities were ready…
https://www.massachusetts.edu/gdpr... https://www.stfrancis.edu/about/your-right-to-know/online-privacy-policy/
BOB JOHNSON CONSULTING, LLC 18
19. St. Francis GDPR consent form…
https://www.stfrancis.edu/about/your-right-to-know/gdpr-consent-form/
Clear and simple language…
“The purpose of the GDPR is to protect
all EU citizens from privacy and data
breaches by allowing citizens to maintain
control of the personal data kept and
processed by organizations. The GDPR
stipulates that consent to process personal
data must be freely given in an intelligible
and easily accessible form, using clear and
plain language. The form below is for EU
citizens to provide or withdraw consent to
USF to process personal information.”
BOB JOHNSON CONSULTING, LLC 19
21. First reaction to GDPR privacy rules…
BOB JOHNSON CONSULTING, LLC 21
22. Key points (some) marketers hate…
https://live.prolificnorth.co.uk/2018/02/23/comes-gdpr-time-separate-myth-fact/
Explicit consent…
◦ “You need to tell people what you’ll be contacting them about,
how often and in what format.”
Right to be forgotten…
◦ “Individuals have the right to request complete erasure of their
personal information.”
Relevance & accuracy…
◦ “Only collect and store data you actually need.”
BOB JOHNSON CONSULTING, LLC 22
23. Celebrate data security, privacy on one page…
http://www.ligca.org/we-are-gdpr-compliant/
BOB JOHNSON CONSULTING, LLC 23
24. Can both of these be right?
2016 SURVEY RESULT… MARKETERS NOT AFRAID…
BOB JOHNSON CONSULTING, LLC 24
25. Don’t ignore privacy concerns…
https://www.consumerreports.org/privacy/americans-want-more-say-in-privacy-of-personal-data/
BOB JOHNSON CONSULTING, LLC 25
26. Major marketing point… Security + Privacy
People more concerned about data security
than data privacy.
Present GDPR & California compliance with
emphasis on security.
Add ability of people to control how their data
is used.
BOB JOHNSON CONSULTING, LLC 26
29. Retargeting ads…
https://www.criteo.com/insights/industry-wrong-about-gdpr-consent/
Different types of consent allow
different types of ads.
“Explicit consent” required for ads
based on sensitive personal data: name,
race, gender, sex, politics, health
income, etc.
“Unambiguous consent” allows
retargeting ads: “Active behavior from
which consent can be reasonably
concluded. For example, when the
individual continues to browse a
website and thus accepts the use of
cookies to monitor their browsing.”
BOB JOHNSON CONSULTING, LLC 29
30. Facebook custom advertising…
https://www.facebook.com/business/products/ads/ad-targeting
Facebook requires that people in a
database have given consent to use
their data to advertise to them in a
“custom” ad.
For most data controllers, this will
require contacting everyone in a pre-
GDPR database to get permission &
deleting from “custom” advertising
anyone who does not give it.
In future, ask new leads for
permission to do this.
https://www.reshiftmedia.com/gdpr-
facebook-privacy/
BOB JOHNSON CONSULTING, LLC 30
31. Inquiry forms…
GDPR: NEW REASONS TO KEEP FORMS SHORT & SIMPLE
SHORT FORMS = MORE COMPLETIONS
BOB JOHNSON CONSULTING, LLC 31
32. Undergrad vs. graduate inquiry forms…
UNDERGRADUATE INQUIRY DATA… GRADUATE INQUIRY DATA…
BOB JOHNSON CONSULTING, LLC 32
34. At the end of an inquiry form…
http://bit.ly/2O6Nj4X
BOB JOHNSON CONSULTING, LLC 34
35. “Privacy Policy” isn’t very private…
http://bit.ly/2zXyPRF
BOB JOHNSON CONSULTING, LLC 35
36. Email & text marketing…
BOB JOHNSON CONSULTING, LLC 36
37. Target Marketing’s 4 steps to email growth…
http://bit.ly/2NtDLQ5
Hunt Down (and change) Any Stray Pre-checked Forms
Be Clear About the Benefits Subscribers Will Get From
Your Emails (and texts)
Be Equally Transparent About How You Collect, Secure and
Delete User Data
Force Consumers to Choose (with “yes” or “no” options)
BOB JOHNSON CONSULTING, LLC 37
39. College Board “Student
Search” examples…
CB REQUIRES “REASON” FOR OPTING OUT OF STUDENT
SEARCH PROGRAM
BOB JOHNSON CONSULTING, LLC 39
40. Student Search service…
https://collegereadiness.collegeboard.org/about/benefits/student-search-service
Points to note:
◦ “Students… asked if they want to participate.”
◦ “By opting in, they give the College Board
permission to share their names and limited
information with colleges and scholarship
programs looking for students them.”
◦ “Most students opt in to Student Search
Service so they can get information about
more than 1,100 colleges and scholarship
programs without being solicited by
commercial entities.”
◦ “Students say that as much as they like
hearing from colleges they already know, they
really like hearing from colleges they were
previously unfamiliar with.”
BOB JOHNSON CONSULTING, LLC 40
41. Data available for purchase…
https://studentsearch.collegeboard.org/about-your-data
BOB JOHNSON CONSULTING, LLC 41
44. Major points…
You can ask to see whatever data a company has about
you.
You can ask to have your personal data deleted.
You can request that your data never be sold.
Penalty only if an “intentional” mistake, i.e., data breach.
May lead to similar rules in other states… or at national
level.
BOB JOHNSON CONSULTING, LLC 44
45. Differences with GDPR…
https://www.firstsanfranciscopartners.com/blog/california-consumer-
privacy-act-of-2018-vs-gdpr/
Some points to note:
CCPA: individual can sue & be awarded up
to $750 (data bread penalties would
increase).
CCPA: “Clear and conspicuous” home page
link to “Do Not Sell My Personal
Information” page.
CCPA: Data definition includes “inferences”
made from data “to create a profile about a
consumer reflecting the consumer’s
preferences, characteristics, psychological
trends, preferences, predispositions,
behavior, attitudes, intelligence, abilities
and aptitudes.”
BOB JOHNSON CONSULTING, LLC 45
46. Limitations of 2018 CCPA…
https://searchsecurity.techtarget.com/blog/Security-Bytes/Is-the-new-California-
privacy-law-a-domestic-GDPR
Applies to larger organizations…
Annual gross revenues in excess of $25 million
Process information of 50,000 or more consumers, households or
devices
Derive at least 50% of their annual revenues from the sale of
personal information
Changes expected between now and implementation
Passed unanimously to forestall more stringent November
privacy referendum
BOB JOHNSON CONSULTING, LLC 46
48. Take away points going forward…
Organizations will benefit from reducing data collection.
Privacy + security concerns will continue to grow.
In the GDPR world, consumers are more important than
organizations.
Online advertising will continue.
Expect inquiry pools to shrink but to convert at a higher
level.
BOB JOHNSON CONSULTING, LLC 48
49. Thanks for being here in
San Diego!
BOB JOHNSON, PH.D.
BOB@BOBJOHNSONCONSULTING.COM
WWW.BOBJOHNSONCONSULTING.COM
@HIGHEDMARKETING
BOB JOHNSON CONSULTING, LLC ... @HIGHEDMARKETING 49
51. GDPR webinar series for higher ed…
http://bit.ly/2mvBokr
BOB JOHNSON CONSULTING, LLC 51
52. GDPR is good for marketers…
https://www.criteo.com/insights/gdpr-white-paper-criteo/
BOB JOHNSON CONSULTING, LLC 52
53. What is Google doing?
https://adexchanger.com/online-advertising/google-plans-to-join-the-
iab-europe-gdpr-framework-but-the-devil-is-in-the-details/
BOB JOHNSON CONSULTING, LLC 53
55. One month later… 1,300+ complaints
https://www.emarketer.com/content/assessing-gdpr-s-impact-on-its-
one-month-anniversary?ecid=NL1009
BOB JOHNSON CONSULTING, LLC 55
56. ASU “European Union Supplement”…
https://www.asu.edu/privacy/
BOB JOHNSON CONSULTING, LLC 56