They used to say that when America sneezes, Europe catches cold. But when it comes to privacy and data protection, the germs seem to be going the other way.
State privacy legislation, often a vote-winning tactic, has spread widely. Now it seems that legislation with national U.S. coverage has been proposed for the first time, in the shape of the Personal Data Privacy and Security Act of 2005, which is designed to prevent the kind of large-scale personal data thefts that have hit the headlines in recent months. To me, a law that includes criminal penalties for identity theft, limitations to the buying and selling of Social Security numbers and a requirement for customers to be informed if the security of their personal data may have been breached is not too far from what we have in Europe. So what lessons can be learned from the European experience, and is this infection likely to be fatal?
Don’t defend the indefensible. The U.S. direct marketing industry already bears the scars of the national do-not-call debacle. In Britain, 44 percent of the residential population is registered with the Telephone Preference Service, and signups are still escalating. Why? Widespread abuse of the medium and the menace of silent calls have led to 67 percent disapproval from consumers who simply have had enough. Even the most silken of lobbyists would find it hard to argue against that one.
A law based on broad principles is easier to work with. If the principles reflect good database practices, this is eminently preferable to proscriptive detailed regulations. Let the business, through its industry association, interpret the law and introduce self-regulation to implement it.
Lobby hard to limit the legislative scope so that it cures real ills. Most European data protection legislation covers business-to-business communications as well as business-to-consumer. Can’t businesspeople look after themselves as they do under the more recent e-mail legislation? Britain so far is the only (or maybe the first) country to have a Corporate Telephone Preference Service. Is that really necessary?
Engage with the regulator. In countries like Britain where a constant dialogue exists with the data protection regulator, DMers have negotiated more freedom. By contrast, the Italian regulator is being taken to court by the industry to challenge a strict interpretation of what is already a very strict law.
Whatever the outcome for U.S. direct marketers of the current legislation, there are basic tenets of good privacy practice that can be applied now to dealings with customers and prospects. In general, these are about respecting individuals’ wishes, offering choice and being straight about data use. This is probably not a bad way to improve your image as well as your return on investment.
So maybe the privacy germs will do your business good. European marketers have sneezed a bit over the past 20 years, but very few healthy companies have died as a result of data protection.