As every self-respecting social media guru, ninja or shaman will tell you, the first rule in any social strategy is to listen to your customers (as if that was something revolutionary…)
But as the one to many outbound communications model is complemented by one-to-one engagement, the lines between communications and customer relationship management blur. This raises some interesting legal issues about the border between public and private data.
There has been quite a lot of big money action in the sector just lately such as prominent social media monitoring company Radian6 being acquired by Salesforce.com and the founder of Goldmine, one of the best known CRM products has set up a new venture called Nimble, sitting at the interface of Social and CRM.
Giants of the CRM world such as SAP are rapidly developing a Social CRM offering and I’ve been saying for a while that this is an area where the big technology vendors may muscle out the consulting boutiques as brands wrestle with the problem of scaling social customer response and find comfort in the software platforms offered by these global players.
One of the key questions arises when you begin to wonder at what point does listening to or monitoring conversations in social channels actually become customer profiling and trigger legal constraints on data storage?
I posed some of these questions to Steve Kuncewicz, one of the leading authorities in legal issues in social media.
Steve is a lawyer specialising in intellectual property and media law at Gateleys and is the author of Legal Issues of Web 2.0 and Social Media
You can read my review of his book here.
Q: If a business uses commercial monitoring software to search not only specific mentions of its brand names but also broader intentions for example “I’m thinking of taking a cruise holiday” and stores the user’s name, can they do this without this being covered by data protection legislation?
A: The Data Protection Act applies only to personal data. “Data” is defined as information which is being processed by means of equipment that operates automatically in response to instructions given for that purpose, or is recorded with the intention that it should be processed by means of such equipment. The DPA therefore applies to automated data, such as that stored on a computer.
Q: But if I have stored a tweet from “@John101” about his desire to go on a cruise holiday, am I really storing ‘personal data’?
A: “Personal data” is data relating to living individuals who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. Personal data includes, for example: names, addresses, phone numbers, job titles.
Q: But I can’t identify @John101 from his user name alone, so how does the DPA deal with that?
A: The definition of personal data also includes expressions of opinion and any indication of the intentions of the data controller or any other person in respect of the individual concerned. Data which is anonymous will not come within this definition if the data controller does not possess and is not likely to acquire the information necessary to enable it to identify living individuals. So, tweets which identify a specific user or which can be used to identify a specific user will be “personal data” for the purposes of the Act. How much personal data is obtained in any particular harvesting exercise will depend upon the kind of reports obtained.
Q: So if I file @John101’s tweet in a system as a “Potential Customer” and take steps to contact him or find out his true identity I need to be DPA compliant even if I don’t succeed?
A: Yes. You’ll still be “processing” his data.
Q: But if I’m using a commercial monitoring package, the data is on their server, not mine.
A: All of the obligations under the DPA fall on the “data controller”. This is defined as the person who (either alone, jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed. For example, a company will be the controller of the data processed relating to its employees or customers. We can’t abrogate all risk for DPA compliance to the monitoring software supplier as the actual acquirer of the data.
Q: If I send a message to an individual in a social channel for example an @reply to someone who isn’t following am I creating a customer/prospect record?
A: The short answer is yes. Under the Privacy and Electronic Communications Regulations 2003
“a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.”
Q; Does direct marketing include helping someone with a product or customer service issue?
A: “electronic mail” means “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service; “This will include @messages and DMs. If the user in question follows a particular feed then this may be enough to show consent.
There are some exceptions. Messages can be sent where:
(a)that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;.
(b)the direct marketing is in respect of that person’s similar products and services only; and.
(c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication..
So, the best way to monitor is to only look at users who have signed up to receive further messages from the client and consented to the use of their data for further monitoring or to be sent future promotional messages.
Q: How far beyond storing a public username can they go before it becomes a data record covered by legislation? For example if they store @NigelSarbutts and then categorize me as a fan or a critic of the brand is this sufficiently unique an identifier to mean that I should be told that this information is being stored? What if the user name is very common like @JohnSmith
A: The rule of thumb is that pretty much any information you obtain from a social network which is covered by the definition of “personal data” will be caught by the DPA and the Electronic Communications regs. The only way to get around the point is to ensure that none of the data in question could be defined as “personal”. Usually most profiles will contain some reference to their owner and as such the area should be treated with extreme caution.
I have to say I’m fairly shocked at the constraints that this suggests and makes me think that a lot of businesses running engagement programmes through social channels may face some difficult questions.
The evangelist in me feels intuitively that me tweeting “I’m about to throw my (insert product name) through the window” and then being contacted by that brand to offer genuine solutions is entirely legitimate and the natural response of a brand that cares for how its customers feel about the brand.
I feel it would be a harsh verdict to identify this as spamming or conflicting with the aims of data protection legislation, but in practical terms I think it highlights the need to understand and embrace data protection legislation in the drafting of social media policies.
Many of the examples of policies I see are focussed on getting tone of voice right and protecting the company from inadvertently making claims or promises that cannot be supported. I can’t recall seeing one that anticipates an action under the DPA.
What do you think?