Clearly articulating what data is being captured, how it is being used, and who has access to it is the baseline to easing your customers’ concerns.
However, the subscription industry is in a unique position where companies are expected (and required) to go above and beyond to protect their customers’ data.
“As the [subscription] industry is growing exponentially, the FTC, the State Attorneys General, the class-action lawyers are all over it,” said Linda Goldstein, Partner & Co-Leader at BakerHostetler, during her SubSummit 2022 session. “It has actually become one of the most heavily regulated industries we have – both at the federal and the state level.”
Here are six tips to protect your subscription business while cultivating loyal, trusting customers.
Avoid Legal Jargon and Speak to Your Customers Like Humans
If you want to show your customers you care about their privacy, you need to tell them directly, not just your lawyers. Keeping the language simple and writing at an 8th-grade reading level ensures that users can understand the policy without having to consult a lawyer.
Break up your content so it is not one huge block of text; a wall of text is intimidating and off-putting for many users.
Get Clear Consent or Agreement
The days of assuming the user is granting consent just by visiting your website are over. Even if you are not specifically required to adhere to such laws, explicit consent is a good standard to follow and protects your subscription business.
- Checkout pages
- Webpage footer
- Sign-up forms
- Log-in forms
This can include changing the structure of your subscription (re-bill dates, cancellation policies, etc.) or if you introduce third-party systems or subscription bundles with other companies.
Nearly half of consumers who stay up to date on data privacy issues said they have switched companies or providers due to disagreements with a brand’s policies.
If you do share data with third parties or partners, add a section in your policy that identifies the third party, what data they collect, and what they use it for.
Using Standard Templates Without Changing Them
Using standard templates can be helpful, but it is important to customize them to your business and industry.
Templates are typically filled with long-winded legalese and general policies, and they may be missing clauses that you are required to have. Depending on the country and/or state you are doing business in, there are many required items you need to include that a standard template might not cover.
It is also important to disclose any third-party data access, and to avoid third parties altogether if possible. If you do use third parties, add a section to the policy that identifies each one, what data it collects, and what it uses the data for.
Understanding International and Local Privacy Laws
The General Data Protection Regulation (GDPR) provides several rights for individuals in the EU concerning their personal information, with the specific rights dependent on the type of data, particularly highly sensitive data.
While U.S. laws vary in detail, the rights are essentially similar to those established in the GDPR, including the rights of access, correction, portability, erasure, consent, and appeal.
In addition to these rights, the GDPR outlines specific governing principles, such as privacy or data protection by design, record-keeping, data minimization, transparency, informed consent, legitimate uses, data protection officers, best cybersecurity practices, data breach notifications, employee training, and requiring appropriate contractual language.
It is important to note that these lists are not exhaustive, as GDPR has 99 articles covering various aspects of data privacy. However, understanding these rights and legal principles can help in analyzing the rapidly changing data privacy laws in the U.S. and anticipating upcoming changes.
The following are the upcoming state data privacy statutes expected to take effect in 2023:
- The California Privacy Rights Act (CPRA) came into force, with most of its provisions, on Jan. 1, 2023. The CPRA modified the California Consumer Privacy Act (CCPA) and introduced GDPR-like individual rights. The CPRA also established a new state agency responsible for enforcing the GDPR, like the data protection agencies in EU countries.
- The Colorado Privacy Act (CPA) will take effect on July 1, 2023. In addition to providing GDPR-like individual rights, the CPA mandates data security and contract provisions for vendors, and “high-risk” processing assessments.
- The Connecticut Data Privacy Act (CDPA) will also go into effect on July 1, 2023, like Colorado’s privacy law. It also creates GDPR-like individual rights and requires data minimization, security, and assessments for “high-risk” processing.
- The Utah Consumer Privacy Act (UCPA) will become effective on Dec. 31, 2023, and includes specific GDPR-like individual rights. It also requires data security and contract provisions but does not explicitly mandate risk assessments.
- The Virginia Consumer Data Privacy Act (VCDPA) took effect on Jan. 1, 2023, and provides certain GDPR-like individual rights. However, in 2022, the “right-to-delete” was replaced with a right to opt-out from specific processing.
It is important to keep up to date on legislation being passed in the areas where you do business; this is only the beginning of states becoming stricter with data protection policies.