“I cried all day.”
That’s what Krystal Phelps of Owasso, OK told The New York Times after she logged into the IRS website to check on the status of her family’s stimulus funds and found that they had already been claimed by a cyber criminal. According to The Times, she and her family are a month away from being unable to pay her mortgage and had cut out everything but the basics, canceling cable and eliminating snacks for the kids. She added, “It is a little relief, and then you find out it isn’t happening.”
As COVID-19 pushes more services online, and as identity theft increases, the issue of consumer data privacy is only becoming more urgent and more relevant. While credit unions don’t typically sell consumer data, they collect a lot of member data and are, of course, subject to data breaches. We believe this issue of data privacy may evolve on a trajectory similar to the application of the Americans with Disabilities Act (ADA) to online technology, becoming a source of frustration, confusion, lawsuits, and internal acrimony as credit unions try to stay ahead of squishy and rapidly evolving trends.
The First Tremors
In the constant alphabet soup that is our lives in the technology and marketing space, you may have heard the first tremors: GDPR, CCPA, TPPA and WPA.*
GDPR was the first major regulation of this kind, but it only applied to EU citizens and those doing business with them, so most credit unions were unaffected. That all changed with California’s CCPA, which went into effect on January 1, 2020 and will start being enforced on July 1, 2020. And CCPA is only the first of a coming wave of consumer regulation, expectations and empowerment around who owns an individual’s data. Is it the companies that collect it, use it, and (sometimes) sell it, or is it the property of the individual? We believe that the answer is not simple, but that credit unions need to be prepared to react to regulations as they are enacted and amended (CCPA has already been amended more than 20 times).
People are going to keep reading articles about their data being stolen and about not being able to do anything about it, and they will get frustrated. The continued publicity will drive ongoing pressure for regulatory change.
Bottom line: You need a plan for how you manage your member data and how to give your members more control over it.
A CCPA Primer
CCPA is a California law that impacts credit unions right now, assuming they have at least 50,000 visits a year (tracked by unique devices visiting your site) from California. It is the first in a wave of similar regulations that, like ADA, will keep growing in strength and complexity. In a nutshell, it says that you have to give consumers the ability to opt out of having their data tracked on your website, including the ability to request that all the data you have collected on them in the past be forgotten.
What kind of data is covered?
Basically, this is any data that could be used to identify the visitor, including ad pixels from Facebook, Google, etc. that are used to serve up targeted ads elsewhere on the internet, email addresses used for email marketing in tools like MailChimp or HubSpot, information in your customer relationship management (CRM) system, and more.
How should I prepare?
Even if you are not in California, you should still make preparations because the regulations will likely soon be extended to many other states or become a national regulation. Here are four basic steps to being prepared so you don’t get caught flat-footed:
1. Consult your legal counsel
2. Do an audit of your current data collection practices and map out what is actually being tracked
3. Create a policy for data collection and consider sharing it on your website
4. Add a tool to your website to let visitors have more control over what data is collected and/or to have their data forgotten
There are a number of tools that we have seen recommended to help with Step #4, including Civic (civiccomputing.com). We are also building our own tool because some of our clients are unhappy with the options that are out there.
Consumer data privacy isn’t an issue any one department can work on: it touches legal, marketing, IT, and compliance. This means that you will need a cross-functional team working on this.
You will want to be thoughtful about adding tools that give visitors more control over their data, because it will make your marketing work harder on multiple levels. You will have lower quality data about what is working and what is not working, and it will be more difficult to personalize messaging to a visitor on your website, emails, and other channels. There are very significant impacts on the quality of website and other marketing analytics when consumers are given the option to opt out of data collection, and we marketers want this data because it is useful. It helps us to create a more relevant and personal experience, as well as to learn about what our audience wants from us.
Like website accessibility, giving your members greater control over their data is the right thing to do, and credit unions can build member trust by being out in front of this and being leaders in ethical data practices.
As the old adage goes, if the product is free… then you are the product. Well, much of the Internet Era has been built on this business model. But consumers are starting to wise up to it, and treating members like a product is the antithesis of the cooperative spirit and principles. So now is our chance to take a leadership position and be there for our members in the way that they expect us to be.
*General Data Protection Regulation for EU citizens, California Consumer Privacy Act, Texas Privacy Protection Act, and Washington Privacy Act, respectively. Only the first two were passed into law… so far.