The fines have started. $233 million for British Airways. $123 million for Marriott. And now, an eye-watering $5 billion for Facebook. After long speculation, it appears that this is the year of serious penalties, coming from enforced privacy regulations in Europe and the U.S. 

While these sums may or may not force the companies that receive them to change, they are warning signs that anyone in the marketing industry should be worried about. No one wants to be on the receiving end of such a penalty — or face the injury to a brand for being poor custodians of their customers’ data.

The combination of consent, privacy, data protection and management is a complex issue that requires an interdisciplinary approach. Too often, marketing departments are willing to let this be someone else’s problem. They don’t worry about privacy policies or consent notices, thinking the lawyers will tell them what to do. They don’t worry about the passive data aggregation on their sites, apps and digital properties, relying on IT to take care of it.

But the fact is that what data marketers collect, how they ask for permission and how they treat that data — all of that is really part of the customer experience. And while customer experience is the responsibility of every department in an enterprise, the marketing department cannot abrogate its responsibility as the cornerstone of that stewardship.

Marketing brings together many technologies to track, monitor and monetize prospects and customers: from marketing automation and web analytics, to personalization engines, optimization tools, CRMs and more. Marketers have a responsibility to pay attention to the design, operation and maintenance of these tools, and the experiences they power and provide. They must be the ones to ensure that, from the beginning to the end, their customers’ privacy, consent and data are treated with respect.

There are so many different ways that marketing tools can interact with others that a full treatise on each one would be too long for this space. But, since this is CMSWire, I’d like to focus on how your choice of a CMS (and your choices on how to use your CMS) can affect your privacy and data experience.

Platform Security

A baseline element of your ability to safeguard your customers’ data is the security of the underlying platform. It’s impossible for a marketer to evaluate the security of the code they’re running, but you can look for third-party certifications. These certifications give you the confidence that your selected CMS vendor has been properly vetted — not just their software, but their people and processes, too.

Some key certifications to look for:

  • SOC2: Managed by the AICPA, this certification evaluates the organization’s systems for security, availability, processing integrity and confidentiality. It gives you confidence that the CMS vendor has the right operational controls to safeguard your data and your customers’ data.
  • ISAE 3042: Evaluates the internal controls of an organization to ensure it complies with data retention, processing and management regulations.
  • FISMA or NIST-800: The standard of the US Federal Government on the data and system security measures required by third-party contractors. Evaluates the computer system inventory, risk management, security plans and controls.
  • EU-US and Swiss-US Privacy Shields: Requires the organization to put the correct measures in place to properly move data between the US and Europe while complying with laws, regulations and keeping data safe.

Cloud-Native/No Upgrades

Part of taking data security and privacy seriously is keeping software completely up to date at all times. Organizations need to apply security patches and fixes as quickly as possible. Unfortunately, most CMSs today call themselves “cloud” but are actually traditional on-premises software installed on cloud-based servers from Microsoft Azure, Google Cloud or Amazon Web Services. So, not true cloud. 

Look for CMS providers that are truly cloud-native and can ensure updates and upgrades are applied seamlessly and transparently across all clients. If there’s a security patch that needs to be released immediately, updates happen for all users at the same time. Having to grind all operations to a halt or pull your website down to make an unplanned security patch is not welcome in anyone’s day. 

For a marketer, it may be hard to tell the difference between a true cloud product and legacy on-premises software installed in the cloud. To find out, ask your vendor or supporting agency questions like:

  • How quickly can we install security updates and patches?
  • Will we experience downtime while the patch is installed?
  • Which organization is responsible for data security issues? You? The software vendor? The implementation agency?

Data Aggregation

One of the key issues with management of data privacy and security is having control of the data you collect. Marketers have become too used to gobbling up all the data and tracking information available on prospects, visitors and customers to fuel analytics and personalization engines. Keep in mind that you are responsible for every piece of data you collect, including tracking information — and the more you collect, the greater the burden.

Make sure that if your CMS has a data aggregation process or tracking database, you’re in control of what data goes into that database, you can expunge it easily, and the data collection process is compatible with the GDPR. Also think ahead about other possible regulations you might need to operate under in the future, such as the CCPA and NY Privacy Act, and plan how you will become compliant.


While all of the above issues are critical when evaluating or managing a CMS, customer experience professionals should keep one further privacy fundamental in mind at all times: the quality of the digital experience on your websites, apps and other channels.

Look for a CMS that (while retaining the workflow, governance and operational controls you expect from an enterprise-grade tool) lets you execute with maximum agility and flexibility. You need to be able to tune, change and update your visuals, designs and experiences to keep up with customer expectations and respond to data collection issues.

You’re looking for CMS tools that let front-end developers and designers operate independently of the back-end systems so you can rapidly develop and deploy new experiences as needed. You’ll also want a tool that can deliver final HTML to any device so you can get to your customers wherever they are with a consistent brand experience, including those around consent.

Headless Consent

Not only is it critical to treat the data you’re collecting responsibly, you also need to find ways to get that data in the first place. With the GDPR, CCPA, NY Privacy Act and other legislation either in place or being developed, businesses will face increasing pressure to capture consent to data collection or to dissuade users from opting out of it. We are also seeing the continued rise of ad-blocking software that pulls users out of your tracking, measurement, ad-tech and martech tools.

The answer is ultimately to move privacy consent requests and management under the customer experience umbrella. Look for tools that:

  • Allow you to create consistent, on-brand messages and requests.
  • Enable headless consent so you can request and manage consent across every device.
  • Factor in progressive consent so you can request additional consent and tracking information as you develop a relationship with the user.
  • Maximize affirmative consent via A/B testing so you can find the requests, language and design that work.
  • Personalize consent so you can deliver the right message to the right segment at the right time.
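As an added illustration (not code from this article or from any CMS vendor), the following minimal consent-gated tracking store shows in Python the properties the Data Aggregation and Headless Consent sections above ask for: consent scoped by purpose and keyed to the user rather than the device, so a grant captured on the web covers the app; progressive grants for new purposes; withdrawal that also purges what was collected under that purpose; and erasure on request. User ids, purpose names and channel labels are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timezone


class ConsentRequired(Exception):
    """Raised when an event arrives for a purpose the user has not consented to."""


class ConsentStore:
    def __init__(self):
        self._consents = defaultdict(set)   # user_id -> purposes currently granted
        self.events = defaultdict(list)     # user_id -> tracking events actually retained
        self.audit = []                     # append-only proof of every consent change

    def _log(self, user_id, action, purpose, channel):
        self.audit.append({"user": user_id, "action": action, "purpose": purpose,
                           "channel": channel, "at": datetime.now(timezone.utc).isoformat()})

    def grant(self, user_id, purpose, channel):
        """Affirmative opt-in; called again later for new purposes (progressive consent)."""
        self._consents[user_id].add(purpose)
        self._log(user_id, "grant", purpose, channel)

    def withdraw(self, user_id, purpose, channel):
        """Withdrawal purges data already collected under that purpose, not just future events."""
        self._consents[user_id].discard(purpose)
        self.events[user_id] = [e for e in self.events[user_id] if e["purpose"] != purpose]
        self._log(user_id, "withdraw", purpose, channel)

    def record(self, user_id, purpose, channel, payload):
        """Keep a tracking event only if this purpose was consented to, on any channel."""
        if purpose not in self._consents[user_id]:
            raise ConsentRequired(f"{user_id} has not consented to {purpose!r}")
        self.events[user_id].append({"purpose": purpose, "channel": channel, "payload": payload})

    def erase(self, user_id):
        """Right to erasure: drop events and consents; log only the fact that erasure happened."""
        removed = len(self.events.pop(user_id, []))
        self._consents.pop(user_id, None)
        self._log(user_id, "erase", None, None)
        return removed


def demo():
    """Constructed walk-through: web consent covers the app; personalization waits for opt-in."""
    store = ConsentStore()
    store.grant("u1", "analytics", channel="web")                      # sample user, sample purpose
    store.record("u1", "analytics", channel="ios-app", payload={"page": "/pricing"})
    store.grant("u1", "personalization", channel="ios-app")            # progressive consent
    store.record("u1", "personalization", channel="web", payload={"segment": "smb"})
    return store
```

Calling record() for a purpose the user has not granted raises ConsentRequired and stores nothing, which is the behaviour a CMS tracking database should have by default.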

Integrate Data Security With Customer Experience Design

Organizations that don’t take an interdisciplinary approach to privacy, consent and data security leave themselves at a disadvantage in the market. Those that integrate these issues into their customer experience design and their digital experience footprint will find they gain more trust, more consent and leave less opportunity for data breaches. Thoughtful design, collecting just the data that’s needed to do your job, and prioritizing the needs of your users and customers will yield growth dividends. Ensuring you understand how to select the best tools to support your privacy strategy will allow you to reap the benefits — and not the penalties.
