David J Evans of the Information Commissioner's Office explains how to avoid legal and reputational damage when collecting and using consumer information from social networks.
2010 has proven to be the year that the implications of the carefree sharing of personal information began to dawn on many users. The days of posting with wild abandon in a supposedly consequence-free environment are over. Now the topic of privacy is hardly out of the headlines.
Facebook was forced into a u-turn over its privacy settings as concerned users revolted. Google has hardly been out of the news for its approach to personal information. Newspaper reports of social media monitoring technologies have further stoked public outrage. And as recently as last week, Google boss Eric Schmidt warned people to give greater thought to the consequences of posting so much personal information about themselves online.
Businesses, meanwhile, find themselves conflicted. With so much information in the public domain, there are great benefits to be had. Private sector, public sector and non-profits alike could all use social media data to identify new customers or target products to existing ones. Services such as Rapleaf mine social networks, forums, blogs and review sites for public information, which they then use to help clients better understand their customers and personalise their experience. Social media monitoring tools are being deployed by an increasing number of firms as they seek to identify and address customer service grievances being aired on social platforms.
But with privacy such an incendiary issue, the risk of backlash is huge. Monitoring social networks is interpreted by some as spying. Mining social network data is viewed with suspicion. Many organisations are concerned that even the most well-intentioned actions involving the use of public information on social networks could be deemed inappropriate. And with the regulatory landscape continuing to adapt to the new channel, there are of course also legal issues to take into consideration.
All of these issues were reflected last month by the UK’s Information Commissioner, Christopher Graham, when he appealed to businesses, charities and public bodies to ensure they follow best practice when dealing with consumers’ personal information.
"The benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience. But there are risks too. A record of our online activity can reveal our most personal interests," said Graham. "Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO."
The eight principles
Anyone who processes personal information must comply with eight principles, according to the Information Commissioner's Office. Organisations must make sure that personal information is:
- Fairly and lawfully processed
- Processed for specified purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with consumer rights (including the right to prevent processing for direct marketing)
- Not transferred to other countries without adequate protection
MyCustomer.com spoke with the ICO’s Group Manager for Business and Industry, David J Evans, to elaborate on some of the principles and provide more detailed advice on the appropriate collection and use of data from social networks.
Be transparent about collection and use
"If an organisation doesn’t plan things properly then they could end up breaking the law," explains Evans. "One important part of the law is the ‘expectation rule’. This is a rule in data protection that you must collect and use information about people fairly, and an important element of this is ensuring that they know what they are getting into when they give you their data.
"We have a code of practice for any organisation about what they should tell people before they collect data about them. It is about privacy notice and fair processing and all those bits which we used to call ‘small print’ which we hope is less small these days. It should explain who you are, the data you need to do what the user wants you to do for them, and how you are going to use it. If you go beyond people’s expectations or mislead them then that is when there is a danger of breaking the law. Furthermore, users won’t trust you again. And that is where compliance with the law is good business sense in terms of explaining what you are doing with people’s data, particularly online where people may not have a detailed appreciation of all the wonderful things that businesses can do with it."
The data should be processed for appropriate purposes
"One of the things that businesses often forget is that people put information on the internet for a reason. That reason is often purely social – keeping in touch with friends, arranging nights out, whatever it might be. As soon as an organisation collects that information and uses it for their purposes, people start to think ‘that’s not why it’s there!’ This links to one of the fundamental principles of data protection which is about limiting the purpose for which information is used. Information has been put in the public domain by an individual who has certain expectations about how it will be used and why people might see it.
"Organisations have to be sensitive as to what the platform is for so that they don’t leap in without first thinking why people are using it, and whether they would be happy if the company suddenly got in touch with them based on the information that they have been posting online. A lot of good practice is around trying to make an informed judgement about people’s expectations. Companies are often very good at doing that because that is why they have got loyal customers – they are good at working out what customers want. However, sometimes social media is viewed as this big pot that you can dip in without thinking about all the things you would normally think about in terms of your customers or potential customers. Businesses will often shy away from making aggressive sales calls because it doesn’t work as people get annoyed and find them intrusive. Well actually in terms of social networking platforms, you’ll end up doing the same thing if you think that users are fair game just because they are on the internet.
"Taking the attitude that everyone who puts something online is fair game just because they have wiped away their privacy rights is not going to work. People won’t accept that."
Be sensitive to the type of data you are collecting
"If it is via a company website then the law would expect the business to provide information so that users can make an informed choice about how much information to pass over. However, where an organisation is using a social networking platform, where users are using it for their own purposes, then things are slightly more difficult.
"Obviously if the social platform offers people a way of keeping things more private or less public then clearly companies need to respect where somebody is deliberately taking steps to ensure that only their friends, for instance, can see something. We have heard examples of companies pretending to be a friend in order to collect information and obviously that is far less likely to be acceptable than using information which has been made public.
"Another issue related to the nature of the information is that if somebody has made public something that may be particularly sensitive then just because it is public it doesn’t mean that it is OK for a company to use it. Obviously here we are thinking about the fact that people often make information public relating to their health or their marital status, for instance. There is a need to address each different type of information according to the risk of invading someone’s privacy. In terms of social media we place a lot of emphasis on advising users to make sure they understand what the privacy settings are to ensure that they are aware of how to keep things as private as possible where they wish to. However, sometimes people forget and people will divulge information that is perhaps more sensitive than they would want out in the public. Where people make those mistakes we advise organisations to ensure that they are not exploiting that."
Keep customer contact in mind
"If a company wants to email me, there are rules in the privacy and electronic communications regulation around how they can contact me. If, for example, they want to send me an email, they can only do so with my prior consent or if they have collected it in the course of a burgeoning relationship with me as a potential customer. Now clearly if they have harvested my email address from my Facebook profile, that is not going to fall into either of those categories so an email will be out of bounds.
"Businesses need to think about how they are going to collect the data from people in such a way that they would expect further contact from the firm. The difficulty of using social media would be the fact that the user hasn’t had a direct contact with that company, therefore if they collect the user’s email address it is going to be very difficult for them to use it legally."
"Marketers must clarify which third parties have access to data and also ensure that any information held unnecessarily is disposed of securely.
"The guidance in our two codes of practice on privacy notices and collecting information online is generally about being upfront with people. Explain to them what you are doing with their data and make sure that where you give them a choice, it is a meaningful choice, not simply all or nothing – either you give us all this data or you can’t use our tool or website. It is really just about being open with people and saying ‘we are going to collect this data, we are going to use it for these purposes, and these are the choices you have’.
"Clearly companies are spending a lot of time and effort and putting a lot of expertise into these great marketing campaigns. But they also need to spend just as much time working out how they are going to get this right and ensure they don’t go beyond the expectations of individuals."