Thanks to cable TV and Christopher Guest’s hilarious Best In Show mockumentary, even cat people are familiar with the snobby, persnickety world of dog competitions. 

The Westminster Kennel Club Dog Show is the second-longest-running sporting event in the United States, second only to the Kentucky Derby. Every year since 1877, when a group of rich “sporting gentlemen” decided to put the tall tales they told each other in an NYC hotel bar about their canine companion’s hunting exploits to the test, the Westminster Dog Show has brought dog lovers together to celebrate man’s best friend.

What might surprise you, however, is that the show wasn’t originally focused on pampered purebreds. In fact, at the first show, there was a Miscellaneous Class that included, according to the Westminster Kennel Club site, a dog that was a “cross between a St. Bernard and a Russian Setter and a dog named Nellie, born with two legs only.”

So how did a dog show that basically started as a drunken bragfest turn come to represent perfection, and what does dog judging have to do with privacy? 

It all has to do with how dog shows are judged. Most people don’t realize that judges at these shows don’t judge the dogs against each other but rather against what the ideal dog of that breed should be based on standards that have evolved over time.

Just like the dog shows of the late 19th century, early consumer privacy programs were a hodgepodge of whatever businesses could (or would) pull together at the time. 

But just like the first dog show, which was so popular that “the streets outside were blocked with livery carriages . . . almost at the opening hour . . . until the close,” the fight for individual digital privacy rights caught on.

In the dog world, standards developed around what a labrador should look like and how tall a poodle should be. When it comes to privacy, laws like the European Union’s General Data Protection Regulation (GDPR) and California’s California Consumer Privacy Act (CCPA) established principles for collecting and managing user data.

One of the most effective practices to emerge from the privacy movement is the use of preference centers, dedicated pages on your website or in your app where users can tell you what they want you to do with their information.

Preference centers are like—to continue a metaphor—the herding dogs of the privacy world. They can help you corral all your data, gather all your consent needs for GDPR and other laws like CASL. Because of the very specific requirements for laws like GDPR, these softwares are a huge compliance help. 

What’s more, these softwares can also help you improve the quality of the data you collect from your users. These first-party data collection processes will become increasingly important as more privacy legislation comes online and as browsers eliminate the use of third-party cookies.

Preference centers are especially effective for helping manage email subscribers for your digital marketing campaigns. Here’s how you can develop preference center best practices that are Best in Show.

Get your pedigree paperwork in order

Dog show entrants have to provide proof they’re registered with the American Kennel Club. This paperwork often gives details about the dog’s pedigree going back at least three generations, breeder verification, and medical records, all of which are used to demonstrate the dog’s right to participate.

In privacy, AKC registration papers are a lot like a data inventory, also known as a data map. A data inventory gives you the ability to follow a single data record through the entirety of its journey through your system. It will show you:

• What types of data you’re collecting and from whom
• Why you’re collecting it
• What you’re doing with it
• Who you’re sharing it with or selling it to
• Where and how long you’re storing it
• Where it’s at risk of exposure

Data maps can also track and manage a user’s history of consent to the collection and use of their sensitive personal information.

You need to know all of this information to efficiently and effectively manage your preference center. After all, it won’t do you much good to let your users tell you how they want their information used if you can’t make sure you’re following through.

Explain the rules of the game

Like any competition, dog shows have strict rules that everyone, participants and judges alike, have to follow. These rules provide transparency and help reduce confusion about the results. 

When it comes to a privacy program, your company’s privacy policy is the rulebook everyone should use as operating instructions. A good privacy policy is easy to understand, and clearly explains your data collection and processing practices.

Your privacy policy should be front and center in any well-designed preference center.

Your users are the trainer, not you

From both a legal and a best practices standpoint, a preference center page has to have an unsubscribe option. One of the best ways to get people to opt in to receiving marketing materials is to allow subscribers to choose the types of emails they get from you. Some users may only want sale information, some may want to know when new products drop, and some may want your full newsletter.

The more diversified and specific content types are in email preferences centers, the more likely people are to join an email list.

This principle also applies to frequency options for email contact. One of the main reasons people unsubscribe from email marketing is because they get tired of their inbox being full of the can’t miss, don’t forget, best deal emails that seemingly show up all day, every day. You’re more likely to be given a user’s email address if you let them tell you how and how often they want to be contacted.

While historically email marketers have believed that more contact is better, allowing users to pick and choose the types of content they want and when they want it has the potential to improve engagement and decrease unsubscribe rates. 

Pick your event

Dog shows have multiple events, and entrants don’t have to participate in every event. Some dogs specialize in obedience, some in agility, and some are just really good at sitting still and looking pretty.

In addition to an unsubscribe button and content options, your preference center should give users the ability to select the channels you use to communicate with them. You can give them options for SMS or text messaging, email, regular mail, or phone calls based on the type of information being shared.

For example, a user may want sale information via text and email but want a phone call for recall information. 

Get the right tools for the job at hand

You wouldn’t train your dog on an agility course built for horses, and you shouldn’t build a preference center using outdated technology.

Recently, major corporations have started shifting from using customer relationship management platforms (CRM) to process their user data to using customer data platforms (CDP).

A CDP is like a fancier, upgraded CRM that creates a single source of truth by collecting and unifying the customer data you’ve collected (first-party data for the win!) into a complete user profile that includes both their consumer behaviors and their marketing preferences.Using a CDP, companies can run simultaneous micro-campaigns based on highly specific criteria while still maintaining compliance with privacy regulations.

You don’t need to use a CDP to have a preference center, though. It’s important to consider what you really are looking to accomplish. Do you need all the bells-and-whistles of a CDP? Or would a streamlined, standalone product accomplish your goals without the expense, commitment, and stress of a fully loaded solution? 

If the latter sounds, there are many effective stand-alone preference centers that can integrate with your various marketing platforms out there from companies like OneTrust, SalesForce, or Securiti, to consider. 

Best in Show is yours for the taking

No matter where your business is in its privacy journey, creating a preference center can put the blue ribbon within your grasp. Red Clover Advisors have years of experience helping companies build practical preference centers that work with their operations.

Contact us today to see how we do it.

From picking the color scheme to writing SEO copy to integrating your payment platforms, building a website or app is a huge project. After you’ve tested all your links, worked out the UX bugs, and built an interactive chat function, the last thing you want to do is think about a privacy policy.

Putting a privacy policy on your website or mobile app is like finishing the trim when painting your house—it’s not fun. No one wants to do it. 

But the job isn’t done without it. 

Do I legally need a privacy policy?

Whether or not you legally need a privacy policy depends on a number of factors.

If you operate in or collect data from customers who are residents of the European Union, your business is subject to the General Data Protection Regulation (GDPR). The GDPR, passed in 2016 and enacted in 2018, strictly regulates how companies collect, use, and share personally identifiable information collected from customers online. 

If your company only operates and sells to customers in the United States, data privacy law gets more complicated. Other than the Children’s Online Privacy Protection Rule (COPPA), which governs the online collection of data from minors under the age of 13, the US does not have a federal data privacy law. 

Instead, states are driving the privacy conversation for people living in the US. California, always happy to set trends for the country, passed the California Online Privacy Protection Act (CalOPPA) requiring websites and online services to post privacy policies almost 20 years ago in 2004. Since then, others including Delaware and Nevada, have followed suit. 

In addition to individual state statutes, it’s important to be mindful of Section 5 of the Federal Trade Commission Act. If you’re gathering user information and you use it for a purpose you didn’t disclose to the site visitor, you’d be in violation of the Act’s prohibition on deceptive marketing practices. 

California was also the first state to follow the EU when they passed the GDPR-lookalike California Privacy Protection Act (CPPA) in 2018. Since then, California has passed a second consumer privacy law that closed CCPA loopholes, and Nevada, Virginia, and Colorado have also approved comprehensive privacy legislation.

So if you operate in or collect personal information from consumers in those states, yes, legal requirements for your business mean you must put a privacy policy on your website.

Every business needs a privacy policy. Full stop. 

BUT! (There is definitely a but.) Exactly what a business’s privacy policy contains or how in-depth it needs to go varies. 

The United Nations named online privacy a fundamental human right in 2019, and at least 30 states currently have privacy bills proposed, in committee, or being studied by a task force. Legislative bodies aren’t the only groups focusing on protecting consumer privacy. Thanks to years of serious advocacy by consumer rights organizations, transparent privacy practices have also become a standard best practice for many industries. 

Major companies like Apple, Google, Mozilla, Microsoft, Monday.com, Indeed, Netflix, and Fitbit have implemented privacy practices that extend beyond legal requirements for user data protection.

At this point, all businesses are required to have a privacy policy—it’s just a matter of how complex the policy needs to be in order to be compliant. And even if it takes a few years for your governor to sign a privacy bill, your customers already expect you to have a solid privacy program.

What needs to be in my privacy policy?

If you don’t know what happens to data after you collect it, you can’t write a good privacy policy. 

What you disclose about how you collect, use and share information in your privacy policy needs to exactly match the actual process and should align with your business activities. For example, do you include a customer’s email address in multiple databases? Do you share their phone number with third-party services or vendors? Do you ever sell personal data to partner companies?

The biggest mistake companies make with their privacy policies is using a cut-and-paste template from random internet websites or, even worse, a competitor’s site. Your privacy policy is a legal document. In the event of a data breach, you can be held liable if your practices don’t match your policy.

Privacy policy must-haves include but are not limited to (important note here: there are sometimes more requirements depending on which  law you have to adhere to):

1. The types of information you’re collecting (names, addresses, phone numbers, email addresses, geolocation, etc.)
2. Your reasons for collecting this information
3. How the information is being collected (cookies, logs, surveys, forms, registrations, etc.)
4. Who will have access to the information (vendors, marketing teams, partners, random people you plan on selling it to, etc.)
5. Who you will share the information to (this can include third parties, legal requirements, a sale of the company, bankruptcy,)
6. What type of digital identifiers or cookies may be on the site and the type of digital advertising or analytics the company engages in
7.  What choices and individual rights users have
8. What safeguards will be used to protect data (access limitations, cybersecurity programs, etc.)
9. Other items may include if the company follows Do Not Track or Global Privacy Control, and International Transfer of Data
10. Contact methods if users have concerns
11. How users will be notified of changes to the privacy policy

What makes a good privacy policy?

You can include everything from our must-have list and still have a marginal privacy policy. If you really want to stand out, here are our top tips for a good privacy policy:

• Complete a data inventory

A data inventory is required for GDPR compliance, but even if it isn’t mandated for your business, it’s definitely a best practice.

When you complete a data inventory, you track data records, from collection to deletion, on their entire journey through your system. This process helps you understand what you’re collecting and why, where you’re storing it and for how long, and who has access to it. Which, if you read over our privacy policy must-haves again, is information you need to know.

As a bonus, mapping your data also shows where your data is vulnerable to exposure, allowing you to strengthen your security measures and reduce your risk.

• Keep it simple

It might make your lawyers cringe a little, but your privacy policy shouldn’t be pages of legal jargon no one can understand. Instead, use easy-to-understand language to give a straightforward explanation of the hows, whys, whos, and wheres of your data privacy program.

Another option to make it easy to understand: create a visual, easy-to-read summary section of the privacy policy. You should still have your typical long-form one, but think of this as the tl;dr for your privacy policy. 

• Links/instructions for opting out or opting in

Depending on which privacy laws your company is subject to, you may have to allow consumers to opt-in (the most privacy-friendly option!) or opt-out (a good option) of having their data collected, processed, shared, or sold.  Most data privacy laws also give consumers the right to correct or delete certain categories of sensitive personal information from corporate databases.

Your privacy policy needs to spell out how consumers can take advantage of these rights. Many companies include a link to a webform to complete these or to a preference center. 

We’re masters with a privacy paintbrush

Red Clover Advisors believes passionately that privacy gives businesses a powerful way to connect with their customers and grow revenue.  Wherever you are on your site’s or app’s privacy journey, we can help you create everything from a simple privacy policy to a full-blown privacy program.

Give us a call to set up your consultation today.

Software as a service is vital for businesses, but so is privacy and data security. SaaS providers must deliver for their customers or risk a dangerous credibility gap, plus data breaches, fines, fees, and everything else that goes along with compliance failures.

Where does a SaaS start protecting their business and their customers? They start with these 10 steps.

1. Prioritize privacy in your business

Privacy won’t do you or your customers much good if it’s always last in line. Work with your decision-makers to implement privacy policies into your business values and practices: how and why you’re collecting data; what privacy and personal data means for your products; and how you talk about privacy with your customers and your employees. 

It’s never too late to start. And if you need help, a fractional privacy officer is just an email away (for the fraction of the cost of in-house specialists.)

2.  Limit the information you’re gathering

Let’s loop back to the whys of your data collection. Privacy regulations widely require you to minimize the data that you’re collecting by having a reason for collecting it in the first place. If you limit your collection, you decrease the risk of data loss and breaches; you decrease costs of storage and protection; and you increase the likelihood of customer trust. 

Another benefit to minimizing the data you collect? If you keep a streamlined data collection program, you’ll be able to keep up with regulatory changes more easily.

3. Encrypt your data

Always. In today’s remote working, online shopping, social media-ing world, you can’t not encrypt your data and expect to avoid repercussions. Encryption should happen throughout all parts of your technology to protect your business and your customers. 

But it's more than protecting against data breaches (although yes, that's a big reason.) It's also about maintaining consumer confidence. Communicate your encryption practices to show them that you value their trust. 

And as a side note, not taking sufficient measures to protect data can land your business in regulatory hot water with CCPA and GDPR. These privacy acts don’t specifically require encryption, but it’s far easier to just encrypt your data than getting into legal debates. 

4. Data inventorying — it’s a good thing

A data inventory is a line item for GDPR, but it’s an important piece of your privacy practices even if you aren’t required to comply with any particular privacy regulation. A data inventory gives you an organized overview of what data you’ve collected, how you’ve been using, sharing, processing, and storing it. You can then use that overview to track your data flow, help manage vendor relationships, keep your privacy notices up-to-date, and support a streamlined data collecting process. 

5. Offer your customers transparency

You may know why you’re asking your customers for their data, but do they? Chances are, they’d like to know. That’s where transparency comes in. Thankfully, there’s lots of room to communicate with them because your customers are presented with lots of privacy touchpoints in their relationship with you. Don’t miss these opportunities to clarify:

• Why you’re asking them for their personal information
• How and why you’re going to use it
• Who you’re going to share it with
• And always, how it benefits them

Be as specific as possible — no one gets warm fuzzies from vague legalese. 

6. Get your employees privacy-ready

If you don’t train your employees to handle privacy issues, then you’ll quickly run into compliance problems. Your customers' data is handled by your employees. But do they know what your privacy policies are? Do they know why they're in place and what it means for their jobs? Employees need thorough training on any regulations that apply to your customers, your workplace, your business, and your industry. 

7. Back it up in multiple locations

We like the ancient idiom: Don’t put all your data in one basket. This can limit damages in cases of data breaches, although it's important to be diligent about your backup processes: you want your data to be current and useful across all locations. 

This goes for when a customer requests that their data is deleted — consistency is important for honoring these individual rights requests. 

8. Put individual rights into your policies

Speaking of individual rights, don’t assume that honoring them is a one-size-fits-all task. Each regulation defines and honors individual rights differently, so you need to use a targeted approach for upholding them. The best place to start? Start by getting familiar with what the rights are in the first place. The more well versed you are, the easier it will be to come up with appropriate solutions. 

9. Marketing teams should be a priority

Marketing is a multifaceted, ever-changing industry. To meet privacy goals, you need to know how marketing activities intersect with privacy regulations. This means looking at how your business approaches its website(s), apps, email and social media marketing, any point at which data is collected. 

A few key points to remember: 

• Rules vary by channels and tools. An email operates under different laws than websites. 
• Regulations vary from country to country. What you can do in the US is different than what you can do in Australia or Brazil. 
• Whatever you do, make managing how they share information easy with a preference center.

10. Trust is a long-term project

A business needs the trust of its customers, employees, and stakeholders to thrive. Privacy is part of that trust. And honoring privacy is an investment in it.

Start by developing solutions that support trust. Don’t just tell people they can trust you — show them why.

What are your goals for privacy in your Saas? If they are just to tick off the boxes on a compliance checklist, that’s definitely something you can do — but is that the best solution? 

Ultimately, what will get you further? A quick-and-dirty compliance plan that you have to scramble to change each time regulations shift? Or a thoughtful long-term strategy that focuses on nurturing customer trust and growing your business through privacy practices?

Software as a service is an essential part of business operations, but just because it offers value doesn’t mean that you should take a shortcut with privacy practices. Starting with these basics, you can achieve your goals and exceed everyone’s expectations for privacy standards.