December 21, 2021
This episode explains how brands can respect consumers and the law by following responsible data privacy guidelines.
Our episode guest is Sharon Toerek, intellectual property and marketing law attorney and owner of Toerek Law, a national law firm based in Cleveland, Ohio.
Five things you’ll learn from this episode:
- Common data compliance mistakes companies make
- What General Data Protection Regulation (GDPR) is and its effects on marketers in the United States
- The importance of a team that can look at consumer data from a marketing, legal, and technological point of view
- Questions brands should be asking to ensure responsible data practices
- Why marketers should have a response plan in place for data inquiries
- “If listeners could come away with one thing from this conversation, it would be to remember that it doesn't matter where you are. It doesn't matter where your agency is. It matters where your consumer is sitting. And so, if you're that unlucky company who maybe has 10, 20, 100 consumers in Germany on your list, you've got to comply with GDPR.” — @SharonToerek
- “Ultimately, all roads are going to point back to the brand when it comes to being responsible for complying with the law.” — @SharonToerek
- “Have a plan ready for how you're going to respond to consumers before you even launch the campaign.” — @SharonToerek
- “I love it when we take responsibility and we do things ethically as an industry, and we push others to do the same thing. Even if we're dragging people along and trying to get them to come along with us (kicking and screaming), I think it's the right thing to do for the industry.” — @JasonMudd9
- “The increase in restrictiveness of the data privacy rules are actually an awesome opportunity for brands to expand and deepen their relationships with their customers – the customers who really want to hear from them and who they can really develop long-term ties with.” @SharonToerek
If you enjoyed this episode, would you please share it with others and leave us a review?
About Sharon Toerek
Our episode guest is Sharon Toerek, intellectual property and marketing law attorney and owner of Toerek Law, a national law firm based in Cleveland, Ohio. She focuses on clients in the advertising, marketing, and creative services industries, helping creative professionals protect, engage, and monetize their creative assets.
Guest’s contact info and resources:
Episode recorded: Nov 18, 2021
- On Top of PR is produced by Axia Public Relations, named by Forbes as one of America’s Best PR Agencies. Axia is an expert PR firm for national brands.
- On Top of PR is sponsored by ReviewMaxer, the platform for monitoring, improving, and promoting online customer reviews.
- Burrelles has a special offer for On Top of PR fans. Check it out at burrelles.com/ontopofpr.
About your host Jason Mudd
On Top of PR host, Jason Mudd, is a trusted adviser and dynamic strategist for some of America’s most admired brands and fastest-growing companies. Since 1994, he’s worked with American Airlines, Budweiser, Dave & Buster’s, H&R Block, Hilton, HP, Miller Lite, New York Life, Pizza Hut, Southern Comfort, and Verizon. He founded Axia Public Relations in July 2002. Forbes named Axia as one of America’s Best PR Agencies.
Find more On Top of PR episodes on:
- [Narrator] Welcome to "On Top of PR" with Jason Mudd presented by ReviewMaxer.
- Hello and welcome to "On Top of PR". I'm your host, Jason Mudd. Welcome. We're glad you're here. Today I'm joined by my friend and legal advisor, Sharon Toerek. Sharon, welcome to the show. Glad you're here.
- Thanks, Jason. I'm happy to be here with you.
- We're glad you're here too. So quick bio for our audience. Sharon is an intellectual property and marketing law attorney and owner of Toerek Law, a national law firm based in Cleveland, Ohio. She focuses on clients in the advertising, marketing creative services industry, helping creative professionals, project engage and monetize their creative assets. That sounds like a fun line of work to be in Sharon. Welcome to the show.
- It's very fun. Thank you. I'm thrilled to be here and it's work we really enjoy here for sure.
- Yeah, Sharon, I know that you've become a trusted advisor for me and for Axia. And so today we want to introduce you to our audience and get our audience just connected with you and your smarts. And so they can think of you as a resource, as we do, whenever they have legal questions or legal matters. So today we're going to talk about data privacy concerns for marketers, and that's a topic that I'm passionate about. Axia does a lot of cyber security type communications work both before, during and after a cybersecurity breach. So data privacy, data security, is always very important. And if it's not important right now to our audience, I'm glad they're here. I hope they stop what they're doing and really laser in on laser they're focusing in on this conversation because data privacy is not only a big deal today, but it's becoming a bigger deal and there are significant liabilities and risks and responsibilities that brands need to be considering not only right now, but even more so in the future, is that correct, Sharon?
- Yeah, this is great. I want to set the table by just taking a step back real quick and for our audience members who maybe aren't for sure what GDPR is, let's start there and kind of establish what that is and what it did. And then let's talk about California after that.
- Sure. GDPR is the European Union's set of privacy regulations that guarantee consumers who reside in a European Union certain rights to their own personal data. In other words, to know what you, what data you possess about them as a marketer. To be able to have that data deleted and similar rights. And the reason why that matters to US marketers, because initially we were getting a lot of questions about, well, why don't sell in the European Union. And we don't advertise in the European Union and it doesn't really matter. And our brand is not based in the European Union. And so there was a lot of education around the fact that what matters is where your consumer is located and it doesn't even matter if they've ever made a purchase from you or not. If you have their data, if they've ever subscribed to an email newsletter, have submitted their information to a contest portal. If you have their information and they are a European Union resident, then you became subject to GDPR. Shortly thereafter, the United States started looking at its data privacy regulations regarding the consumer data that every marketer has and start enacting sort of this patchwork of state by state laws about how to manage data for residents of those states and California, as I said before, enacted the California Consumer Privacy Act, CCPA. And as some of this is not new, I mean, most marketers know about canned spam. They know about other regulations in the US that have protected us from things like telemarketers and stuff like that. So this just relates to the data landscape in the electronic world. And so California's law required some adjusting too, because it is the most stringent in the US. And marketers are really by and large, not super prepared for, they understand by now what the law might require them to do, but they're not really sure whether they're subject to it. And they're also not really sure what to do if they get an inquiry from a consumer who lives in that state, how to react to it. And so there's a lot of education around that that needs to be done. And we're still in the process of doing, and now we have all this advent of cookies going away and what's it going to mean if we got our data from a third party, like we bought a list or we merged with another company and perhaps they didn't handle the opt-in properly, or we engaged an agency and they didn't understand the best practices to use to gather the data. So there's all this swirling around. And a lot of brands are, you know, they want to do the right thing, but they're not exactly sure what steps to take and what order they should be taking them in.
- Well, I hope this conversation helps them solve exactly that. So just curious, a little trivia question here. Do we have GDPR or CCPA to thank for all the times we'd go to a website, we have to click accept on the cookies?
- Neither actually, that, the cookie accepted. I don't know. I won't say that. I'll take that back. GDPR, I would say, made, I think most of us more sensitive about the need to get as much opt-in as possible from consumers. And so that, the timing seems about right where we started getting pop-ups a lot more often and a lot more marketers being a lot more scrupulous about recording our permission to drop cookies onto our servers.
- Well, I think it's annoying for everybody. I mean, just, you know, the fact that we have to click on it and say, okay, or whatever and all that, but it makes sense. It just something that, you know, kind of, you know, can drive you a little crazy, I guess. Every time you're hitting a new website, you gotta click okay.
- It is. And it's, you know, for the next 18 months to two years, it's a little bit of a, I don't want to say smoke screen, but it's a little bit of a hallow exercise because those cookies are going to go away very soon. And you're going to have to have, be able to prove that you got opt in from those people or their permission to use their data and other ways. And so won't be too much longer before most consumers are not going to have to worry about clicking those permission boxes.
- Yeah, yeah. Well, thank you for walking us through that. I agree, most marketers are going to be aware of this, but I'm always surprised by when people aren't aware and you know, sometimes you're so busy, you know, your head's down, you're grinding, you're doing your work and you're not going to seminars and webinars and conferences. And you're not hearing about that insightful information. I know you, you weren't, one of your expertise is influencer marketing. And one thing that just continues to blow me away is how either micro influencers, brands and even employees don't understand the criteria of having to disclose that when they're posting on social media, I work for this company or this company is a client of mine, or I was paid to post this content. That's not necessarily a privacy, a privacy matter, but it's certainly a disclosure matter. Do you want to talk about that for a moment?
- Yeah, I'm happy to talk about influencer marketing. I think that it is, we're in an interesting time right now because when influencer marketing first gained popularity as a tactic for brands, they primarily were interested in working with influencers who are either a celebrity level influencers, almost like endorsers of the product, or at least folks who had what we'll call macro influencers who have very large communities, very large followings. The folks you see on Instagram and now tik-tok who have huge numbers, but the way the practice of influencer marketing is really evolving and where brands are finding a lot of success is working with influencers with smaller communities. So those nano influencers, or even the micro-influencers who have a very niche audience, that just happens to be a perfect match for a particular promotion or a particular brand need at the time.
- [Jason] Right.
- And so, as we're working more and more with the micro and the nano influencers, many of whom don't have a lot of experience putting deals together with brands or really understanding what's required of them in terms of disclosure, transparency. Brands need to now get a lot more involved in the influencer education process. And the way you do that is either by booking the influencer through a talent agent who understands the rules and can be responsible for educating the influencer or by actually having that confidence that, that conversation one-on-one and providing a lot of written guidance to them about your expectations.
- Right, yeah, for sure. So I like how we've kind of transitioned because at the end of the day, it's about responsibility, right? It's the responsibility of the data and how you're going to use it. It's the responsibility of communicating about the relationship or the engagement or the whatever, and then the end of the day, it's just responsible marketing, right? It's using common sense to make sure the person understands that this is something that someone's been incentivized to do. This is something where you're giving us your information and we're going to use it in some way or for some purpose. And I love it. I love it when we take responsibility and we do things ethically as an industry and we push others to do the same thing, even if we're dragging people along and trying to get them to come along with us, kicking and screaming, I think it's the right thing to do for the industry. So Sharon, believe it or not, it's time for us to take a quick break and we'll come back on the other side and talk more about data privacy and kind of help some of these brands that are listening. Like you said, try to solve some of these challenges by at least outlining kind of either the steps they need to be taking, the questions they need to be asking so that they are operating responsibly with this data.
- All right. Thank you, Sharon.
- [Narrator] You're listening to "On Top of PR" with your host, Jason Mudd. Jason is a trusted advisor to some of America's most admired and fastest growing brands. He is the managing partner at Axia Public Relations, a PR agency that guides news, social and web strategies for national companies. And now back to the show.
- Welcome back to "On Top of PR", I'm your host, Jason Mudd, and I'm joined by Sharon Toerek today. We are talking about data privacy. We talked briefly about influencer marketing and certainly in the show notes, we're going to give you Sharon's contact information, if you want to talk more with her about influencer marketing. We've also done past episodes, a past episode on this topic. We'll put a link to that in the show notes as well, so that you can learn more about influencer marketing's and your responsibilities as a marketer to make sure you do that well. But without further ado, Sharon, welcome back.
- Thank you.
- We were just about to start talking about being proactive. So if you're sitting in the brand seat, maybe an agency person is listening to this episode as well. We identified when you have data, you have responsibilities to manage it and secure it and handle it with care, handle it responsibly. Let's talk about how brands can be proactive to make sure that they're being compliant and respectful.
- Right. You know, I think there are several things that a brand can do and your agency can be your partner in this to set yourself up for success on the compliance front, when it comes to data privacy compliance. I think, first of all, it's about knowing where did your consumer data come from? And the bigger the brand, the more consumer information you have, the harder this is to do, I'm not going to dismiss it as a challenge, but ask the questions. Where did the data come from? Is this data that we collected from actual purchasers of our products? Is this data submitted voluntarily by consumers who have requested information from us? Is this data from lists that may have been purchased either by us directly or on our behalf? Where did the data come from bottom line? Because, depending on it's origin, you can make some reasonable assumptions about whether the consumers opted in or not properly in the first place. So that's step one, know where your data came from. Ask your partners in gathering data about their knowledge level and their practices in terms of acquiring data. Does your agency or your production partner buy lists? What data are they using and how were they contacting these consumers and what information are they using to get in front of them? And then third, what is our plan to react to a consumer who reaches out to us with a question or inquiry about the data that we have of theirs? Are we gonna make it easy for them to contact us, which you should be doing? And when they do contact us, are we going to be prompt in responding to them? And do we have a procedure here internally so that we can make that easier and not so taxing? And so I think those are like three practical steps that brands of all sizes can think about. And I understand that the more complex the data is, and the more of it you have the slower this might be as a go, but those are three basic places to start so that you set a culture and a foundation for respect of your consumers and the law and being ready to be compliant.
- So Sharon, is there ever a situation where a brand can acquire an email list that people haven't opted into and still communicate with them maybe one time or something like that and still be compliant? Or is that just an never, ever, ever, ever buy lists? Because I'm sure everybody gets these emails where they're like, we haven't a list of all these people. And you know, of course I don't like to do business with people I don't know who have spammed me about how they can help you spam other people, I guess. But is there ever a scenario where you can acquire list and one time send an email asking, would you be interested in opting into something or talk to us about that?
- This, I don't know how, I don't know how members listening, of your audience, listening will perceive this, but I am not a fan of list buying at all. And frankly surprised that it's a practice. You can tell it's dying, but I'm kinda surprised it's not closer to its final days, to be honest with you, because it's not in alignment with the way the regulatory landscape is trending in terms of your responsibilities to consumer data. And so I have a sort of a no list policy. If my clients ask for my advice, that's the most compliant way to handle it and look at it from just from a marketing perspective. I'm not a professional marketer, Jason, you are, but it's not a good way to think. The increase in restrictiveness of the data privacy rules are actually an awesome opportunity for brands to expand and deepen and tighten their relationships with their customers, the consumers who really want to hear from them and who they can really develop long-term ties with. So I am not a fan of list purchasing. I don't advise it. And you are almost never going to be able to determine whether that list was properly opted in or not. You could assume the risk of buying the list, paying those people one time with a direct response campaign or something. And then if they don't opt in, you know, dump everybody else off that list. But that just seems like an awfully expensive time consuming and somewhat risky procedure from my point of view.
- Yeah, I totally agree. I totally agree. That's the way I recommend it as well. I've had some companies who are maybe a spin-off of another brand, or kind of a, for lack of better word, some kind of startup, but typically a well-funded startup, a well-established startup, if you will. And they've been like, but we have zero, we have zero people opted into our email list, where do we get started? And I'm like, well, let's talk about launching campaigns that ask people to opt in and we can target people. And there's certain things you can do to attract and build ultimately awareness of your offering, and then try to invite them into your funnel organically instead of paying them to become part of or paying someone else to manually or force them to be opted into your program. But yeah, I'm with you. I've never seen a scenario where that worked well. As both somebody advising companies, as well as someone who was just a consumer in the marketplace that's suddenly getting unsolicited emails from somebody and I don't know you and that kind of thing.
- And so, yeah, I think we're on the same page there. It doesn't seem like it's ever going to be a good fit.
- No, it's so little payoff really in exchange for you really can't claim unclean hands in the slightest, because you're kind of deliberately looking the other way about the origin of that information. And you won't be able to prove its provenance. You won't be able to affirmatively show a pattern of opting in. And so it's just not worth the hassle. And frankly, you're probably not going to get good results from it anyway. So I think we're on the same page there, Jason.
- Yeah, for sure. So let's say, we're talking about the great resignation right now, right? And so many people, so much turnover and things like that. So let's say you come to a new role at a company and maybe you're the chief marketing officer and the company has a list of thousands, maybe tens of thousands, hundreds of thousands, if it's a big enough brand, maybe even millions of people on their email list, what would you suggest that they might do now that they've got this significant level of responsibility on behalf of the brand? How might they go about auditing or cleaning up, or what would you do if that was your situation, Sharon?
- That's a really great question. CMOs have so much pressure on them now and it's one reason why one of many reasons why the tenure of an average CMO is shrinking over the time. I think that the first thing I would probably counsel a CMO to do is to put together a cross disciplinary team of people from marketing, from IT,
- [Jason] Legal.
- and from their legal and compliance, yes, to sort of jointly agree on a process by which they're going to evaluate the consumer data that they have. Segmented it into we know this is clean. We're not sure about this. We know this is definitely not good so that you at least do an assessment and then create a policy around what you're going to do from that point going forward to ensure compliance. So I say, first of all, get a cross disciplinary team together and involve outside consult as you need to. Outside vendors who understand this area from a marketing, a legal, and a technology point of view and attack it that way. Assess and create processes and procedures for a go forward strategy on dealing with consumer data.
- Perfect. Sharon, while we're here, I just feel like this would be a cool opportunity for you to kind of share maybe some common mistakes you see made both in the data privacy area. And I know you do a lot of influencer marketing type work, so maybe just kind of almost like an informal kind of off the cuff questions you might want to ask yourself if you're listening to this episode or maybe a make sure you've done X, Y, and Z. Can we just kind of a free flow a little bit about that?
- Sure, absolutely. I'd love to. So I can either tell you a couple of stories or of you can tell me a couple and I can react to them, whatever you want to do.
- Well, people love stories. So why don't we start with, with one. We need to keep it tight just based on time.
- I think one of the stories that illustrate a lot of this regarding data compliance is from a United States based company who wants to do a direct response campaign. And they want to incorporate the data from folks who they've met at trade shows, and they want to incorporate a couple of lists, and then they have all this other big pile of consumer data. And they're not really sure where all of it came from. We could assume some of it was opt in properly. We just didn't know. And so what to do, how to advise. And so what we did was, and this is not a completely risk-free strategy by the way, but it shows clean hands and it shows definitely steps in the right direction. They did a re-engagement campaign. They just decided to bite the bullet and try two to three re-engagement attempts with everybody on the list, quickly clean them off if they weren't getting opt-ins promptly, when they did that. And they did end up with a much smaller list at the end, but it was a list of potential consumers who were the most engaged with the brand, who actually wanted to hear from the brand and whom they could actually assume were interested in a transaction at some point in the future. So that was a project that, I'm sort of glossing over some of the hard conversations, which were, why do we have to drop these names off? What risks are we really assuming? And it took strength of leadership in the marketing area of the company to sort of say, this is going to be our go-forward culture, where we're not going to rely on junk data. And we hadn't, they'd not yet gotten to the place yet where they're completely thorough in their reactive process, but they did get one inquiry. It was somebody from California. And so then we help them walk through what they need to do to set up sort of a privacy center on their website. A place where consumers could go and submit a request for whatever they wanted done with their information. Delete it. Tell me what you have, et cetera. So that's probably, that's a good story. I don't have any horror stories, fortunately for you about data privacy compliance. I hope I never do, but we do have clients with various levels of cowboy mentality. Let's put it that way. They'd rather wait and see if something happens.
- Than, you know, be proactive.
- That's probably the stereotypical entrepreneur as well, right?
- It is.
- But I'm not sure of Gary Vaynerchuk was the first to say it, but he's known for saying marketers ruin everything. And I think this is a perfect example of how something as simple as email, which was a great technology advancement, but then marketers are like, hmm, you know, how can I use this? And then they abuse it. And now we find ourselves with issues and challenges and regulations to protect ultimately consumers because people, marketers are, I guess, ruining everything.
- And I think if I could just, if listeners could come away with one thing from this conversation, it would be to remember that it doesn't matter where you are. It doesn't matter where your agency is. It matters where your consumer is sitting. And so if you're that unlucky company who maybe has 10, 20, a hundred consumers in Germany on your list, you've got to comply with GDPR. It's just the way it is. So maybe segregate your list by state by state. we're hopeful in the US for federal standard on data privacy, marketers, and the corporate world are pretty much aligned about that, so that we don't have to look at a patchwork of 50 state laws.
- Yeah. Yeah, absolutely. Yeah, I've definitely been there where just recently we've added a new client who hasn't been
doing any email marketing whatsoever, but they have a list, that they've been building over the years and they just haven't done anything with it. And so we were helping them launch a basically a new product for a simplicity purposes. And so, we were like, do you have an email list that you can send this out to? And they're like, oh sure we do. And so we helped them create the messaging and then they sent out the email and it came back and they got kind of a slap on the wrist for so many soft and hard bounce backs from their email provider. And I was just kinda like, oh, so you didn't screen that list before you send it out? You know, like we just, we were just asked to write the content. We weren't really involved in the list selection and the list management, and then come to find out the list was just really dated that they used for this. So, now we know going forward, okay, let's scrub this list. Let's make sure it's up to date, but that's a real example. And I'll be sure we put in the show notes of a website or a company that we've used for this called NeverBounce. That seems to go in and really help manage those lists. That's reminding me just one closing thought I had Sharon, which is one of my personal best practices is always to share what I call minimum necessary with any third party. So in other words, if you're engaging an outside company to maybe manage your email list or send out a direct mail piece or do something with data, right? I'm a big believer in you only give that company the minimum necessary they need to do the job that they're doing.
- So, early in my career, we would do stuff for a bank and the bank would send us here's our customer lists to send out a direct mail piece to it. And we get that customer list and there's account numbers, there's balances, there's products that are enrolled in. And I'm like, ah, we don't need all of that. Like we just need you to give us the list of the customers that meet the criteria, their contact information. And so we would go through and kind of remove the content that we didn't want to send to the mailing house.
- And I guess back then people weren't as worried about it, as I was, but for sure now, obviously that's a big deal.
- And that's one of the reasons I'm very interested in cybersecurity type work, because most people think the cybersecurity threat is going to come from inside or outside, but it's typically happening inside through carelessness, maliciousness, but ultimately just no control over that, over that data, very loose use of the data.
- Right, yeah. I think, look who knew a few years ago, as recently as probably three to five years ago, that email would come roaring forward again. Everybody was about building their tribes on social media up until a couple of years ago when everyone realized that email is so much more profitable. And so it's here to stay at least for a while, but I don't want to as we sort of conclude our conversation, I don't want listeners to forget that data privacy responsibility also applies to your social media marketing. If you're building lookalike audiences to run campaigns on a social media platform, and those that look like activities built upon data that you house just remember, you've got to be careful about sharing that data with those platforms and all roads lead back to the brand ultimately, when it comes to liability and responsibility for privacy. You may try to shift some of that responsibility to your agency in your contract or to a third-party data warehouse, but ultimately all roads are gonna point back to the brand when it comes to being responsible for complying with the law, in this regard.
- And to the Cowboys that might be tuning in that are just kind of pushing along, hoping they don't get caught or whatever, there's significant fines and penalties and things like that that can be out there. Not to mention that you get enough complaints with your domain and your emails will stop going through and start getting blocked. And a lot of things like that that need to be considered. And so I'm thinking, you mentioned Tik-Tok earlier, I'm a big fan of Tik-Tok and there's a guy on there talking about how, if you get a text message from a company that's unsolicited, that could be a payday for you. If they don't remedy it when you tell them to stop. So, I think that we have to really be looking at this through the lens of what's in the best interest of the consumer. Therefore, what's in the best interest of the brand? And if you start getting penalized for abuse, whether that is the lack of ability to send or people actually maybe filing a lawsuit against your brand. Hopefully, hopefully this conversation woke you up to that before you get there. But if not, there'll be hefty fines to pay and you'll learn a lesson.
- Right, absolutely. And have a plan ready for how you're going to respond to consumers before you even launched the campaign.
- Yeah, that's good. And I guaranteed most people don't do that.
- I know, but hopefully a few of them will do that after they hear us.
- That's right, yes. Sharon, if an audience member wants to connect with you and engage you, or at least ask you some questions, how do they best get a hold of you?
- We'd love to hear from them. You can absolutely connect with me on LinkedIn or Twitter. It's @SharonToerek and my email and I do read and eventually respond to all my own emails personally is firstname.lastname@example.org.
- Sharon, just to toot your horn, you do a lot of speaking and educating in the industry. That's how you and I got connected and really glad we did this today. Thanks for all you do for the profession.
- It's my pleasure, Jason, thank you so much for having me today.
- Great, thank you. So that's been another episode of "On Top of PR". We want to thank our guest, Sharon, for joining us. If you enjoyed this episode, please share it with a colleague and invite them to be part of the conversation. And we invite you to be part of the conversation on one of our social media channels so that you might stay on top of PR. This is Jason Mudd from Axia Public Relations signing off. Thank you for tuning in.
- [Narrator] This has been "On Top of PR" with Jason Mudd. Many thanks to our solo cast sponsor, Burrelles for making this episode possible. Burrelles has a special offer just for "On Top of PR" fans. Check it out at Burrelles.com/OnTopOfPR.