
Keys to a Customer-Centric Privacy Experience



Customer relationships have always been at the heart of a successful business.

Companies that craft exceptional customer experiences outperform the market by 107.5%, due to higher revenue and lower expenses. When customers believe a company has been serving them well and made them feel special, over 40% are willing to forgive the occasional mistake.

What Does Customer Experience Mean for Privacy Teams?

Customer service has been the traditional domain of marketing, sales, and support teams, not privacy and security leaders. For the most part, legal, compliance, IT operations, and infosec teams focus on strengthening internal processes, rather than creating an exceptional experience for external customers.

Until now.

The latest privacy laws have made consumer privacy experience a core requirement. Both the EU GDPR and California’s Consumer Privacy Act (CCPA) are designed to bolster consumer understanding and control over how personal data is collected, processed and shared. To achieve compliance, privacy teams now need to consider the end-to-end privacy experience, from the very first touch a customer has with a brand to the potential interactions that may follow.

Communication about data privacy must be fast, friendly and, above all, customer-centric.

Privacy Notices and Preference Centers

Privacy notices and preference centers are critical communication vehicles to build customer trust and understanding. “As companies start to think through their customer preference center and how they are going to address individual rights, having some granular choices that show real transparency is going to be important,” says PwC’s Jocelyn Acqua, an expert on cybersecurity, privacy and regulatory risk.

As soon as your customers visit your website or interact with your product, you have the potential to collect data (including user behavior and preferences) that can become personal information.

At or before the point of data collection, businesses subject to CCPA must notify consumers of categories of personal information collected (bought, rented, obtained, received, or accessed) and the purposes – or potential purposes – for which that information will be used. CCPA doesn’t explicitly say how companies should communicate this information, but guidance from privacy experts provides clear direction.

“A consumer can only truly consent to the collection, use and the sale of their personal information – including the terms of service and privacy policies they readily click to agree to – if they understand what information is being collected,” Mary Stone Ross, co-author of the CCPA initiative, writes in an article for IAPP.

GDPR Shows its Teeth: Enforcement of Transparency Requirements

Recent developments with GDPR underscore the importance of transparency when communicating data privacy information with consumers. At the start of this year, the French Data Protection Authority (CNIL) issued a fine of €50 million against Google for infringing GDPR’s principle of transparency.

Although Google’s information regarding privacy was posted publicly, according to CNIL, it wasn’t sufficiently accessible or understandable to a typical reader. As the finding states, key information was “excessively disseminated across several documents, with buttons and links on which it is required to click … implying sometimes up to 5 or 6 actions.”

TO DO: As European regulators seek ways to show the GDPR has some teeth, review your own privacy communications from the perspective of a first-time visitor seeking information. Is it clear? Can you get what you need?

Data Subject Access Requests (DSAR)

“Data subject access is coming up all the time,” Jocelyn notes. “The question that we’re getting is how to be responsive to customers in an efficient way.”

As a first step, companies need simple ways to receive subject access requests from customers. When they receive them, they also need automated ways to manage the collection of data and get it ready and approved internally. Finally, they need a secure method to efficiently and reliably deliver information back to the requestor.

“Companies need technology to work collaboratively across their enterprise,” explains Jocelyn, so they can streamline the DSAR process internally, ensure accuracy and accelerate response time. If requests take too long to process, customers may wonder about the accuracy of the information and lose trust. Worse, they may share their concerns with others or escalate using the courts.

TO DO: Test your own DSAR process from a customer perspective. How long does it take to process a request? How do you feel about the results?

How Can You Make Your Privacy Interactions with Customers More Human and More Helpful?

We’ve put together recommendations to improve the customer privacy experience with the Ultimate Guide to Data Subject Access Request (DSAR) Management. Get your copy to learn more about privacy portals, DSARs, and CCPA and GDPR requirements for privacy communications.