Woman having a private conversation with a child
Marketing Marketing Technology

Customer Information and Private Matters: How to Talk About Your Customers’ Sensitive Data

6 Minute Read

I don’t typically look forward to conversations about customer information and consumer privacy at work—not because I dislike the topic but rather because of the insane amount of acronyms there are to keep track of.

When I started out in email marketing, I remember reading through pages of CAN-SPAM documentation on my second day of the job (and then reliving that exhilarating experience again this past year with the release of CASL). Today, marketers are steeling themselves against the soon-to-be enforced GDPR and its wide-reaching implications for marketing practices. And all of this is in addition to industry-specific information acts like HIPAA for healthcare marketers, FERPA for education marketers, and FCRA for financial services marketers.

It’s a bit of an alphabet soup, but one that marketers must keep track of if they don’t want to face serious legal consequences.

Meanwhile, on the opposite side of the conversation, marketers have to contend with audiences that can range from apathetic to full-on paranoid when it comes to data tracking and customer information. Who can blame them? Web users push around tons of digital information every day, and unless you have a strong technical background, it’s likely that you don’t know much about what is actually happening to your data.

Marketers exist at the center of this push–pull dynamic, working to comply with laws, alleviate customer concerns, and somehow collect data that enables them to tell better stories. But while there are a hundred-and-one resources about how to better comply with regulation, there seems to be a lack of conversation around how we speak to our audiences about data and privacy.

Is it possible for brands to share their data practices in a way that informs and reassures their audience?

Closeup of a vault lock and knob

Image attribution: Leeroy

Four Foundations for Talking About Data

The scope of this challenge for marketers may be wider than we want to admit. Just two years ago, more Americans reported being worried about their data security than losing income. This sentiment has only expanded in more recent time, with Gigya (now part of SAP) reporting that 69 percent of Americans and British consumers express concerns over data security with Internet of Things devices and 68 percent don’t trust brands to appropriately use their personal data.

Let that sink in: 68 percent of the audience doesn’t trust your brand to handle their data appropriately.

These are sentiments we see mirrored in response articles when large brands like Apple release privacy updates or in the detailed analyses that crop up whenever popular software products update their terms of use. There’s a huge gap that marketers have to cross to earn trust from their audiences where their data is involved.

Some data collection and treatment best practices can help. The Department of Homeland Security actually released an excellent guide to privacy compliance auditing that lays a nice foundation for marketers. If your brand isn’t hitting these four points in some way, it’s likely your ability to communicate with your audience is going to be hamstrung from the start.


Let your audience know when you’re collecting data. For many use cases, marketers already do this—if your user is filling out a form on your site, it’s assumed they understand you’re collecting this information. But this becomes a fuzzier matter with regard to information that is collected automatically like web-session data or cookies. A good rule of thumb is if the data collected can individualize a person’s information (even if not identifiably), then you should provide some kind of notice or access to notice.


Email marketers are well aware of the idea of opt-in and opt-out management, but in the broader marketing data landscape, it can become a little more complex. Opt-in, at the very least, can be easily achieved again with situations where a user is actually providing their info—just throw up a correctly worded checkbox or two and you’re covered. But consider also providing means of opting out of some data collection.


Give access to your users to see what data you have on them. Like notice, this primarily applies in cases where user data can be used to single out a user or affects the user’s experience with your brand. Facebook, for instance, offers users a way to read through their ad targeting attributes and erase them at will.


This is by far the most catch-all category of the four, but simply put you should make an effort to secure your customer data, explain in plain terms how your users’ data is secured, and in the event of a breach, immediately and continuously communicate with your customers.

Close up of a pile of antique keys

Image attribution: Leeroy

The Good and the Bad

But what does it actually look like when a brand communicates with their users about data in creatively good (and bad) ways?

One of my favorite examples of good data communication sounds like it comes straight out of a Cold War spy novel. Social site and aggregator Reddit might have one of the highest concentrated audiences of Terms of Use readers. With each new release of the company’s legal documentation, a whole slew of armchair consumer-privacy legal analysts pour out of the digital woodwork to see how one of their favorite sites might be changing their experience.

Included in their agreement documentation, Reddit provided their community with a warrant canary: a special clause that basically says, “As of this date, we haven’t been asked to secretly hand over any user data as part of a surveillance effort.” The importance of a warrant canary doesn’t come with its inclusion in a privacy statement; rather it becomes important when it pointedly disappears, like it did for Reddit in March of 2016. This was a creative way for Reddit to meet their audience—a crowdsourcing, highly fastidious (even to a fault) group of readers—on a hard data topic that they weren’t legally allowed to talk about.

This is an extreme case (your brand probably doesn’t need a canary statement), but it illustrates a powerful example of how to take a frightening and technical conversation and turn it into a way to build brand trust.

Privacy and surveillance

Image attribution: Arvin Febry

The Equifax data breach last year, conversely, provides a textbook study in how not to handle customer data concerns—from not notifying customers immediately to trying to cover their legal bases with misleading content (this was reversed after much public outcry) to eventually revealing that data outside the scope of what customers knew was being tracked had also been compromised.

It was a big, ugly mess for Equifax, and one that marketers should learn from. Trying to sequester information in the event of a failure doesn’t only harm your customers’ trust, it also extends the bad PR cycle for your brand as information trickles out over time, rather than just landing at once, giving your brand room to release content and statements over time meant to repair and heal.

All this conversation really boils down to a simple idea: Try to make topics of privacy and data more of a conversation than just a statement to your audience. It doesn’t have to dominate your content, but making it available to those who want to engage can go a long way towards earning the trust of your audience.

For more stories like this, subscribe to the Content Standard newsletter.

Subscribe to the Content Standard

Featured image attribution: London Scout

Kyle Harper is a writer, editor, and marketer who is passionate about creative projects and the industries that support them. He is a human who writes things. He also writes about things, around things, for things, and because of things. He's worked with brands like Hasbro, Spotify, Tostitos, and the Wall Street Journal, as well as a bunch of cool startups. The hardest job he's ever taken was the best man speech for his brother's wedding. No challenge is too great or too small. No word is unimportant. Behind every project is a story. What's yours?

Recommended for you