Social listening and privacy: How can brands maintain consumer confidence?

Privacy is an incendiary issue. And while social media is a public environment, when brands involve themselves in this domain the risk of backlash is huge.

Even though the days of hysteria over social listening programmes are long gone, the monitoring of social networks is still interpreted by some as spying. Mining social network data is viewed with suspicion. Many organisations are concerned that even the most well-intentioned actions involving the use of public information on social networks could be deemed inappropriate. 

So how can brands ensure they don't overstep the mark when using social listening tools?

The simple fact is that if brands get privacy right, they can retain the trust and confidence of their customers and users. But mislead consumers or collect information they don’t need and they are likely to diminish customer trust and face enforcement action from privacy watchdogs.

In the UK, this watchdog is the Information Commissioner's Office (ICO). And it is from the ICO that brands can garner some valuable advice on how to ensure that brands can retain consumer confidence in social listening practices. 

The eight principles

Anyone who processes personal information must comply with eight principles, according to the Information Commissioner's Office. Organisations must make sure that personal information is:

1. Fairly and lawfully processed
2. Processed for specified purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for longer than is necessary
6. Processed in line with consumer rights (including the right to prevent processing for direct marketing) 
7. Secure
8. Not transferred to other countries without adequate protection

Be transparent about collection and use

Unless your company has robust plans in place, it could end up breaking the law. One important part of data protection law to be aware of is the ‘expectation rule’. This is designed to ensure that organisations collect and use information about people fairly. And a key part of complying with this is ensuring that people know what they are getting into when they give you their data.

The ICO has a code of practice to guide organisations with what they should tell people before they collect their data. This concerns privacy notice and fair processing and everything relating to ‘small print’ - which should be less small these days! This should explain who you are, the data you need to do what the user wants you to do for them, and how you are going to use it.

Remember, if you go beyond people’s expectations or mislead them then not only is there a danger of breaking the law but users won’t trust you again. 

The data should be processed for appropriate purposes

People put information on the internet for many reasons, and often that reason is purely social - for instance, keeping in touch with friends or arranging nights out. If organisations collect that information and use it for their own ends, consumers can get upset because that was not why they posted it. Therefore, one of the fundamental principles of data protection is limiting the purpose for which information is used. Information has been put in the public domain by an individual who has certain expectations about how it will be used and why people might see it.

Organisations have to be sensitive as to what the platform is for so that they don’t leap in without first thinking why people are using it, and whether they would be happy if the company contacted them based on the information that they have been posting. A lot of good practice is around trying to make an informed judgement about people’s expectations. Companies are often very good at doing that because that is why they have got loyal customers – and they are good at working out what customers want.

But social media mustn't be viewed as a bottomless pot of information that can be plundered without thinking about all the usual things that businesses consider in terms of customers or potential customers. For instance, in the offline world, businesses often shy away from making aggressive sales calls because it doesn’t work as people get annoyed and find them intrusive. But you can do exactly the same on social networks, by making the misconception that users are fair game just because they are on the internet.

Taking the attitude that everyone who puts something online is a potential target just because they have wiped away their privacy rights is not going to work. People won’t accept that.

Be sensitive to the type of data you are collecting

When it comes to company websites, the law expects the business to provide information so that users can make an informed choice about how much information to share. However, where an organisation is using a social network where users are using it for their own purposes, then things are more complex.

Obviously if the social platform offers people a way of keeping things more private or less public then companies need to respect where somebody is deliberately taking steps to ensure that only their friends, for instance, can see something. Unfortunately, there are examples of unscrupulous companies pretending to be a friend in order to collect information - something that is clearly less likely to be acceptable than using information which has been made public.

Another issue to consider is that just because somebody has made some information public, it doesn’t mean that it is OK for a company to use it. For instance, people often make information public relating to their health or their marital status. Therefore, there is a need to address each different type of information according to the risk of invading someone’s privacy.

Companies should ensure they understand what the privacy settings are, so that they are aware of how to keep things as private as possible where they wish to. However, sometimes people forget and people will divulge information that is perhaps more sensitive than they would want out in the public. Where people make those mistakes, organisations must ensure that they are not exploiting them.

Keep customer contact in mind

If a company wants to email a customer, there are rules in the ICO's privacy and electronic communications regulation regarding how they can contact them. If, for example, they want to send the customer an email, they can only do so with his/her prior consent or if they have collected it in the course of a burgeoning relationship with the person as a potential customer. Clearly, if they have harvested the email address from his/her Facebook profile, that is not going to fall into either of those categories so an email will be out of bounds.

Businesses need to think about how they are going to collect the data from people in such a way that they would expect further contact from the firm. The difficulty of using social media is that the user hasn’t had a direct contact with that company, therefore if they collect the user’s email address it is going to be very difficult for them to use it legally.

Final advice

Marketers must clarify which third parties have access to data and also ensure that any information held unnecessarily is disposed of securely.

The guidance in the ICO's two codes of practice on privacy notices and collecting information online is generally about being upfront with people. Explain to them what you are doing with their data and make sure that where you give them a choice, it is a meaningful choice - not simply all or nothing such as "either you give us all this data or you can’t use our tool/website". Ultimately, it is about being open with people and saying "we are going to collect this data, we are going to use it for these purposes, and these are the choices you have".

Clearly companies are spending a lot of time and effort and putting a lot of expertise into these great marketing campaigns. But they also need to spend just as much time working out how they are going to get this right and ensure they don’t go beyond the expectations of individuals.