Most large organizations have employees hired specifically to worry about things like risk and liability. They’re the ones throwing red flags all over the place when you come up with a really good content marketing idea (be nice…it’s their job!).
The rest of us — those who are self-employed or work at SMBs — wander along in blissful ignorance. There’s nobody on the sidelines monitoring our web content and yelling, “Hey, you can’t do that!”
Sounds like a good thing, right? Wrong.
The deeper the internet embeds itself into our daily lives (my southern girl imagination sees kudzu taking over everything in sight), the more regulated it becomes. That’s a good thing in terms of privacy and security, but it’s also a content minefield for organizations that don’t have a risk management expert on staff (you know, the party pooper who’s constantly telling you what you can and can’t do).
The reality is that, while you may consider yourself to be a law-abiding citizen, your digital content could be breaking laws you don’t even know exist.
Content scofflaws: The most likely suspects
There are many ways your web content can transform you from law-abiding citizen to unknowing criminal. Here are some of the most common.
Does your digital content meet accessibility requirements?
While the Americans with Disabilities Act doesn’t specifically address online activity (which is no surprise, since few people in 1990 envisioned the internet becoming as omnipresent as it is today), some courts have since ruled that the law’s requirements apply to digital spaces as well as to physical spaces. What does that look like in real life? Here are a few examples:
- The videos you post online should have captioning so that they’re accessible to people who have hearing loss
- Ensure that the contrast between the text and the background or other elements is sufficient for people with low vision (no faint text on busy backgrounds, for example)
- Make sure the website can be navigated by a keyboard
- Add captions and alt-text to images so that they can be “read” by assistive devices (which, strictly interpreted, means alt-text should be descriptive rather than optimized for SEO)
Do you use gated content to build your email lists?
Using gated content (or content upgrades) to build your email lists is one of the gold standards of content marketing. You make some kind of offer that people are willing to trade their email address for, and then you use that address for promotional emails, whether that means notification of your latest blog post or a coupon for 10% off the recipient’s next purchase.
Well, the EU is about to throw a huge wrench in that marketing tactic.
The General Data Protection Regulation (GDPR) goes into effect May 25, 2018 (yep, that’s this year). The law is detailed and complex. In terms of list-building activities, it says that personal data you collect for one purpose can’t be used for another purpose without the consumer’s explicit permission. That means that, if somebody gives you their email address to download a white paper, you can’t use it for promotional emails unless they check a box stating that you have their permission to do so. And giving them the opportunity to opt out doesn’t cut it; they have to actively opt in.
Think you’re in the clear because you’re not in the EU? Well, maybe…but maybe not. The law isn’t bound by geography. So if any of your customers are EU citizens (even if they’re currently living in the U.S.) or live in the EU (whether they’re citizens or not), you’re bound by the GDPR. If so, a core marketing tactic could be illegal after May 25. And the penalties are nothing to scoff at: up to 4% of global annual revenue or $24 million, whichever is greater.
And what about the data you already have? Unfortunately, there’s no grandfather clause. You’ll have to either get explicit permission that satisfies GDPR requirements or dump the data and start over.
Do you accept online payments?
If you accept online payments, you’re obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS). These rules were designed to combat costly data breaches and secure the storage and transmission of customer payment data from start to finish. What does that look like in action? Here are some examples:
- Don’t store any more customer data than is absolutely necessary. The 3- or 4-digit security code on the back of a credit card is a good example. You can request that code to authorize a transaction, but you can’t keep it once the transaction is complete, since it’s not necessary for recurring or card-on-file transactions. And encryption doesn’t count — the information must be completely deleted so that there’s no longer any association with the customer’s other data. If the connection can be reconstructed, you’re in violation.
- Don’t send payment data via email, text, or other unencrypted channels. Even handwritten notes — if a busy customer service agent jots down payment information to process a transaction when things slow down, for example — would be a violation, since anyone who walked by could see the information (and possibly take a picture with their phone).
- Make sure that the vendors you use to process payments are PCI-compliant. If you’re PCI-compliant but use a shopping cart provider who isn’t, you’re not compliant anymore.
PCI-DSS standards are guidelines, not laws. However, local laws regarding secure payments are common, so that doesn’t mean you’re out of the woods. And, even if you’re not breaking a law via unsecured payments, there are other consequences to worry about:
- The card brands (Visa, MasterCard, American Express, etc.) can fine your merchant bank, who will likely pass that fine on to you (in addition to terminating your account)
- Handling the negative PR can distract you from focusing on your core business processes
- PCI-DSS compliance helps protect you from data breaches (most data breaches and cyber attacks can be blamed on either a lack of security protocols or an employee’s failure to follow security protocols). That’s important, because approximately 60% of small businesses that suffer a data breach shut the doors within 6 months. Between fines, penalties, work stoppages, lawsuits, customer loss, and having to pay for a forensic investigation, most small businesses just don’t have the capital resources to weather the storm.
Should I start panicking?
Not quite yet. While it’s important to be aware of the risks associated with your online content, you don’t want to go so far in the other direction that you miss opportunities.
Digital governance advisor Kristina Podnar (we’re not related!) explains it like this: “Every organization has to find its own optimal balance of risk and opportunity when it comes to digital content. Deciding to live with the risk is a legitimate choice, especially, for instance, with an American company that only has one or two clients from the EU. Another company in the same situation, however, might conclude that the profit generated from just a few EU customers isn’t worth the risk and, therefore, choose to stop doing business with those customers.”
“Similarly,” she continues, “one company might decide to make the investment needed to bring their digital content into compliance with ADA requirements while another concludes that their chances of showing up on the ADA’s radar are slim to none — so they decide to accept the risk.”
The point of this post isn’t to convince you to go take action right now (I’m not a lawyer and am in no way qualified to hand out advice on how to make sure your content isn’t breaking any laws). The point is to make you aware that there are risks in the digital world that can sneak up behind you and turn your business’s world upside down before you even know they’re there.
Countering that, the digital realm offers opportunities that would have never been possible otherwise. And you don’t want to miss out on those opportunities by being overly cautious.
So my message for the day is to simply be aware. Stay up-to-date on any digital risks associated with your content, weigh them against the potential payoffs, and make the decision that makes the most sense for you and your business goals.
If you need help with your content, I’d love to talk about how we could work together.
If you need help protecting your organization via digital policies, I encourage you to get in touch with Kristina Podnar. We’re still not related (although I kind of wish we were!), but we do work together frequently. And I can honestly say that I have yet to ask her a question about digital governance that she hasn’t been able to answer in depth right off the top of her head. And her “risks vs. opportunities” approach is very business-friendly. You won’t find anyone better.