Shelter from the Privacy Storm
On Monday, Roger talked about the looming storm clouds of California Consumer Protection Act (CCPA.) This new act likely to portend a cluster… munition… for a few reasons:
- Even before the CCPA takes effect on January 1, 2020, there’s already a push to hold a new California referendum calling for even greater regulation. This on the grounds that CCPA is insufficiently draconian. (I probably should have mentioned this, but if you don’t like the Agitator posts where opinion creeps, or stampedes, in, this one may not be the one for you.)
- The push for privacy regulation is increasing in other states. Many of the proposals are potentially contradictory. Some proponents claim that the ultimate privacy right is the right to be forgotten where an organization is required to delete all data they hold on you, at your request. Others focus on “the right to know” what your data is and where it comes from – e.g., how did this organization get my name? Under this type of regulation, an organization would be required to retain all data–and the sources from which it’s acquired, for a certain amount of time.
Given these alternatives the possibilities of contradictory outcomes are endless. North Dakota could say you are required to delete data that South Dakota says you are required to retain. There would be nothing you could do to avoid breaking the law, much like being a Trump Administration official. (rim shot)
The best solution to this would be national bipartisan legislation on privacy that preempts state legislation (seeing as this is interstate commerce). However, given the current U.S. political environment, the near-term likelihood of this is close to my near-term likelihood of winning the Kentucky Derby (Note: I neither have nor am a horse).
It’s important to get up to speed on all of this. So, for the latest on the one new law that’s now on the books –the CCPA– we want to once again recommend the TNPA’s free webinar that will be held later today called Data Privacy. Are you ready?. Registration is free.
AND…it’s just as important we learn from those who have already traveled a bit down this road. That would be our brethren in Europe who have now gone through the first year of the EU’s General Data Protection Regulation (GDPR) that went into effect in May, 2018. The suffering and losses by charities who failed to prepare and test is an object lesson for nonprofits in the U.S.
Yesterday, the Royal National Lifeboat Institution (RNLI) moved back from its stance that it would meet the GDPR by contacting only those who proactively chose to opted-in to receive their communications and appeals. Although RNLI predicted the opt-in move would cost it £35.6 million over a five-year period, they went with it. They actually had a £28.6 million gap (from both reduced income and increased costs) in one-year — 2018 — as the number of opt-in donors who could be contacted fell from 2 million to 500,000.
RNLI was not the only nonprofit flummoxed by GDPR and privacy regulation. (At the time, the Agitator was decrying the lack of foresight and the need for testing opt-in vs opt-out alternatives preparing for the GDPR.
All the flummoxing and confusion came about in large part because the lawyers got involved. So much sturm und drang about how to comply with X law or what Y regulation means. Far too little focus on the good intent behind oft-perplexing laws: 1) giving the donors the opportunity to tell us what they want and 2) then giving it to them.
There is an enormous opportunity in this regulatory morass, the silver lining in privacy regulation cloud: we can use this looming storm as an excuse to focus in on our donors.
As I’ve written in my book, The New Nonprofit (available at Amazon!):
“The picture I hope you are seeing is that government-led permission marketing systems can be messy and operate on artificial timelines. Those not already covered by this regulatory regime give you the advantage of creating your own rubric. For example, you may determine that anyone who has donated to you twice or more by mail should receive mail. You’ll of course give the donor copious clear ways to opt out – by ticking a box, using your app, going to your web site, etc. – and continually checking in with her. But you have a legitimate reason to believe this person wants to receive this communication.
On the other side of the coin, new donors are… well… new. You can start with a clean slate and operate off an entirely permission-based opt-in system for communication media, frequency, and topic preference. Over time, those in the old system will age out of your file and you will have transitioned into an opt-in system gently.
The goal, then, is to start now. You can start small or start big, but the more you meet your donors on their terms with their permission, the more you will raise from them, the more of them you will have, and the more you will differentiate yourself from those who do not.
You want your donors to love you. No good love story happens without mutual consent.”
So how do you get started? The first thing would be to start an Agitator-recommended onboarding that 1) happens immediately– ASAP –after acquisition and 2) asks for four critical things (that I’v now nicknamed ” PICS” ):
- Preferences: how do you want to be communicated with?
- Identity: what is the underlying reason for your gift?
- Commitment: how committed are you to the organization?
- Satisfaction: how was the interaction you just had?
This process starts you down the road to your own data garden. Once you have that, you should be relatively invulnerable to government regulation because the donors’ data were freely given, received, and used.
As part of cultivating your data garden, you’ll need to test your opt-in/opt-out mechanisms and approaches. Roger will cover this more on Friday, using Crisis UK’s example of how testing helped significantly increase the number of people who opted into that organization’s communications.
Suffice it to say, failing to prepare for the coming privacy storm is preparing to fail. HOWEVER…those who use the storm warnings as an opportunity to build more constructive, consent-based relationships with their donors will not only weather the storm but thrive.
Nick