Picture this nightmare scenario: It’s the closing weeks of a tight race in California. Polls show your candidate with a narrow lead in the homestretch.
Then in a modern day “October surprise,” your campaign email list of donors and supporters is leaked. A hacker spams that list with endless emails and texts launching salacious attacks against your candidate. Thousands of fraudulent transactions are made against your donors’ credit cards.
The press and your opponent have a field day with this massive breach, especially when they learn that all this data was easily findable in a non-password-protected Google Doc. If your candidate can’t protect the privacy of their supporters’ personal data, how can we trust them to protect millions of their constituents?
A few days later, your candidate loses the race in a squeaker. Then, to add insult to injury, your political consulting firm finds itself facing a $50 million class action lawsuit from the 100,000 supporters whose personal data was breached.
Especially in the wake of the hacking of Hillary Clinton’s campaign, this is not a far-fetched scenario.
So why is no one in political consulting talking about privacy? Because most political consultants are misreading public sentiment on privacy — and because they don’t think new privacy regulations apply to them.
Privacy is a huge issue for Americans. A recent Consumer Reports study showed that three out of four consumers are concerned about the privacy of their online data, and a whopping 96 percent of Americans believe more must be done to ensure that companies protect their privacy.
I’ve seen the same sentiment in my own research: Consumers consistently rank privacy as a very important issue (~8.5 on a 10 point scale) — and they increasingly want to take back control of their personal data.
Now regulation is catching up with consumer sentiment: The EU launched the landmark General Data Protection Regulation (GDPR) in 2018. California passed its own consumer privacy law (CCPA) in 2019. This year, Virginia and Colorado followed suit — and dozens more states, as well as Congress, are considering their own privacy legislation.
When it comes to the law, there’s certainly a long history of political campaigns and government entities exempting themselves from this kind of regulation. Take the CAN-SPAM Act, which was passed to reduce the flood of spam emails crowding people’s inboxes. That law expressly regulates commercial email, but exempts non-commercial email from non-profits and political campaigns.
But when you look at California’s privacy law, here’s why political consultants should stand up and pay attention: According to the California Attorney General’s office, “the CCPA applies to for-profit businesses that do business in California and… buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.”
Under that provision, virtually any consultant handling personal data in a California political campaign — or advising any California non-profit or advocacy group — could be liable for negligence in a data breach, with penalties ranging from $100-$750 per consumer affected. As more states pass similar laws, that same privacy risk will extend nationwide.
Furthermore, consumers don’t distinguish between commercial and non-commercial data privacy. Privacy means being able to decide, for yourself, what information you want to disclose to which people and entities, across the board. It doesn’t matter whether that’s a business, a neighbor, a government agency, a political campaign, or a non-profit organization. A leak is a leak. A breach is a breach. And the reputation risk to whatever entity violates consumer privacy rights can be severe.
So whether it’s the economic risk to your own firm, the reputation risk to you and your clients, or — let’s face it — just doing the right thing to respect the long overdue privacy rights that Americans are now demanding, it’s time for political consultants to take privacy seriously.
What does that mean? Here are a few recommendations to start:
- Rigorously restrict access to personal data. Only the small number of people who need to actually see or edit personal data should have access to it. Review the access list frequently; delete access for people who no longer need it.
- Carefully secure personal data. Don’t upload personal data to shared documents in the cloud. Keep it all in a database with strong security and rigorous access control. If you need to transfer data, don’t email it — use a secure file transfer service like Sharefile or Tresorit.
- Minimize the data you collect and store. Yes, you need to collect name, address, email, and phone number in your database, but you don’t need Social Security and credit card numbers. Don’t add to your risk exposure by collecting data you don’t need. Additionally, make monthly sweeps of your computer to delete any stray files of personal data you — or your staff members — may have downloaded.
By documenting your approach to privacy, clearly communicating your expectations to staff and partners, and taking reasonable steps to protect the personal data of donors and supporters you have access to, you can significantly reduce the legal exposure you face under new privacy regulation.
It’s time for the political industry to start taking privacy seriously. The reputation and economic risks are too great to ignore any longer.
Brent Blackaby is a co-founder of Confidently, a company offering a subscription service to help consumers manage their privacy and take back control of their personal data, all across the internet. Previously, Brent was a partner at Trilogy Interactive, a leading digital political agency for progressive political campaigns and public affairs.