Here we go again. Another data privacy law. After having just poured countless hours and resources into getting GDPR ready, your compliance team is now asking you to prepare for the California Consumer Privacy Act (CCPA). And once you’re done with that, you’ll probably need to start preparing for the upcoming ePrivacy Regulation in the EU. Privacy laws are seemingly popping up everywhere. When will it end?

The truth is, it won’t. Because what’s missing in all of this focus on privacy legislation is what’s happening in the market. Consumers are expecting more privacy online, not less. And can you blame them? We’re only a few months into the year and we’ve already seen record levels of data breaches online. It’s no wonder that, according to a PwC study, only 12% of consumers say they trust companies more today than they did last year. Add in the high-profile data privacy cases like Facebook and Cambridge Analytica and the growing concern around data collection and tracking online. No wonder regulators across the globe are looking to clamp down on data privacy violations.

But in all of this madness lies opportunity. Because the smartest marketers and brands will look at all this and uncover the truth: what’s happening isn’t a sharp INCREASE in data privacy laws; it’s a sharp DECREASE in consumer trust. And trust, like any asset, can be measured, grown, and yes, can even help your bottom line.

The Risk Spectrum

As you start to identify your approach to data privacy laws, you’ll likely reach a better understanding of the tolerance for risk your organization has. Heavily regulated industries like finance and healthcare usually find their legal and compliance teams hold a significant amount of power, resulting in a very low risk tolerance. 

What that means is that laws like GDPR, CCPA and others, when interpreted strictly, can massively disrupt the “business as usual” approach.

We plotted this out to illustrate the relationship of “risk tolerance” to “business impact” as it relates to data privacy laws.



[Figure: privacy UX risk tolerance]

What we see is that organizations with a low tolerance for risk — such as healthcare — will usually experience a high, and negative, business impact as major data privacy laws come into effect. Anyone who’s gone through the process of getting GDPR ready and taken the strictest definition of the law has probably already experienced this.

Don’t believe me? Count how many businesses have either shut down operations entirely or ceased doing business in Europe as a result. Of course, neither of those approaches is necessary, or even appropriate, to comply with even the strictest interpretation of the law, but hopefully you see the point.


'Let’s Wait and See'

A large portion of the market will take a “high risk, low impact” approach to new data privacy laws. We also call this “wait and see,” wherein they make minimal changes to the business and bet on a lack of regulatory activity. The resultant impact to the business is minimal but their risk of non-compliance is high. GDPR, CCPA, LGPD, and other similar data privacy laws were meant to disrupt data-collection practices across the web, so taking a “business as usual” mentality is a gamble.

Nonetheless, until regulatory activity, case law, fines and decisions are handed out, this will remain a preferable option to the alternative.


Business as Usual Will Never Be the Same

But once that regulatory activity begins, you may find your legal and compliance team starts to reconsider their original stance on CCPA/GDPR readiness. Changing your approach will likely force you down the curve towards a lower tolerance of risk. But with that comes a higher likelihood of business impact. For example, perhaps your legal team is now asking you to start getting consent BEFORE you drop cookies on the user’s browser where before you'd relied on “implied consent.” The move towards the stricter definition will likely result in some friction from your marketing teams as they view this as a potential for losing valuable customer data and tracking. But your legal teams realize that business as usual's days are numbered.

So how do you meet this stricter approach, while still optimizing your marketing data collection and processing?


Introducing Privacy User Experience

Privacy User Experience, or Privacy UX, is about taking best practices from the field of user experience and human-centered design and applying them to data collection and privacy interactions. Once you start looking for ways to optimize your opt-ins or reduce the bounce rates that have increased due to your consent experience, you’re already starting to think about Privacy UX.

As a business's tolerance for risk shifts towards a more conservative approach, you’ll find yourself pressed for ways to minimize the business impact.

[Figure: privacy UX risk tolerance]

Privacy UX encourages users to “opt-in” to marketing and increases the value of your data. How does it do this?

  1. Highlight the value exchange: Consumers are more than willing to share their data or consent to cookies when they trust and value the relationship with the brand and understand the benefit. Imagine the customer asking “what do I get out of this?” when confronted with a choice. If you’re not clear in your language or experience, expect them to opt-out (or never opt-in).
  2. Be human: Nothing turns users away like reading the words “we care about your privacy.” Why? Because that’s what everyone says, including the most egregious violators of data privacy rights on the web. It’s a meaningless term and certainly doesn’t sound like something your brand would say, so why say it? Review the copy and text you’re presenting in your consent experience and privacy policy and ensure that it matches your voice and brand. People are more likely to trust it was written by a human, and actually represents your values, when it sounds like something your company would say. And with that trust, they’re less likely to opt-out or withdraw consent for tracking.
  3. Be on brand: Just like “be human,” your users can tell the difference between an experience designed by your agency and one designed by your privacy officer. If you’re looking for users to opt-in, they have to trust you’ve taken the time to explain and outline the exchange of data collection in a way that matches your brand design. Your marketing team likely stresses about every pixel and font size on your site in an effort to present the best experience possible, only to be told to drop an unsightly grey banner at the bottom of the homepage. If you’re looking for customers to opt-in, show them that you took more than 30 minutes in designing the experience and make it match your brand. Consider the standard “grey banner” as the design equivalent of “we care about your privacy.”
  4. Use privacy as a differentiator: Apple is using privacy as a way to differentiate itself from its competition. It's capitalizing on a lack of trust in the tech space and recognizing the value of creating trusted experiences with its customers. You’ll likely see others follow suit as more focus is given towards consumer mistrust and sentiment around data collection. Use it to your advantage.

Great user experiences provide value and can drive your business growth. A good user experience can be the difference between a shopper and a passerby on your site. And as data privacy laws like CCPA and GDPR increase the value of personal data, you should look for ways to earn consumer trust and personal data by creating the types of experience that establish credibility and faith from your customers.

