The rapid growth in the amount of data collected and used by businesses has spawned laws to protect the use and possession of that data. To learn more about how these issues affect equipment finance companies, Newsline interviewed Jacklynn Manning, CLFP, Vice President of Marketing for Amur Equipment Finance, and Robert S. Cohen, Esq., Partner at Moritt Hock & Hamroff LLP.

 

More than ever before, marketing is driven by collecting data to make business decisions and develop strategies based on that information. Many companies are gathering information at an alarming rate, and without regard to their actual needs or the potential downside to possessing it. New privacy laws are creating more responsibility for those in possession of “protected information,” the definition of which continues to evolve and broaden. NEFA Newsline spoke with two thought leaders on data privacy — Jacklynn Manning of Amur Equipment Finance and Bob Cohen of Moritt Hock and Hamroff LLP — about the collection and storage of protected information and, if used for marketing or other purposes, when it may trigger your legal obligations. 

 

Newsline: Jacklynn, can you please describe the types of marketing information companies are collecting in the equipment leasing and finance industry and the manner in which they are collecting that information?

Jacklynn Manning: Today, we are collecting data at an increasingly fast rate. Businesses are gathering personal identification information, including name, date of birth, address, Social Security number, driver’s license number, home phone numbers, personal cell phone numbers and email addresses. When someone visits a website, servers may automatically collect their IP address, the name of the domain they used to access the Internet, the link that brought them to that website and any links clicked within the website. Some popular thirdparty marketing tools can also collect information that may include browser type and operating system, IP address and general geographic location, the date and time of the visit, the content viewed on the website and website features accessed. The equipment leasing and finance industry collects additional information, including business and financial structure and history, past business transactions, ownership information, vendor information, broker information, guarantor information, financial statements, and credit explanations and credit histories. We also collect bank account statements and bank account details. Various types of personal and business data are being collected in several ways — from cookies on a website, filling out a form on a landing page, signing up for a newsletter or to obtain quote estimates, completing applications for financing, or simply leaving reviews on a company’s social media pages. Regardless of the way you are collecting customer data, you need to focus on three items: first, know exactly what type of data is being collected; second, understand how to analyze the data; and, finally, know how to safeguard the data.

Newsline: With social media playing such a large role in our personal and professional lives, what type of information is being collected through our interactions on social channels?

Manning: Social media is one of the most important aspects of digital marketing for businesses and a deeply embedded part of our culture. Social media channels show how users share, view or engage with a company’s content or profile. These numbers, percentages and statistics provide actionable insights that can help with your social media strategy. You can monitor social media or review sites and collect information posted in comments or reviews. When you post information on social media pages owned or controlled by a company, that company may collect information about the activities on those pages, including whether you visited or commented on the page and/ or provided a rating or review.

Newsline: Bob, does the collection of this data create any legal obligations on behalf of the company collecting it?

Bob Cohen: Yes. For at least a decade, privacy laws have been evolving and broadening the definition of protected information. Initially, it was what you would expect: dates of birth, Social Security numbers, credit card numbers, bank account information, etc. Now, depending upon the law that applies to a particular situation (for example, the California Consumer Privacy Act, General Data Protection Regulation, and/ or SHIELD Act), protected information may be defined as broadly as any information that can be associated with an individual. Although the ambiguity of these definitions has not yet been reduced to provide more guidance, on its face such a definition could include an address, an email address, a phone number and many other items. Literally, anything that would be set forth on a traditional business card would likely fit into that definition. Making matters worse is that there isn’t one uniform law. Many states have created, and many more states are in the process of enacting, their own privacy laws. A company collecting data is generally responsible to comply with applicable federal laws, the laws of the state in which the person providing the data resides, and, likely, the laws of the state in which the collecting company is located. This can make compliance a very tricky and cumbersome issue. Generally, if the data being collected is protected information, at minimum, reasonable safeguards must be taken by the recipient to protect it from unauthorized access. Although most people think of unauthorized access as a malicious third-party “hacker,” unauthorized access may also include simple human error — such as leaving an unprotected laptop in a taxi or an unencrypted flash drive on a table in a coffee shop 

Newsline: Jacklynn, are these laws impacting the type of data that companies are collecting?

Manning: No, I don’t believe they are impacting the type of data we collect, but these laws do impact how we collect it, store it, protect it and access it.

Newsline: Bob, assuming a company takes appropriate steps to safeguard this “protected information,” is it then free to use it as it wishes?

Cohen: Absolutely not: The current laws also regulate the use of protected information. A company cannot utilize any collected information for purposes not provided for in its privacy policy. Companies are required to create and disseminate a privacy policy, which provides notice to the individual about the information it is gathering and how it will use that information. Any deviation from that policy will require the consent and/or additional notice to the provider of that information, and without it, you run the risk of violating a law.

Newsline: So, what are the takeaways?

Manning: We are at the center of a paradigm shift, a data explosion, an AI revolution, a content renaissance. This shift represents a complete digital transformation, and everyone, especially marketers, must be both data proficient and compliant. The handling of data is an increasingly hot topic, and businesses dealing with data — for commercial reasons or otherwise — have a legal and moral responsibility to safeguard it.

Cohen: Take steps now to understand the data you are collecting and how to use it. Have an attorney familiar with privacy compliance review with you the laws that are applicable to that information and your intended use of that information. While there are numerous laws that may apply, their requirements may be similar. This will allow you to adapt your business practices to the broadest level of compliance, which should also be properly disclosed within your privacy policy. Finally, be careful in how you handle data: The laws in this area are evolving regularly and therefore should be monitored on a regular basis.

 

Read Full Article Here