two water buffalo butting heads
PHOTO: Rod Waddington

Customer Data Platforms (CDP) have stirred up a substantial amount of confusion over the last few years as people struggle to answer what exactly a CDP does and who qualifies as a CDP vendor. Let's clear up some of that confusion. 

To start, here's a basic CDP definition: A CDP is essentially a hub designed to ingest all data from all sources related to customer marketing and branding activities. It is driven by, and generally owned by, the marketing team. It must then make that data actionable by ensuring it is constantly cleansed, standardized, matched and linked together in a way that makes it easily consumable by other parts of the marketing stack. This includes reporting/BI, analytics and modeling, and message orchestration across inbound and outbound channels and media.

However, when some companies began to include analytics and message orchestration that lines became blurred and the CDP definition morphed. Then, more and more companies with roots in data management platforms (DMP), tag management, cross-device tracking, cookie pooling and even bid sniffing — participating in real-time bidding auctions and then collecting data and information on devices over time whether they won the bid or not — entered the CDP game. These companies were essentially blurring the definition to shout that they, too, were a CDP.

GDPR Adds to the CDP Confusion

To further add to the uncertainty, all of this happened in tandem with GDPR preparation. 

The thought of a platform ingesting “all data from all sources” made marketers wary that a CDP could make them susceptible to a data leakage or non-compliance. Now, with GDPR in effect, confusion still lingers, and people are asking whether the CDP has a role in a GDPR-centered world. While it’s a fair question, it isn’t hard to answer.

The answer is yes. Marketers can use a CDP and still be GDPR-compliant. While concerns have emerged about “data leakage,” it is not something that should be pinned on CDPs. “Data leakage” is essentially a euphemistic term used by the industry to describe companies who should ideally admit: “We can’t keep track of all the different kinds of first party (and other) data, who saw it, who kept it, who is using it and what they are using it for.” 

In general, data leakage has never occurred from the third to first party direction, but always from first to third, where personal details about people and the devices they used have been broadcast on real-time personalization platforms (parallel header bidding) or shared selectively (waterfall bidding). The CDP's immediate ancestor, the marketing database, was always seriously engaged in opt in/out tracking and data lineage. The first regulation of customer choice was in the direct mail and email channels. It’s therefore been a natural progression for the new channels to the CDP architecture.

Related Article: How GDPR and AI Turned Unified Data Into a Business Imperative

Are CDPs and GDPR at Odds?

Oftentimes, data leakages stem from a lack of privacy thought (in the context of GDPR or device behavior in general) in the current processes used for display bidding, to ensure all recipients of the information are properly accounting for its usage and opt-in status, as GDPR requires. Yet some still suggest that the core strength of a CDP — that is, the merging of first, second and third party data into a single marketing-owned repository — isn’t advisable under GDPR because of the new strict lineage tracking and opt-in tracking requirements. The argument goes that this is too risky, particularly for those in the second and third party management business.

However, the reason the path of leakage has never been from third to first party is because a proper CDP always knows the source of the information coming in and the source is discrete and well-understood, whether first, second or third party data. Schema-on-read is an invitation to privacy mischief.

Thus, the GDPR has zero effect on CDP functionality. If done correctly — and it must be done correctly in order to comply — each party in the chain of personal information must themselves comply with GDPR data lineage and tracking requirements. That compliance information must be provided as preference sets and stored with appropriate metadata to know the who, what, when characteristics of each choice. In my view, it should even be provided to the CDP, as the true hub of customer information and customer/device state and status. Therefore, if each provider of information to the CDP is itself GDPR compliant, the CDP remains compliant in its work.

A good CDP will also support some form of customer-specific master data management so that it can respond to requests for all information — dates, times, channels, opt in/out sequences — held by a company about its customers. Many of us in the data business understand this can be an even more onerous task than the also-difficult “right to be forgotten,” but it’s something a CDP can accomplish.

So, any company looking to name its solution a CDP must be sure it’s in compliance and able to link all sources and data together. Otherwise, it's failing to deliver what true CDPs offer: fulfilling the “anonymous” and “known” at the same time and being able to reveal this information on demand.

Related Article: Customer Data Platforms: The Truth Beyond the Hype