Our SVP of strategic partnerships and global data supply, Marc Fanelli, reviews the misgivings, misunderstandings, and missed opportunities for data and privacy in the 2020s, from new privacy legislations to global technological innovations to substitute third-party cookies.
Privacy has become one of the most pressing issues facing our industry — it has been building for several years, and has absolutely reached a tipping point in 2020, showing up on CEO’s priority lists more than ever before. Consider the backdrop: in addition to a new wave of privacy legislation like GDPR, CCPA, and CPRA (with more on the horizon), the number of data breaches in 2020 is approaching 4,000 already, on pace to more than double the 2,103 recorded in 2019. Many of these security breaches involved well-known brands and exposed personal consumer data, including addresses and financial information.
Every company that collects data is already terrified of being a victim of a cyber-attack, and the added stress of trying to follow confusing privacy laws isn’t doing anything to make them feel more comfortable. In fact, privacy and compliance have become a minefield, to the point where brands have become paralyzed with fear of misusing data. This isn’t an exaggeration — if you remember when GDPR went into effect, there were plenty of ad tech companies that pulled out of Europe entirely because they didn’t think compliance would allow them to remain viable — or if they were capable of complying at all. Furthermore, many companies are learning that simply collecting user consent — initially thought to be the solution to compliance with many of these directives and laws — isn’t enough to protect oneself from issues related to data misuse, theft, re-identification which lead to brand reputational damage and may result in financial penalties. For example, obtaining user consent to share data doesn’t protect a firm from the data being breached and re-identified as it travels through the digital environment — e.g., known as “data in transit”. Hashing functions and encryption don’t completely protect the confidentiality of a user’s data, as pseudonyms can be reidentified through the matching of said keys to identity graphs “floating” in the ether - and that allow bad actors to find matches on the pseudonymous, tying it back to clear text and thus the identity of the individual. In addition, just because user consent has been obtained by a brand for example, what happens when that data is passed to a downstream partner? Did the user provide consent for that data to go from said partner to another party? The aforementioned examples are just a simple representation of the many complications associated with what being responsible stewards of data truly entails. Having said that, Marketers must find a way to protect their users, while satisfying regulatory frameworks and not opening themselves up for penalization. Today, due to a lack of full understanding of where all the risk points are, we see many organizations either pulling back and going conservative, or taking a “check the box” approach when it comes to believing they have satisfied regulatory mandates.
Data Is the Fuel for Personalization
The conundrum is that consumers want personalized experiences. If a customer looks at skis on a sporting goods store’s website, they’ll expect to receive emails about skiing, and see product recommendations related to skis — like snowsuits and goggles — when they visit the site. Without data, that sort of tailored experience isn’t possible. The shopper will instead be targeted with general ads for the store, and they may receive emails promoting skating or sledding, which aren’t among their interests. As a result, the consumer might feel that the store doesn’t “get” them and shop elsewhere.
Brands need data to successfully engage and win customers, and customers have historically been willing to share that data in exchange for those personalized experiences, great content, and money-saving offers. But recent legislation has made collecting and using data even more challenging and frightening for both consumers and brands.
It’s that fear that may keep many companies from taking advantage of the opportunities the market still has to offer. Between concerns about cookies, fear of hacks or breaches, re-identification due to the inadequacies associated with protections when data is “in transit,” misunderstandings around the limitations of first-party data, and fear of privacy rules, many brands have hamstrung their own digital marketing efforts.
Baking the New Cookie?
The loss of the cookie plays a big role here. Cookies represented an easy way to follow the customer journey. Given that browsers have limited marketers’ use of cookies and have forced the industry to focus on alternatives — and has also shone a spotlight on just how we use and protect customer data. Without cookies, we need to find a way to responsibly stitch together the customer journey through different identifiers or IDs that tie back to the consumer — and that most certainly will contain personal information. Furthermore, we must find ways that allow the linkage of these IDs without the risk of unauthorized re-identification of the consumer.
That’s where the privacy laws start to make brands nervous about working with data. CCPA, for example, introduced new language that bars companies from sharing data with partners — a departure from the original language that banned selling data (but implied that sharing was acceptable). In a world without cookies, that means that even in co-marketing efforts, brands have to be incredibly careful with any data that comes into their stores, ensuring they have permission and every safeguard in place to protect the consumer, from a record of consent to certainty that the data will not be exposed or identifiable during any process or transaction.
Innovation Ahead and Abroad
The good news is that these regulations are forcing the industry to innovate. We will move beyond the simple hashing or pseudonyms employed today that can put consumer data at risk. Innovation has already begun in Europe, undoubtedly spurred on by GDPR. We’ll start to see technology wherein custody of personal data doesn't have to be transferred or moved in order to obtain information from a trading partner or third-party data provider in order to attach insights and information that enable at-scale personalization. The customer can feel secure knowing their data isn’t actually moving anywhere, so they can enjoy tailored content and offers without the risk.
Until those new technologies are proven and broadly adopted, the key is to play by the rules and be honest with your customers. Ask them for their preferences and be straightforward in your explanations about how their data is being used — and demand the same of your partners. Data regulations are in place to protect consumers, not to hamper your marketing efforts. If you explain simply, clearly and honestly, what data you’re collecting from visitors and how you’re using it, they’re likely to opt-in for the better experience they’ll get in return.
Remember that by and large, people want better, more personalized experiences online. If you’re clear about what you need from your customers to deliver experiences, chances are they’ll give you permission to deliver.
Article originally published by the Association of National Advertisers on 02/10/2021.