It's no surprise that consumers are worried about privacy. In fact, according to the Federal Trade Commission's 2017 Consumer Sentinel Network Data Book, identity theft was the second biggest category, making up nearly 14 percent of all the consumer complaints. It was behind debt collection (23 percent of all complaints).
Legislation on customer's data is finally catching up with reality and it's proving a difficult maze for marketers to traverse. Lets consider the list of areas impacting marketing data for a moment.
- California Consumer Privacy Act of 2018
- Privacy Shield
- Vermont and data brokers
- Georgia and digital privacy
- India’s data privacy framework
So how can marketers can prepare for the onslaught of consumer privacy rights legislation?
Related Article: Why the Privacy Shield Won't Make You GDPR-Compliant
Adhere to the Toughest Privacy Laws
Your policy can exclude certain regions in which your business does not feel it can be competitive based on that region’s privacy laws. “But trying to thread the needle,” Frank said, “is just going to be increasingly difficult.”
Related Article: Staring Down the Intersection of ePrivacy, GDPR and Privacy Shield
Global Policy is Not Enough
While a blanket global privacy practice may be a good starting point, marketers can’t always depend on across-the-board compliance with all privacy matters. Understanding the major regulations and its provisions is still a practical approach, according to Jonathan Lacoste, Jebbit’s president and cofounder. “That’s the most important question on every organization’s mind — where do I start?” Lacoste said. “California’s privacy act is slightly different than the GDPR, so if you’re GDPR-compliant today, that doesn’t mean you’re compliant with California’s regulation,” Lacoste said.
Owning Data Vs. Renting Third-Party
The safest move for companies, Lacoste said, is to shift their data collection strategy from renting to owning their data. Take a “less is more” mentality to simplify your data stream. Renting third-party data is expensive, often outdated, irrelevant and inaccurate by the time an organization is ready to act on the data, according to Lacoste.
Parker Morse, CEO of H Code Media, backed him in a Forbes report. “Plus, competitors have access to the same information,” Lacoste said. Though well-intentioned, third-party data brings about questions around the source of the data, meaning the data might have been collected in a non-compliant way and is therefore illegal, according to Lacoste. Consumers may not have given consent to giving up their information.
Companies can comply with the California Consumer Privacy Act of 2018 and at the same time rebuild customer trust by collecting and applying data in the most transparent way, Lacoste said. “By owning data,” he added, “organizations know the source of the data they’re collecting on consumers, and can guarantee they’re collecting it from consenting individuals. First-party data will not only become a way to comply with regulation, but also a significant competitive advantage.”
Know Your Data Inventory
It’s been said before but bears repeating, take inventory of your data before you even begin to think about complying with requests that may come due to new privacy regulations. “To prepare for stricter data privacy laws, marketers should first determine what data they have and how it’s being used,” said Rob Perry, vice president of product marketing at ASG Technologies. “Both GDPR and the California Consumer Privacy Act of 2018 require organizations to obtain consent from individuals to collect and use their data, and then disclose how their organizations will use that data. Of course, to do this, marketers must know what sort of information they currently have.”
Utilize Data Mapping
Dave Swarthout, data privacy officer for Monetate, said the first thing you can do to prepare for privacy compliance is to data map. “And it doesn't matter how much you map, you will always end up talking to somebody and you find out data exists someplace else as well,” Swarthout said. “There have been entities that have asked for exceptions or extensions from the European Commission [which regulates GDPR] because they can't meet the GDPR’s 30-day turnaround time for a subject access request. My guess is it’s because they don't know where all their data is.”
A ‘System to Manage the Systems’?
What’s needed to get a handle on your organization’s customer and prospect data is “a system to manage the systems,” according to Jeff Nicholson, vice president, CRM product marketing for Pegasystems. “To illustrate,” he said, “the gap is not that you don’t have a data management system or a CRM system. It’s that you have data everywhere, and multiple CRM (and related) systems — often in 20, 50 or more locations where customers’ personally identifiable information (PII) is held. Unfortunately, much of this infrastructure is not connected because it never had to be, until now. And talks of a potential national data privacy law in the works, this challenge needs to be taken seriously.”
California Law Allows for Data Specifity
Under the California Consumer Privacy Act of 2018, consumers starting in 2020 will be able to request the following.
- That a business disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared (the bill would require a business to make disclosures about the information and the purposes for which it is used)
- That a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of third parties to which the information was sold or disclosed.
“The big thing for me is the access component to it,” Swarthout said. “This is going to allow an individual to write to a marketer and say, ‘I want you to tell me the data that you have on me.’ What type of data are you collecting?” It forces marketers and organizations to be much more accountable and responsible when it comes to data collection. It’s a good idea to include what you do with personal data on your privacy statement. Update your privacy statements with specifics on how you share data and with whom you share it. Monetate’s team had to include statements like data-sharing with Marketo and Salesforce, rather than just saying “third-parties.”
Take inventory on all the ways you collect and share data, whether it’s buying, collecting at trade shows through third-parties, etc. “You're going to have to disclose much more information to people and let them know more about your data practices,” Swarthout said.
Related Article: Was GDPR Opt-in Necessary or Not? And What to Do Next
Personification Over Personalization
Gartner’s Frank has long pushed for marketers and brands to seek personification over personalization. And that, naturally, has a lot to do with the data you collect. Personification is the “delivery and optimization of relevant digital experiences based on an individual's inferred membership in a customer segment and their immediate circumstances rather than their personal identity,” Frank wrote in his “Use Personification to Balance Personalized Marketing with Privacy and GDPR.” (fee required) “The idea is to try to separate the notion of personalized experiences from the notion of personal data,” Frank told CMSWire in an interview. “And that sounds a little paradoxical. But the idea is that you can do certain kinds of personalization without necessarily having personal data.”
Frank’s research supports the idea of using less of the data that GDPR is focused on (personal identity, etc.) and more of the data that determines what the person is looking at, is doing at the time or other kinds of ways they might be interacting that don't really have anything to do with their identity. That kind of information can be “more telling about what their intent might be at a given time,” Frank added. It’s less-risky data from a privacy standpoint but still has a great deal of marketing value. “And those are the ones that [marketers] should be focusing on,” Frank said.
Related Article: How to Address Consumer AI Privacy Consumers
Build Trust and Be a Better Data-Driven Marketer
Bottom line with all these privacy requirements? You need to build trust with your prospects and customers. “Customers want to know that if they’re willing to share with you their data they want to know that they can trust you, that you're not going to use it for the wrong purposes, you're not going to resell it and you’re not going to give it to the wrong people,” said Ashley Stirrup, chief marketing officer for Talend. “And so fundamentally whether you're looking at GDPR or the California Privacy Act, they're both saying the same thing. You need to have the right processes to manage your your customer data. You need to be able to share that with consumers so that the consumer can have confidence that you're actually managing their data.”
Use these privacy laws, Stirrup added, as an opportunity to become a better data-driven marketer. Good data-collection practices means better targeting, and that leads to effective marketing helps a customer shorten their buying cycle, Talend added. “Customers want to be educated, they don't want to be marketed to. And so as a marketer, you're investing in digital, you're trying to understand what the customer wants, and you're trying to use data to help you create this great customer experience. If you do it effectively, they learn what they need to know and get to a buying decision that delivers value for them.”