Collecting Sales Data While Staying In Line With The Law

October 29, 2015 Leah Hamilton

Most countries around the world have some form of data privacy legislation in place, and most of this legislation covers not just the use of that data, but any dealings with it, which includes collection. Any time you collect the data of an individual person, particularly for marketing purposes, sales purposes, analysis, or tracking, you’ll likely need to comply with this legislation.

When using Datanyze, you collect publicly available information; however, if you collect information in other ways, such as through web forms or lead-gen marketing, you need to be aware of these privacy laws.

Let’s take a look at some of the different privacy laws around the world, what they require, and how to make sure that you comply. Compliance is, for the most part simple, and with a few steps such as becoming aware of your legal obligations, setting up a privacy policy, and displaying that privacy policy clearly on your website or in your software, you’ll be collecting data in line with the law.

Privacy Law In The US vs. The EU

Flag

Image: US vs. EU (information intersection)

First let’s take a look at privacy laws in two of the major jurisdictions you may be based in: the United States and the European Union. If you are based in the UK, don’t worry: UK law follows EU law, so those two can be examined together.

There are a number of large differences between US and EU law, but your compliance measures should be the same for both, particularly if you have an international client or user base.

At a high level, EU law is strict and broad, while US law is patchy and weak. The only general data privacy law that the US has in place is a state law rather than a federal law: the California Online Privacy Protection Act of 2003.

The California Online Privacy Protection Act

The California Online Privacy Protection Act only applies when you are the operator of a commercial website, and you are dealing with the data of individual consumers residing in California.

This Act requires that your Privacy Policy must be conspicuously displayed on your website, and must detail:

  • The kinds of information gathered;
  • How the information may be shared with other parties;
  • How you respond to “do not track” requests;
  • The process the user can follow to review and make changes to the information you have on them; and
  • The policy's effective date and a description of any changes since then.

Even if you are based outside of California, if your website collects the data of individuals in California, you must comply with the above law. If you have any American customers, consider the fact that some of them may be from California and it may be prudent to comply with the above requirements.

The EU Data Protection Directive

In contrast, EU law is covered by the EU Data Protection Directive. Later this year (2015), it is expected that the Data Protection Directive will be replaced by the Data Protection Regulation, but this is not currently in force yet. We’ll take a look at what the current law is, as many of the rules in the Directive will stay the same under the Regulation.

Under the EU Data Protection Directive, when your website or software is collecting or processing "personal information" you need to comply. You may be collecting information when customers or potential customers fill in their information on a lead-gen landing page for example, and then you process that data when you store it and use it later.

Personal information is any information that could identify an individual (can include information on its own - e.g. name, email address), or information in combination with other information, (e.g. IP address, physical address, product key). For the purposes of the Directive, "personal information" includes "any information relating to an identified or identifiable natural person". This could be:

  • User’s location
  • Contacts
  • Unique device identifiers (such as mobile numbers)
  • Identity of the data subject
  • Identity of the phone (name of the device)
  • Credit card and banking data
  • Call logs
  • Text messages, emails, or other forms of messaging
  • Browsing history
  • Pictures and videos
  • Biometrics data

The Directive requires that if you are collecting this "personal information", and you are an EU-based company (i.e. if you have a business based in the EU, or a branch office, or your company is incorporated there), then there are a number of principles and criteria under the Directive that you need to comply with. For instance, you should:

  • Identify who is collecting the data (you);
  • Notify your users of what information you are collecting, and why;
  • Ensure that all data collection is collected only for specified, explicit and legitimate purposes;
  • Ensure that any data collected is adequate, relevant and not excessive;
  • Ensure that data collected is accurate;
  • Allow users to view what data you hold on them and allow them to change or update it;
  • Notify your users of who else can view the data you hold on them; and
  • Keep the data safe and secure.

To do this, the best way is to set up a comprehensive Privacy Policy and display it on your website or in your software.

Let’s take a look at what your Privacy Policy needs to cover. We’ve already looked above at what the California Online Privacy Protection Act requires, but as EU law requires a little more. We’ll go over what a comprehensive policy would cover that would be compliant with both jurisdictions.

Setting Up A Privacy Policy

A Privacy Policy is easy to set up, either by writing it yourself, using a lawyer, or using an online generator. However you create it, you need to ensure that it covers everything required by the laws that apply to you and your business.

To comply with the US and EU laws that we outlined above, your Privacy Policy needs to cover:

  • What types of information you will be collecting;
  • How you will protect and store the information;
  • How you will respond to “do not track” requests (you can hyperlink to another policy if you wish);
  • What you will do with that information and in what circumstances you will release it;
  • How the customer can review the information you hold on them;
  • How the customer can change or delete that information;
  • The policy's effective date and a description of any changes since then; and
  • Dispute resolution information if your customer wants to lay a complaint or raise an issue.

How To Display Your Privacy Policy

The best way to display your Privacy Policy to make sure you get agreement to it - is to use Clickwrap boxes on all web forms on your website, or use pop-ups in your software installation process. Clickwrap is a method of getting legally binding agreement to your legal documents. It means that the user has actually clicked "I Agree" to the Terms of Use and Privacy Policy or shown that they explicitly agree in some way.

Here’s an example of Clickwrap from PayPal during the user sign-up process:

paypal consent user agreement privacy policy

Image: PayPal Clickwrap agreement 

Here’s another example for use on web forms:

Form Assembly Clickwrap Tick Box Web Form

Image: Form Assembly Best Practice 

For displaying your Privacy Policy in software, you can use pop-ups in your installation process. This is most commonly used with software End User License Agreements (EULAs), but there’s no reason why you can’t do this for your Privacy Policy as well. Here’s an example of what I mean by the pop-up:

Ask Toolbar Checkboxes

Image: Ask Toolbar Checkboxes 

You can see that in all of the examples above, the legal documents that the user is agreeing to are hyperlinked within the checkbox text. It’s important to ensure that your user has easy access to the documents and that it is clear what legal documents they are clicking "I agree" in relation to.

Clickwrap is a much stronger method than what most websites typically use, Browsewrap. This is where the user does not click "I agree" to anything, and instead is simply presumed to have agreed to the terms by implication.

The terms are usually displayed at the bottom of the webpage, and the user must browse to read them. There is no certainty for the website owner that the user has read the terms. Here’s an example of Browsewrap from VentureBeat:

Venture Beat Browsewrap

 

Image: VentureBeat footer (VentureBeat)

You can see that the text is in very small writing, and not drawn to the user’s attention at all.

Courts have generally held that Clickwrap methods are legally enforceable, while Browsewrap methods are not. This means that Clickwrap is the best method for ensuring that your customer is legally bound by your Privacy Policy.

Conclusion

Setting up a comprehensive Privacy Policy in line with the above suggestions is not hard to do, but it ensures that you are compliant with both EU and US privacy laws. After you’ve set it up, make sure that your privacy policy is enforceable by using Clickwrap methods of agreement, and you can protect yourself from liability when collecting and using personal user data.

About the Author: Leah Hamilton is a qualified Solicitor and writer working at TermsFeed, where businesses can create their Privacy Policies and Terms and Conditions in minutes.

About the Author

Leah Hamilton

Leah Hamilton is a qualified Solicitor and writer working at TermsFeed (https://termsfeed.com), where businesses can create legal agreements in minutes using the Generator.

More Content by Leah Hamilton
Previous Article
5 Ideas for Making Sales Conversations at Trade Shows Less Awkward and More Productive
5 Ideas for Making Sales Conversations at Trade Shows Less Awkward and More Productive

So you’re standing at your company’s booth and some guy (naturally, his badge is flipped over) moseys up an...

Next Article
6 Qualities All Great Sales VPs Have in Common
6 Qualities All Great Sales VPs Have in Common

How can sales reps be fearless in targeting accounts and closing new business if they don’t have a fearless...

×

Get new posts sent to your inbox!

Great success!
Error - something went wrong!