Many US state legislatures and the Federal government are now considering options for more stringent data privacy laws and regulations. It’s quite likely that within the next few years, possibly sooner, either Congress will enact nationwide data privacy regulations or we’ll be dealing with a patchwork of state-level laws.
A delicate balance is required
This shifting legal environment means that membership associations will need to adjust their processes to comply, while avoiding a negative impact on their ability to recruit members or to generate revenue from their membership. Most global associations have already dealt with these issues as they prepared for the GDPR, but now US-based associations with a regional or national focus are finding themselves in a similar position thanks to laws like the California Consumer Privacy Act (CCPA).
In this post, we’ll explore how to align your strategy with emerging data privacy best practices and demonstrate to members that you’re a good steward of their personal information without negatively impacting your marketing and revenue generation efforts.
Data privacy regulations 101
Let’s take a step back to better understand the GDPR, the CCPA and similar proposed regulations. Their focus is primarily on people’s personal data: name, date of birth, address, phone and email, employer, location data, race or ethnic origin, and gender, among other details. Although details differ from regulation to regulation, the overarching goals are to give people more visibility into the data organizations hold about them and more control over how that data is used. In general, these regulations require:
- People about whom you collect data, referred to as data subjects, must be able to give consent to what data is collected about them and how it will be used. You cannot use their data in any way that is inconsistent with the consent given.
- Organizations must document why personal information is collected and/or processed, what information is stored, how long it is retained, and what security measures are in place.
- Personal data you store must be effectively protected and you are required to provide notification if the personal information you store has been subject to a data breach.
- You must have processes in place that allow data subjects to contact you to learn what information you hold about them, and to request that any stored data be permanently deleted, which is commonly referred to as the right to be forgotten.
What this means for your association
Earlier, I outlined how this affects recruitment and data management in the higher education space. In a similar way, these regulations also impact how an association manages data and uses it for both recruiting prospective members and marketing products or services to members and non-members alike. The key dimensions we need to consider are how member data is held and controlled by the association, as well as how opt-in/opt-out choices are managed.
Security and control of member data
Many associations would have a difficult time complying with all these requirements, largely because member data is often maintained in multiple disparate systems, some controlled by the association and some by the association’s vendors or business partners. For instance, member records are typically stored in an association management system (AMS) as the central repository, but subsets of that data also tend to end up in:
- Marketing automation tools like HubSpot or RealMagnet
- Learning management systems
- Event management platforms
- The databases of other association business partners, sponsors and advertisers
Frequently there is no single source of truth, or data map, that identifies what member information is stored, where, and for how long. As a result, it’s very difficult to protect that data, accurately inform members how their data is being used, or delete it completely when required. Gaps in this area present significant risks to data security and, in the case of member data misuse or a breach, to the association’s reputation.
Consent and opting-out of communications
If your association is subject to the GDPR, you’re already familiar with its opt-in requirements for marketing communications. The CCPA and other legislation under consideration in the US impose similar but somewhat looser requirements, focused on making it easy for people to opt out rather than requiring opt-in for marketing communications. The ability to opt out of email marketing is built into most marketing platforms, but that choice doesn’t always flow to the other systems that store or manage the same person’s data.
For example, if someone opts out of your marketing communications, does that request reach your event management platform or your learning management platform? Both can send marketing email of their own. Consider how well your systems are integrated and how readily you can get a global view of a member’s or prospect’s consent across the various ways you use their data.
Data privacy best practices
While laws and regulations in this space are still very much evolving, the following best practices for data protection are based on provisions of the GDPR and the CCPA. Taking these measures will help associations prepare for the more stringent regulations we expect to be enacted in the near term.
Transparency and consent
Make it clear to prospects and members what information you will collect from them and how that data will be used. Get an affirmative opt-in confirming that they understand and agree to that use, and store a record of the opt-in (who, when, and through which form or channel) in case you need evidence later. Write the disclosure in plain language rather than burying it deep in legalese-laden terms and conditions. A critical piece of that disclosure is stating whether member data will be shared with third parties and, if so, with whom and for what purposes. Also make the opt-out process clear, and when someone opts out, either delete that person’s data or mark it as opted-out, depending on the applicable requirements, in every system that stores member data or communicates with members.
Data mapping and subject requests
Create a data map to ensure a clear understanding of the data your association stores about members and prospects, where it’s stored and for how long. Processes should also be created for responding to data subjects’ requests for information or for deletion of their data, including methods to expunge that data from all systems, both those controlled by the association and those controlled by partners or vendors.
Information security and breach response
Having effective information security measures is critical for multiple reasons. The association should have documented and enforced policies, procedures and technical controls in place to adequately protect personal data, and an incident response process that can analyze and contain a breach and notify the affected parties. It is also the association’s responsibility to confirm that any third party storing or processing member personal data has security measures in place that meet industry guidelines and any other regulatory requirements the association is subject to.
Data minimization and retention
Too often there’s a tendency to store data indefinitely for fear of losing anything important. A key tenet of current data privacy regulation is the opposite: retain only the data necessary to meet the business need, and keep it only for as long as required. That means creating processes and procedures to delete data once it’s no longer needed, for instance for prospects who have not become members or individuals whose membership has lapsed.
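As an added example (not code from the original post), the following Python sketches the three pieces the practices above call for: a consent ledger that records each opt-in or opt-out with its time and source as evidence, a drift check that finds contacts a downstream system still treats as marketable after the person opted out elsewhere, and a retention purge driven by a data map. The system names, fields, retention periods and contact records are hypothetical and constructed inline.

```python
"""Consent-of-record ledger, cross-system drift check and retention purge.
Added example, not part of the original post: system names, fields and
contact records are hypothetical and constructed inline."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical data map: each system, the personal-data fields it holds and how
# long non-member records may be kept (None = retained while membership is active).
DATA_MAP = {
    "ams":       {"fields": ["name", "email", "address"],  "retention_days": None},
    "marketing": {"fields": ["name", "email"],             "retention_days": 365},
    "lms":       {"fields": ["name", "email"],             "retention_days": 730},
    "events":    {"fields": ["name", "email", "employer"], "retention_days": 365},
}

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # e.g. "marketing_email"
    granted: bool     # True = opt-in, False = opt-out
    at: datetime      # when the choice was captured (UTC)
    source: str       # where it was captured: web form, unsubscribe link, support ticket

@dataclass
class System:
    """Toy stand-in for one downstream system's contact table."""
    name: str
    contacts: dict = field(default_factory=dict)  # subject_id -> record dict

def consent_of_record(ledger, subject_id, purpose):
    """The latest explicit choice wins; None means no choice was ever recorded."""
    events = [e for e in ledger if e.subject_id == subject_id and e.purpose == purpose]
    return max(events, key=lambda e: e.at).granted if events else None

def find_consent_drift(ledger, systems, purpose="marketing_email"):
    """Contacts a system still treats as marketable although the ledger says opted out.
    A record with no flag at all counts as marketable: that is how stray mailings happen."""
    return [(s.name, sid) for s in systems for sid, rec in s.contacts.items()
            if consent_of_record(ledger, sid, purpose) is False and rec.get(purpose, True)]

def propagate_consent(ledger, systems, purpose="marketing_email"):
    """Push the consent of record into every system; returns the (system, subject) pairs changed."""
    changed = []
    for s in systems:
        for sid, rec in s.contacts.items():
            decision = consent_of_record(ledger, sid, purpose)
            if decision is not None and rec.get(purpose) != decision:
                rec[purpose] = decision
                changed.append((s.name, sid))
    return changed

def retention_purge(systems, last_activity, now):
    """Delete contacts whose DATA_MAP retention window has expired, measured from
    last_activity[subject_id]. The consent ledger is deliberately left untouched."""
    deleted = []
    for s in systems:
        days = DATA_MAP[s.name]["retention_days"]
        if days is None:
            continue
        for sid in list(s.contacts):
            last = last_activity.get(sid)
            if last is not None and now - last > timedelta(days=days):
                del s.contacts[sid]
                deleted.append((s.name, sid))
    return deleted

def build_sample():
    """Constructed sample: two prospects and one member spread over four systems."""
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    ledger = [
        ConsentEvent("p1", "marketing_email", True, t0, "web-form"),
        ConsentEvent("p1", "marketing_email", False, t0 + timedelta(days=30), "unsubscribe-link"),
        ConsentEvent("m1", "marketing_email", True, t0, "join-form"),
    ]
    systems = [System(name) for name in DATA_MAP]
    for s in systems:
        s.contacts["p1"] = {"name": "Prospect One", "email": "p1@example.com"}
        s.contacts["m1"] = {"name": "Member One", "email": "m1@example.com"}
    systems[1].contacts["p1"]["marketing_email"] = False  # only the marketing tool saw the unsubscribe
    systems[2].contacts["p2"] = {"name": "Prospect Two", "email": "p2@example.com"}  # stale LMS record
    now = t0 + timedelta(days=400)
    last_activity = {"p1": t0, "p2": t0 - timedelta(days=900), "m1": now}
    return ledger, systems, last_activity, now

if __name__ == "__main__":
    ledger, systems, last_activity, now = build_sample()
    print("drift before sync:", find_consent_drift(ledger, systems))
    print("changed by sync:  ", propagate_consent(ledger, systems))
    print("drift after sync: ", find_consent_drift(ledger, systems))
    print("purged:           ", retention_purge(systems, last_activity, now))
```

Two design choices matter in practice. The ledger is append-only and is not purged along with the contact: the retained opt-out doubles as a suppression list so a later data import cannot silently re-subscribe the person, and it is the evidence of consent the post says to keep. A subject with no ledger entry returns None, and how that is treated depends on the regime you are under: under opt-in rules like the GDPR, no record means no consent, while under an opt-out regime it means the person has not yet objected.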
Coordination with partners and vendors
Most associations host applications with cloud providers and work with third parties for services related to marketing, education, events and so on. As a result, member data is shared with these providers. First, share no more data with a third party than the business need requires; for example, don’t send the complete member record if only a name and email address are needed.
The association remains responsible for ensuring that these providers follow generally accepted standards for protecting the data in their care. To make that happen, vendor contracts should include provisions covering:
- Data security – the association’s expectations for the measures the provider takes to secure member data
- Notification – the provider’s obligation and procedure to notify the association of any breach affecting member data in its care
- Data retention – how long the provider retains member data, and what happens to that data when the association’s relationship with the provider ends
This post outlines best practices based on data privacy regulations and legislation under consideration. Of course, any final rules or regulations may differ. Regardless, the data privacy wave is fast approaching. Taking these recommended measures will improve your association’s control of, and visibility into, member data management processes. Equally important, you will be in a better position to stay ahead of necessary changes as they occur instead of reacting in haste. Please reach out to me to learn more or if I can help you with any of your association’s related digital challenges.
Please note that this post is for informational purposes only and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine how data privacy laws and regulations might apply to your specific organization.