How a Customer Data Platform helps you to be compliant with data protection legislation


Author:

Anthony Botibol
Head of Marketing 
Relay42

When it comes to data protection, a storm has long been brewing. First came worries about Alexa eavesdropping in people’s homes and recording conversations (in November 2018 a New Hampshire judge ruled that audio captured in the home of a murder victim could be used as evidence in court). Then the Cambridge Analytica-Facebook scandal broke, with data harvested from people’s Facebook accounts being used to drive political advertising, potentially affecting the U.S. election result. GDPR came into force in Europe on 25th May 2018, and the California Consumer Privacy Act became effective in that state on 1st January 2020. Fast forward to today, and Google is removing the use of third-party cookies to track users across websites without their consent, following the example of other major browsers from Apple and Mozilla. Google is starting to require more consent from data controllers and intermediate data processors, Facebook is making changes specifically for EU citizens, and even email open and link tracking has been affected, with iOS updates continually restricting how users are analysed on that channel too.

Data privacy guidelines will not stop here either, with Gartner stating that up to 75% of the world’s population will be covered by modern privacy laws by the end of 2024. Furthermore, regulators are finally showing their muscle and enforcing penalties for breaches of privacy legislation or data processing, for example the €746 million fine for Amazon in 2021 by EU regulators, a €1.2 billion fine for Meta from Ireland in 2023, and multiple other fines for Google, Facebook, TikTok etc. It’s not just the tech juggernauts either as seen with the 2020 fines for Marriott International and British Airways (€20.5 million and €22 million respectively). (Fines data taken from www.enforcementtracker.com)

Despite this, marketers are increasingly using data to improve their campaign audience segmentation and targeting, but they need to move away from third-party cookies and from any data that lacks the explicit consent required to use it for marketing and advertising purposes. (Any EU brands still relying on ‘legitimate interest’ as a get-out clause should be reorganising their data processing strategies now!) While more stringent data privacy demands are creating some headaches for marketers and businesses as a whole, there is still optimism from CMOs, as seen in our 2023 ‘Rethinking Digital Marketing in a Post Cookie Era’ report, that a new privacy-centric world that correctly balances privacy with personalisation can be a positive step forward for the industry.

So, how can businesses navigate the fine line between gathering enough information about customers to engage them personally and risking a data breach or loss of reputation by collecting too much? A Customer Data Platform (CDP) like Relay42 can deliver the best of both worlds by helping marketers to create a unified customer record with all the required consent that will allow them to monetize data, whilst respecting customer preferences and making it easier to adhere to current and future data regulations. Furthermore, with real-time AdTech activation it can enable brands to use their first-party data to power their acquisition and advertising strategies without any reliance on third-party cookies. While the overall reach at the top of the purchase funnel will undoubtedly decline, through better collection and use of first-party data brands can start to make the entire marketing funnel more efficient and achieve the same or similar amount of conversions in the long run. The first step of compliance however is understanding the laws.

What is the GDPR?

The General Data Protection Regulation (GDPR) protects the data of EU citizens, regardless of where it’s processed. The law requires companies to have regulations in place to safeguard customers’ private information and demands that they keep flawless records of how data is used and who it is shared with. Declaring data breaches is mandatory and when it comes to consent, the consumer must explicitly ‘opt in’ to specified use, rather than unticking a box to ‘opt out’.

The six legal bases for processing personal data are consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement and a public interest. So, before you begin to stockpile any sort of Personally Identifiable Information (PII), consider whether you can justify it on one of these grounds. The other significant aspect of the law is that data subjects have the right to see what data is being held on them, ask for it to be transferred, object to its processing, or request that it be deleted altogether. Failure to abide by the law can lead to a hefty fine of up to €20m or 4% of global annual turnover. And as seen earlier in this blog, hefty fines are being issued every year where brands are found not to be adhering to the rules.

What is the CCPA?

The California Consumer Privacy Act (CCPA) applies to companies doing business in the state of California that have an annual revenue over $25m, receive information on over 50k consumers, households or devices annually, or gain at least half their income from selling personal information. There is no obligation to gain consent before collecting data (except with children under 16), but consumers have a right to know what information is being collected and stored and how that data is being used or shared. They can also ask for it to be deleted or ban its sale altogether.

Crucially, consumers can personally sue companies that fail to comply with the CCPA guidelines, even where no breach has occurred. This means that organizations who collect, store, analyze and use Californian citizen data must do so with care, or risk being hit with a large penalty. If a breach occurs, not only will the company be fined $2,500 if it was accidental, or $7,500 if it was deliberate, but each affected consumer can claim damages of $100-$750 per instance, or actual financial damages, whichever is the greater. Similar laws are being considered across many US states.

How can a Customer Data Platform help with data compliance?

Staying compliant in the evolving world of data privacy laws can feel like an overwhelming task, particularly for multi-national brands that need to adhere to standards across regions, but this is where a CDP can pay dividends. By its very nature a CDP unifies first-party data from multiple sources, including a brand’s website, CRM, apps, social media, POS and loyalty schemes. It then removes duplicates and structures the data in a way that is easily accessible and rigorously audited. It enables all preferences, interactions and behaviors from all online and offline marketing channels (and the individual consent attached to them) to be captured and maintained in one unified database. As a result, marketers and their compliance teams have a central place from which to govern the data meticulously. The CDP essentially provides a single source of truth throughout the entire business and makes the use of data both accountable and visible.

By unifying, centralising and deduplicating all your first-party customer data from disparate silos, you can ensure that the record you are seeing is the latest, most up-to-date version of the information held. For example, if a customer decides to unsubscribe from direct mail via an email preference center or form, your CDP will store this preference and add them to a direct mail suppression list. This guarantees that they won’t be bombarded with unwanted content, not only via email but on any other channel. Similarly, there are CDPs like Relay42 which provide levels of encryption and the obfuscation of PII to ensure that personal data can only be accessed by the relevant people in the business, and which protect against consumer data being exported, transferred or lost accidentally.

A warning about Data Governance when investing in CDP solutions

This level of data governance from a CDP is one that compliance teams need to take seriously, and any business investing in a Customer Data Platform should use the opportunity to re-address its approach to data privacy and compliance. Many new ‘composable’ and ‘reverse ETL’ solutions claim to provide full CDP benefits, but they can further complicate data governance. A ‘packaged CDP’ provides one place for analysing how and when customer profiles are being used, what offers they’re receiving and how consent is being managed. These emerging solutions instead bypass some important governance requirements: they use micro-services to stream data from a Data Warehouse through APIs to marketing channels, with no central and accountable tool from which to govern and answer essential compliance questions.

Use of PII and upholding the rights of your consumers

Another compelling reason to invest in a unified, persistent database is the right to be forgotten and the obligation to fulfil Subject Access Requests, potentially for a large number of people at very little notice in the event of a breach. With both GDPR and the CCPA, just 30 days is allowed for companies to compile and produce all data held on an individual. The CDP means all information can be found in one location, in a structured, clean and accessible format.

Taking the issues of privacy and security one step further, Relay42 also uniquely obfuscates PII within the Customer Data Platform itself. CDPs are not CRM or contact management solutions; instead they use unique IDs and identity resolution to persist a single customer record over time. Once connected to marketing or advertising channels, and to the operational and customer service systems that require the data, those systems then use PII for the last-mile personalized message.
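The three mechanisms described above (a deduplicated first-party record that turns an unsubscribe into a cross-channel suppression list, a single structured export to answer a Subject Access Request, and a record keyed by a pseudonymous ID rather than raw PII) can be sketched in a few dozen lines. The following is an added example written for this page, not Relay42’s code or any real CDP’s API: the HMAC key, the profile ID scheme, the channel names and the sample customer data are all constructed for the demonstration.

```python
"""Added example (not Relay42 code): a minimal consent-aware unified customer
record that pseudonymizes PII, builds per-channel suppression lists, and serves
subject access and erasure requests. Key, IDs and sample data are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Assumption: in a real deployment this key lives in a KMS/HSM, never in source.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"
CHANNELS = ("email", "direct_mail", "push", "advertising")


def pseudonymize(email: str) -> str:
    """Keyed HMAC-SHA256 over a normalised e-mail address.

    Deterministic, so the same person resolves to the same record regardless of
    which source (web, CRM, POS) supplied the address; not reversible without
    the key, so the stored token is not PII in the clear.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()


@dataclass
class Profile:
    profile_id: str
    # Explicit opt-in model: a channel is usable only when consent is recorded as True.
    consent: dict = field(default_factory=dict)
    # Audit trail of every consent change: (source, channel, granted).
    history: list = field(default_factory=list)


class UnifiedCustomerStore:
    def __init__(self) -> None:
        self._profiles = {}   # profile_id -> Profile
        self._by_token = {}   # pseudonym token -> profile_id (no raw e-mail is stored)

    def resolve(self, email: str) -> Profile:
        """Identity resolution: one record per person, keyed by pseudonym."""
        token = pseudonymize(email)
        pid = self._by_token.get(token)
        if pid is None:
            pid = f"profile-{len(self._profiles) + 1}"
            self._by_token[token] = pid
            self._profiles[pid] = Profile(pid)
        return self._profiles[pid]

    def record_consent(self, email: str, channel: str, granted: bool, source: str) -> None:
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        profile = self.resolve(email)
        profile.consent[channel] = granted
        profile.history.append((source, channel, granted))

    def suppression_list(self, channel: str) -> set:
        """Profile IDs that must NOT be contacted on this channel (no explicit opt-in)."""
        return {pid for pid, p in self._profiles.items() if not p.consent.get(channel, False)}

    def subject_access_export(self, email: str) -> Optional[dict]:
        """Everything held on the person, as one structured payload for a SAR."""
        pid = self._by_token.get(pseudonymize(email))
        if pid is None:
            return None
        p = self._profiles[pid]
        return {"profile_id": pid, "consent": dict(p.consent), "history": list(p.history)}

    def erase(self, email: str) -> bool:
        """Right to erasure: drop both the record and the token that could re-link it."""
        pid = self._by_token.pop(pseudonymize(email), None)
        if pid is None:
            return False
        del self._profiles[pid]
        return True


def demo() -> dict:
    """Constructed scenario: one customer arrives from three sources with the
    address written three ways, then opts out of direct mail via a preference
    centre; a second customer never opts in to direct mail at all."""
    store = UnifiedCustomerStore()
    store.record_consent("Jane.Doe@Example.com", "email", True, "web-signup")
    store.record_consent("jane.doe@example.com ", "direct_mail", True, "crm-import")
    store.record_consent("JANE.DOE@example.com", "advertising", True, "pos-loyalty")
    store.record_consent("jane.doe@example.com", "direct_mail", False, "preference-centre")
    store.record_consent("other@example.com", "email", True, "web-signup")
    return {
        "profiles": len(store._profiles),                              # 2, not 4
        "direct_mail_suppressed": store.suppression_list("direct_mail"),
        "sar": store.subject_access_export("jane.doe@example.com"),
        "erased": store.erase("jane.doe@example.com"),
        "after_erase": store.subject_access_export("jane.doe@example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points carry the compliance weight. The suppression list treats absence of consent the same as a recorded refusal, which is the opt-in posture GDPR requires; and erasure removes the pseudonym token as well as the profile, so a later import of the same address starts a fresh record rather than silently re-linking to deleted history.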

Conclusion

A Customer Data Platform like Relay42 will help you to remain compliant with the laws of the regions in which you conduct business, making it less likely that you will face a hefty penalty. Across a variety of regulations the solution can apply different logic and rules based on a consumer’s location or the specific laws that govern how you can or cannot process their data. It also adds a level of assurance that you’ll be able to navigate future privacy changes. In fact, our compliance team at Relay42 regularly runs workshops with our multi-national clients to help improve their data processing and compliance strategies and to fulfil our dual obligations together as data processors and data controllers.

Although CDPs are purchased to help track and activate customer data, they simultaneously have the capacity to offer invaluable assistance with protecting that data. They can also help marketing teams to optimize the use of first-party data, making it less necessary to rely on third-party data and cookie tracking, and put more emphasis on zero- and first-party data capture. In an era where trusted companies are rewarded with repeat custom and Google has pledged to phase out third-party cookies, this capability will see the use of CDPs becoming more widespread for advertising and acquisition use cases, replacing Data Management Platforms (DMPs) and other AdTech solutions, while also maintaining adherence to ongoing and evolving regulations.

If you’d like to speak to us about how Relay42 can help to improve your compliance and data privacy strategies through our Customer Data Platform then Request a Demo and a member of the team will get back to you to arrange the best time for a call.