Marketing & the Era of Data Privacy
By David Booth of Cardinal Path
Thanks Brian. Really excited to be here. I hope everyone is enjoying the conference so far. I hope everyone will enjoy this session in particular.
This half hour or so we’re going to be talking about marketing and specifically what sorts of implications are happening in the data privacy segment. Obviously, that’s something that has gained a lot of attention here in this year and previous, and of course, I don’t think we’re seeing the end of it. I think what we’re probably going to do is end up at a place where we realize that this is just a tremendous opportunity for marketers and much less of a doom and gloom threat that we’ve all seen in the headlines lately.
I want to kind of start just by making the point that the GDPR component that got so much publicity here, coming into the May deadline for compliance, was really just one in a series of many many initiatives to try to tackle this large problem globally. We can trace this in the US all the way back to the CAN-SPAM ACT which was again trying to keep spam out of people’s inboxes and things of that nature. But of course, every where in the world, there’s been a lot of work here to try to understand and tackle this problem of this digital exhaust stream of data that’s being collected across these digital channels and then balancing all of the benefits that we can have and garner from that data through analysis and optimizations and targeting and all of that wonderful stuff that we as marketers are doing with the personal data concerns and the privacy concerns that are being targeted.
So, I think what we want to understand here is that GDPR is really just a continuation in this evolution of data privacy initiative and what not. It did get a lot of attention.
If we take a look at it, we can go all the way back to April 2016 when this came into play. Really we see that nobody really cared right up until we got to the point where compliance was coming. At that point, everyone here is probably very familiar with the kind of headlines that we were seeing here in the media. Ya know, big research firms that were predicting non compliance. And then we were seeing these huge hefty fines that were millions and millions of euros or percentages of global turnover that could bankrupt a company. And of course, there was confusion. Whether people were subject to this if they were outside the EU, inside the EU, if they did business in one part of the world or another. And we saw that very few people had a handle on this to the extent that they would be fully compliant by the time that May 25 compliance deadline came around.
So, what I think was interesting, is while we in this space were very concerned and watching this in a Y2K-esque fashion, what we also saw was that consumers continued to go along with their world and their days and understood that this was a problem that marketers were going to have to tackle. To put it all into perspective we can also come back to the Kardashians at every point in this entire cycle save that one type of doom and gloom that made the major news headlines still getting much more attention in the general mainstream than our data privacy concerns.
What I want to do is talk about what happened. GDPR was a continuation in an evolution of lots and lots of data privacy regulation and efforts and initiatives. It was one that got a lot of attention. It was one that did have some impact. So, what happened? What happened after compliance came into effect?
There were some impacts. We saw things like there were a number of websites that chose to rather than to become compliant and deal with all of the risk and complexity, they made the business decision to stop serving content inside of the EU.
And of course, this made again, major headlines and things. And we all waited for the big lawsuits to pile up. And of course, everyone was waiting to see how these things get litigated and get some clarity around a lot of the components that still have a little bit of gray area around them. And what we did see was the day after, there was a lawsuit that was specifically targeted at the big guys. This was to the tune of about 9 billion dollars they were seeking in this one.
Again, I think this is an interesting dynamic that played out. For those of us who watched this, we were seeing the different messaging that was coming out of these larger players. People taking every position from, “This doesn’t apply to us” to, “This does apply, and we’re 100% compliant in the way we interpret compliance” and everything in between.
And what’s going to be interesting is for all of us on the sidelines to watch and see what happens. I know this could be a long, drawn out battle. If we look at a 9 billion dollar settlement possibility.
It’s also interesting to look at some of these targeted organizations and their net income they reported in the year of 2017. We can see that that is a big chunk of cash obviously. There is tremendous risk here. It’s also worth fighting. I think what we’re probably going to see is some litigation that draws out some of the details that the rest of us are looking for.
I think beyond the larger organizations that do have a specific very vested interest in personal data, what we’re not seeing is the US based small business on the corner being targeted by EU legal organizations. That certainly has not happened. What I think we ended up with, was a place where a lot of expected that Y2K mushroom cloud of an impact with this one directive that was out there. What we ended up getting was more like this. I think that’s actually a good analogy. We got a spark. I think that more than anything else, GDPR was that spark. It was that catalyst that drives us as marketers into a mindset where we really really need to focus on data privacy and enlightening the consumers that we’re interacting with and adhering to their expectations and listening to their fears.
I think that those days are gone, and we do have to understand that whether we’re focused specifically on a set of legislation or directors of GDPR, most organizations are now starting to look at this and say whether or not there’s legal impact, we do need to start addressing this. Both to make sure that we are improving the efficacy of how we’re using the data we’re collecting, but also that we’re respecting and balancing that with the consumer’s expectations and calming the consumer’s fears.
So, what we’re ending up with now, is a situation where most folks have gone ahead and started to do something with respect to data privacy. Again, GDPR was a big catalyst for this, and what we can see in this particular piece of research is that unless you’re in that four percent who is kind of closing your eyes and sticking your fingers in your ears and saying, “I don’t want any of this to exist and I’m going to pretend that it doesn’t,” you have at least started going down this path to compliance.
Again, more than just GDPR compliance, this means you’ve gone down that path of starting to understand, disect, and put a plan into place around data privacy. And of course, there are some legal ramifications that are going to come at some point whether it’s in eu directives or others that are coming around the world. Mostly what we’re starting to look at is from the perspective not just from the businesses and regulatory landscape but from the consumer’s point of view.
I think this is some really really interesting research that was done by Janrain. A couple key graphs that I would call your attention to. The first one here being that 94% of people out there are at least somewhat concerned with data security and data privacy. I’m not sure who those 6% are, but the rest of us understand that when we are in an online world, there’s a tremendous amount of data that is being tracked. It’s being stored and it’s being used and it’s being passed around and it’s being thrown around a widely complex landscape to where we’re not really sure where it all goes. I think it’s right that most of us are concerned about this as consumers and people living our lives.
The second one I think is pretty interesting too which is nearly three quarters of people surveyed here believe that websites know way too much than they need to about me. I think that that’s interesting too because as marketers we’ve often taken that perspective that we’ll collect everything whether we’re going to use it or not, and we’ll decide if we want to use it later. There might be some use for it later on. What we’re starting to see is a real shift in that mentality to we’ll take the information that we need for specific types of initiatives and objectives that will balance the value we’re providing to consumers with that data as well as the privacy concerns that are out there.
Then again, the last one out here is probably my favorite. Almost three quarters again believe that even if companies and organizations want to do this responsibly, they either don’t care about it, which is what most of that group thinks, or they’re just so bad at it that they’re not doing it right. I think this presents a huge opportunity for us as organizations to manage this data properly. And understand that we are responding to the real situation on the ground with the consumer mindset of today.
And of course there is that regulatory pieces whether it’s GDPR or something different. This one done in the US found that over two thirds of people would like some kind of regulatory legislation like GDPR in the US. We’re starting to see that at the state levels already.
Again the idea being that we’re not necessarily going to just trust a for profit world to do what’s right by the data privacy standards. We do need to have some kind of oversight. Some kind of a stick along with the carrot of what it is that consumers want.
What’s interesting here is that organizations are responding to this. They are starting to do these things. Like we’ve said, just about everybody has some kind of plan in place in order to become compliant with some legislation or more broadly, start to address personal data and personal data privacy for their customers, partners, and the folks that they’re worried about.
I think this was also another interesting chart that came from the same piece of research here where we started to understand why. Why are all of these people starting to take note and starting to do something about data privacy? You can see that it’s not until we get down to the fourth reason why that we get to the legislative side of things. “I’m worried about getting sued.” “I’m worried about the fines that result in noncompliance.” It really doesn’t matter if their from the US, the UK.
The biggest reason people are doing this is because they realize that they need to in order to meet those customer expectations. It’s something of a moral victory here as well, and if we start to look at that number two, especially in the EU, this is something that consumers expect and that we want to do because it’s the right thing to do. And then, of course, it’s not just our consumers, it’s the third party partners and data processors and other folks that we’re working with in this large and complex ecosystem.
So, I think, suffice it to say, folks are at a place right now where they want to do something about this, and the biggest thing that we hear is that people don’t know what to do or how they should first approach it.
And that’s where we really want to focus the rest of this session on. What is it that I should be going after? This is such a wide, broad, and in some cases, still undefined area that we really need to prioritize. We really need to assess our risk, assess our priorities, and get together an action plan. And that can be a difficult thing to do.
This was a good piece of research that discussed, “What are the top things that you believe you need to do?” And specific to GDPR in this case. Again, I think a good broader indicator of data privacy. We see there’s three things that whether you’re in the EU, in the US, kind of rise to the top. The first one is preparation for a data breach. That’s one thing that does have some regulatory consequences. We do need to be able to tell people whose data was compromised, that it was compromised. I think that we’ve seen in the other news headlines from very large organizations who have been hacked or in other ways data breached. They did have to make some public acknowledgments of that. It’s still very difficult for the average consumer to figure out, “Was my data in there?”, “What exactly was compromised?” So that’s a big part of it.
The other one that I think is interesting is consent. This is a very tactical problem that needs to be solved. It’s one that we’re starting to see new technologies come to the forefront to address. We will come back to that in just a bit.
I think the one we want to focus the most on here is really that foundational one of data inventory or data mapping. This you can kind of consider the foundation for everything else that you see on this list. If you don’t know what data exists inside your organizational infrastructure, inside your partner ecosystem, then it’s very very difficult for you to do things like obtain consent for data that you don’t really know you have or are collecting. It’s difficult for you to know if that data that you didn’t know about was breached. And if you have to go and tell people, it’s difficult from a data portability perspective.
From any of these other objectives that need to be tackled at some point, we have to understand the data first. I think that’s what we want to focus on most. Mapping our technology landscape so that we understand what data is flowing in and out of our systems. And then we can use that as a foundation to assess which of these additional objectives we want to tackle as an organization and what priority we want to put to them.
The hardest part about this and why it’s such a challenge is because the MarTech landscape continues to become more and more complex. Now this of course presents lots and lots of great opportunities. This is how we’re able to get the new capabilities in marketing that we can to provide even better customer experiences. More relevant targeting that delights the consumers, but it’s powered by a very fragmented, very siloed, and in many cases, unintegrated, complex set of tools and vendors and data transfers and everything in between. Of course, the c marketer surveys are telling us just that. There are of course budget constraints to why organizations see barriers to marketing technology use, but what we’re largely seeing here is that it is just kind of a scatter shot. We do have a lot of these franken stacks that are out there. We do have still a lot of organizations still making mergers and acquisitions trying to build that end to end coveted platform. But there isn’t one out there quite yet.
The obligatory slide that we see in just about every conference of the lumascape here, continues to grow. It’s important to look at this and realize that every single one of those logos that are so small and pixelated, we can’t even make them out anymore, has the opportunity to hold personal data. It is subject to data privacy concerns. So, if you’re an advertiser in this day and age, whether it’s you and the organization doing this in house or leveraging partners across this broad ecosystem of AdTech and MarTech, you are handling and processing and in some cases, the controller of personal data.
Again, that first foundational step means we need to map out which of these logos exists inside our organization, which homegrown solutions are behind the scenes. That’s going to help us do a few things. To set the foundation for everything else that we’ll do with respect to data privacy. So, again this is a foundation. By doing a proper mapping of your MarTech and in some cases, your AdTech stack as well, you are able to do a few things. Namely, number one first and foremost, you can finally understand all the different systems, the tools, the technologies, the vendors, and of course all of the data that they’re producing, inside your preview. That again, is probably the biggest single thing that we can take from this.
The second thing is that we can now enable some things. For example, we can not get compliance for data we don’t know we’re collecting and don’t know which of our agency partners are collecting it. By doing this mapping, we are starting to enable all of these tactical things that we do need to do in order to become compliant with legislation or to do the right things when it comes to the broader concepts of data privacy.
Then last, it’s really important to realize that this is not just a one time exercise done by one department within the organization. This is something that is an ongoing evolution, and it’s something that as we start to see progression in the space, we’re also going to allow ourselves this vast understanding of everything that’s in the sight of our systems from the marketing technology perspective so that we can enable data governance and the change control and the processes are going to keep up compliant and keep us ahead of the curve with respect to data privacy as we go.
As we’ll see in the rest of this presentation here, I want to walk through five tips that we’ve seen are really important for our customers and the folks in the marketing technology landscape right now in order to map out this marketing technology stack. And in so doing take that first step and that foundational step for just about everything else we’re going to do to address data privacy as an organization.
The first one is coming back to people and not technology. I think the first thing we need to do is make sure that we are spreading knowledge around the organization. GDPR specifically or any other kind of legislation and more generally, data privacy, does impact just about everyone in the organization from the c-suite all the way down to the intern program. Virtually, everyone has the ability to touch personal data at some point in the process of how it is flowing around a set of departments.
We first of all want to look at this across the disciplines within the organization. Of course, the functional disciplines as well. Of course, the marketing department is going to be involved here. We do need to understand what it is that’s being done across all the different campaigns and channels that we’re using, we need to understand what technology is in place. We need to understand the execution processes and planning processes and everything else. We also need to know which of our agency partners are involved here as sub processors or processors of the data we control as an organization.
In each of those functional areas and groups, we really have to also understand what is it that each level of organizational leadership and execution is looking to get from this particular mapping. If we start up at the c-suite, this is kind of a high level executive summary. What we’re looking for here is show me a picture that tells me everything we’ve got and which ones are at risk and which ones we think are in a good place. That will again help to set the strategy in order to put those initiatives in place, prove those budgets to do those things, and tackle those problems at the highest levels.
From the management of those particular priorities and perspectives, we’re going to really need to understand a little bit more. Maybe there was one tool that was marked as red out of compliance. At the management level, we’re going to need to know why. What components of data privacy compliance were having trouble? What are some of the solutions that we can take to solve those problems?
And then of course, at the execution level, we have everyone from developers and planners and folks who are in on just about every aspect of this to actually deliver those solutions. And of course they have to understand why it is we’re doing this and understand that the technical details of how we, for example, deploy a new piece of technology or update existing content areas that we all want to maintain as part of our digital landscape footprint.
So, understanding each of these stakeholders is going to be key to having some stakeholder interviews, and at that point, we’re going to understand what it is that people really want out of this exercise in the organization. That’s going to help us to position this mapping properly, and again, collect and collate and make available all of this information that does reach all of these different needs.
The second thing that I think is really important is to go through and audit the tools that are apart of your technology stack. There’s a couple ways to do this. There are a number of enterprise tools out there that can be used to take a pretty good look at everything that’s inside of a website or a mobile app or anything like this. That can identify your web analytics tools, your testing and personalization tools, your tag management tools, your adpixels and all the conversion tracking that you may have. Anything else that’s out there and available, on the client's side that a crawler can go and find. These are pretty sophisticated. They can go through mock ecommerce scenarios and understand everything that’s behind the logged in areas and things of that nature. And this is an automated way of really understanding all of the different technologies that are a part of your marketing technology stack. As we’ve done this with many of our clients, it’s pretty amazing to see how many times there is surprise or confusion when we tell an end user or an end customer that they have these technologies in their stack and they don’t remember purchasing them or don’t remember a third party vendor asking to put a tag on their site or anything like that. This can be very instructive. This is going to be the raw data that will eventually feed into our mapping.
That said, there are a lot of things that we’re not going to be able to see. Those we will require the stakeholder interviews, and this is going to be from the CIO, the CTO’s organization to understand what sort of behind the scene things are inside your marketing technology landscape that we can’t see from a website scan or things like that. We’re talking about back in CRMs, we’re talking about in some cases, data management platforms, enterprise, data warehouses, UTL tools that are helping to clean and prep our data for use downstream. And of course all of the internal processes that are driven by that.
So, once we’ve gotten this list of everything that makes up our marketing technology stack, we’ve drawn a circle around the marketing landscapes, we’re not getting into some other areas of the organization where we can certainly see scope creep in this particular project. It’s time to deep dive into each of these tools, technologies, and systems.
At this point, we’re going to start to ask some key questions. We want to understand not just, what specifically is being collected? How is this data passing between or is integrated with other components within the marketing technology stack? But we also want to know things like who owns this? What’s the vendor in play? Who is the contact that we have there, and what’s that phone number in case we need it?
The other piece that we would really want to understand is are there any other third party agencies, consultants, or partners involved that are also having access to this or in some cases, in charge of this? All of that information can make it into our eventual mapping. By the time we’re done with this step, it is time to start doing that mapping. I’ll share with you for a minute what we’ve developed over here that allows us to visualize this in an interactive manner and keep this thing up to date as a living, breathing set of documentation.
Essentially, it does just what we’ve talked about so far. What it does is it breaks down each of the different components in the MarTech stack by functional areas. We see things that are related to contents, things that are related to insights and reportings or any kind of tracking pixels and tags and things like that. In this tool as we hover over any of these, we can start to see how data is flowing. So if data is coming from one into another, we get this high level overview of everything that’s in our marketing technology stack as well as the data that’s being passed around and how these things are interacting and integrated.
From there, of course, we want to get a little bit more information. If we remember back to the stakeholders having different needs and different set of details that are required, if we drill into any of these we can start to see some of that data.
For example, drilling into an analytics tool, we can see who it is in the organization who owns this. What exactly this is responsible for from a capability perspective. If it’s hosted by us internally or if it’s a software as a service cloud based solution. We can see any other vendors or service partners that are involved. And of course we can see that detail of all the connections of things that it is sending data to and things that it is ingesting data from. This is again a key step in the governance process for the data landscape that continues to evolve.
If we move into even deeper aspects of this, we can start to see a data privacy screen for example. This is where we can kind of see that green is good, red is bad set of compliance. This may be GDPR specific to some of the parts of that directive, but more generally, this has a lot of those data privacy sets in there. So however you decide to do this, certainly make sure that you are taking stock of whether consent is being collected, whether it’s maintained, and is it editable, and if someone does have a request to be forgotten, you can accommodate that request. You can change any of the data that you may need if all those things are in place, you can very quickly see this by hovering around and clicking on each of these boxes. What is the expected behavior or outcome and what is it that we have now and what risks exist? Once we have that, we have ourselves a basis for making a plan to identify what it is we’re going to prioritize as an organization. And then put together that executional plan for how we’re going to address it.
So last thing and the fifth tip that I’ve got here is to make sure that this is something that does drive action. It shouldn’t be just a project that you do to check off your box and then this visualization or this mapping sits in the corner and gathers dust. This should be something that is updated. It should be something that keeps up with the change of the marketing technology landscape.
We’re starting to see new platforms and products and technology solutions out there that many organizations are going to adopt. What we see is a good step here is making sure that if this does have a defined owner and there are defined governance initiatives and responsibility matrices and change control processes, that this is the way that this actually happens.
As these things are updated, we need to make sure that these things are available to everyone who needs it. This is not just your legal department. It’s not just your marketing department. This needs to be available to all the partners who are playing a part in this broader data landscape. It needs to be IT, who’s governing the tools and technology, the marketers and sales teams that are actually leveraging it and using it, the consumers of the data visualizations that come from it, any third party partners, executional agencies, consultants, anything like that. Again, this democratization and visibility of this data is something that’s going to be key in order to jump off from the starting block.
What I want to leave you with is some next steps. I think what we’ve talked about here is really putting in place a solid foundation to where we finally have a way to look at and understand all of the data that we’re using inside of our organizations. At that point, it’s time to do three things.
- Number one, raise some awareness. There’s plenty of educational opportunities out there across video and text and all the mediums on the web to make sure that people across the organization are understanding data privacy and what it means to us as marketers.
- The second thing is that each organization will individually have to assess their risks, have to have their own discussions with their own legal teams from a compliance and legal perspective. Of course, they're going to have to balance this with the business objectives that they have. Put together a list of the things that they do want to tackle. What order they want to tackle them in. Then they can put together the tactical plan for who is responsible for taking on these plans and solving these problems as number three indicates.
- Really taking action against this informed plan now that we do have a place to start, a jumping off point, and a very solid view of everything. It is inside of our marketing technology landscape.
So with that, I will say thank you, and I will turn it back to Brian for some closing words. Thanks again for joining us, hope you enjoy the rest of the conference and have enjoyed it so far. Look forward to hopefully meeting some of you in the industry in which we play. Thanks so much.