ObservePoint Privacy Compliance - Marketing Analytics Summit 2021

May 25, 2021

Introducing Privacy Compliance from ObservePoint

Learn how to protect your customers, their data, and your reputation by ensuring privacy compliance. Support your CCPA, GDPR, and other regulatory compliance efforts with 100% visibility of cookies, personally identifiable information (PII) detection, and regular consent management platform (CMP) testing.

Privacy Compliance operates by:

  • Delivering a full list of all cookies and network requests
  • Sending alerts when new technologies appear
  • Revealing what data is collected, by whom, and where it’s sent
  • Generating customizable approved/unapproved lists

Jim Sterne: 
And we are back. Our next speaker is Mr. Mike Fong, who spent three and a half years as an analytics architect at Tesco, which if you're not in the UK, you need to know is one of the world's largest retailers of consumer goods and food and fashion. But for the past six years, he has been at ObservePoint where he is now Senior Consultant and the Solutions Engineer. Mike is here to introduce us to ObservePoint's Privacy Compliance offering. So Mike, welcome to Marketing Analytics Summit.

Mike Fong: 
Thank you very much, Jim. It's great to be here. I'm following a great session by Carol. So I guess just a bit about myself, my name's Mike as Jim mentioned, I've been at ObservePoint for a while. And before that I was in charge of setting up the Adobe stack on Tesco using back then it was DTM. We didn't have Launch then. But in the time, so basically in my career about 10 years, we've basically seen a situation where privacy laws have gone from being an idea, to being a tick box exercise a few years ago, to actually genuinely being enforced. And so it's been interesting starting my career right at the start when cookie banners first appeared, and when you would always just ignore them on a website, and they were just an annoyance, to the point where you didn't notice them because they've been around for so long, and now where you got million pound, and million dollar fines just flying around everywhere.

And actually before I go any further, I must apologize for my background. I'm actually in my mum's storage room. So this is not one of the prettier virtual backgrounds, but unfortunately I haven't got a virtual background, so yeah, we've got, we've got the owl from Harry Potter actually. And I don't, I haven't seen the films or read the books. I don't actually know what it was called, so I'm very sorry.

But back on topic, so we've seen a situation where GDPR has really, you know, it's in effect now. The fines are flying. There's been a bit of a truce because of COVID, but I'm pretty sure that once COVID dies down those fines will be flying all over again. So this image I want to show you is just an idea of the geographical range of data privacy regulations at the moment.

So according to a report published by Gartner last September. So which means, you know, my stats are already out of date, but back then, about 10% of the world was protected under some kind of data privacy regulation. And we're broadly talking about, basically back then, you know, Europe and California, basically. The report also predicts this number rising to 65% of the world by 2023. Of course there'll be delays, there'll be things shifting, but by and large, the number doesn't matter. The fact is that every organization in the world, you're not going to be able to ignore the legal requirements placed upon two thirds of your market. And that's by 2023, you know, that's two years away. So in order to meet these requirements many digital businesses, website owners are investing in a consent management platform or a CMP. Now, there are plenty of choice out there, lots of vendors, but it's often the case with these digital things is that no one thinks about checking the quality of the implementations.

And I like to draw an analogy with web-dev or app-dev, right? It would be insane to spend a million dollars on a development team and not spend some money on a quality assurance testing team. We found that out over the last 20 years when websites were really bad 20 years ago and they improved and a lot of that is thanks to automated testing. So now in my role at ObservePoint over the last five and a half years, I've seen the same realization dawn upon digital marketeers. Why is it that every time you implement a new tag or you do a digital transformation project, why is it that the data is always wrong? Why do we spend so much time chasing our own tails, looking at the data and figuring out why there's problems? And the answer is that automated testing generally hasn't even been thought of, or planned. So even in the MarTech space, many organizations are playing catch up.

So I want to help you all look ahead, get ahead of the game and say, "actually, we're going to implement a CMP. AND we're going to think about QA at the same time." Because if you think about QA as an afterthought, you will be two or three years behind. And guess what? Those fines will be flying. And if right now 10% of the world is protected, in two years' time 65% of the world is going to be protected. Imagine how much exposure your organization has to those large fines.

So I'd like to introduce ObservePoint's Privacy Compliance feature. So this is designed from the ground up, very recently in order to help our customers get ahead of the game. And rather than running a product down your throats, I thought I'd give you something more useful. This is a simple checklist, it's product agnostic, it's layman's terms. We know that when it comes to a new almost a new market, or a new skill set, it's going to need to be built up from people who are new to the space. So even a layman's simple reading of the GDPR should logically lead you to look at these six simple requirements.

So firstly, think about, just basically, do you or anybody in your organization know what is the entire MarTech stack on your website? This is 101, it's taking an inventory. Imagine a worst case situation where some sensitive information has been accidentally published on your website, say employees' salaries, or I don't know, some leak from Facebook or something like that. One of the things you need to do is inform the market, you tell your data authority, and then you need to trace where the data has gone. Where has that data potentially gone? So you need to know every single third party vendor that's on your site. 99% plus of the individuals at your organizations I talked to over the last few years have not been able to provide a list like that. They've not even been able to tell me whose job it is to provide a list like that. So, simple preparedness is just know what you're paying for. Often, you can actually remove many technologies that are redundant.

So let's move on to step two, ensuring your MarTech is delivered through your tag management system. And the question is why, so consent management platforms generally work by communicating with the tag management system and then a tag management system will be enabling or disabling the tags. So if you have tags outside of your tag management system, then your consent management platform will have no effect.

So third one, this is a really obvious one. So GDPR says that the customer must be granted the option to opt out of cookies and analytics the moment they land on your website. It follows logically that your consent management platform must be on every single page that a customer could potentially land on. So rather than having lots of caveats and lots of logic, why not just go the nuclear option and ensure your CMP is on every single page, simple and effective.

So next step, ensure your cookie notice is accurate. So, gone are the days where you could have a cookie notice that everyone ignored. As part of GDPR, the old cookie notice laws have been superseded, and now you see many websites will explicitly list out a list of cookies and notify this to their customers. But how do you know that cookie notice has been updated? What's your process for keeping up to date, and how are you auditing, how are you comparing your list to the truth? ObservePoint, and products like ObservePoint, many can give you a cookie inventory by crawling your site across many thousands of pages. Comparing the reality to what you're notifying your customers of, is one of the low hanging fruit, and one of the easiest, things that you can do. The downside is I spoke to someone yesterday and they told me that they spent literally five months checking manually the cookies across all the brands under their group. And I really felt for that person, cause if he'd spoken to us five months ago, we could've saved him all that heartache. Especially since the work he's done is probably out of date by the time that five months was up.

Nearly at the end of this list. So number five, ensuring that your consent preferences are actually respected. I'd say between 30 to 40% of the CMP implementations I inspect, do not work properly. The first major flaw is point three, the CMP isn't on every page. And the second major flaw is that the CMPs that are on every page, don't do anything. You'll see later on that it's very easy to misconfigure your CMP, and I do believe that many of you in the audience may have experienced this yourselves. Hopefully none of you will have experienced that, and not know about it. So, if you are sleeping safe at night, knowing that you've implemented a CMP, I want you to go and check that you've implemented it correctly on every single page.

Finally, one of the pillars of GDPR is that personal information must stay within the European Union. So very bluntly, you need to know where the data is going. So let's look at how ObservePoint can actually help you with each of the six. So you know, the MarTech stack, this is something that ObservePoint has been able to provide for 10-12 years of my history. This very simple screenshot simply lists what technologies were found on the left, which pages or how many pages the tags were found on, and how many are missing. So you can do a completion check, but you can also more importantly know what technologies you have, and whether they're duplicating.

So in this example, we've got an organization that's using both Adobe Analytics and Google Analytics. So that's a business decision, but to be aware of that allows you the information to make an informed decision. So let's move on to step two. We talked about knowing which tags are delivered for your tag management system. So on screen is the Tag Initiators feature. And this allows you to actually see how tags are related to each other. So on the screen here, we can see a Facebook tag is hard-coded to the page at the top, below that we can see three Google Tag Manager containers, below that you can see Yandex Metrica hard-coded to the page. So there's a lot wrong with this page. Now, what I would say is that this appears to be basically an incomplete implementation. We're not passing any judgment here, but the feature exists to allow customers to really keep control of piggybacking and hard-coded tags.

So one of the most important points I mentioned is a CMP on every page. So at the bottom right of my screenshot, you'll see a highlighted stack. And so just for your information, we scanned 500 pages of a website. We found these technologies, but we found OneTrust, the actual CMP itself was available in less than a half of the pages we scanned. So let that sink in for a moment. You've paid for a CMP license. You've paid someone to implement it correctly, but you are not protected at all. So your bottom line has actually decreased. Things have got worse because of a poor implementation, and this is not a slight at all on the technology. This is definitely an implementation problem rather than a problem with technology. So the most likely problem here is that the implementation team dived straight into the technicals and in the planning phase, they didn't ask themselves a simple question: How many pages are on our website? Who's in charge of the CMS? We should talk to that person. That's all it would have taken. Simple, simple mistakes that could have been prevented with an automated QA solution.

Moving on, the cookie notice accuracy. So ObservePoint allows you to crawl your website, create an inventory of all your cookies and actually export the data and do a side-by-side comparison with your notification. Do this on a regular basis, and you can guarantee that your notice is up to speed all the time.

And then nearly final one, are the consent preferences actually respected? This is my favorite mistake, because when I'm doing sales demos, people's faces drop and jaws drop to the floor. They're like, "Oh my God." So you'll see the title of this audit is called Audit Denied Cookies. So, but see the third row of this, the third from bottom row I should say, is actually the OneTrust CMP. So in essence, what this result set tells us is that the CMP is there, but it doesn't do anything. Adobe Analytics is still present, Bing Ads, Google Ads, Google Analytics. These are all a flaming, black and white, obvious violation of GDPR. Of course, you know, it's an unknown website, we'll keep them anonymous to save any blushes.

So the final feature that I really want to highlight, and we're really proud of this one, is the ability to show you, all our customers, where the data is actually going. It's important now that, in GDPR, PII cannot be processed outside of the European Union, and process is a very vague word. So, it basically means data can't go anywhere, or PII can't go anywhere.

So, if there are any questions in the chat, we will have a look at those, but I want you to go away. And even if you just remember one of these, it is find out in your organization who is a starting point to know your MarTech stack. And we're in a space right now where no one really feels confident that they've got a skill to do this. No one really even feels confident that they know who else's job is to do this. So from a cultural perspective, I encourage everyone to take accountability. That's one of the values we have at ObservePoint: taking accountability, and if you see a problem that needs to be resolved, go and talk to people about it, raise the profile. Because assuming it's someone else's role when it's a brand new problem, it's a missed opportunity potentially for yourselves, but it's also definitely a gap that needs to be covered. So, yeah. Thank you very much. Wonderful.

Jim Sterne:
Thanks. We do indeed have a couple of questions. Let me start with, where do you find in most organizations, where does this responsibility sit? Who is usually responsible when you go into a company?

Mike Fong: 
So typically it's the marketing team. They are the first people to get attacked by this because it's marketing's fault. The IT team get involved because they're the only ones that know anything about cookies, but digital marketing gets involved because they're the ones that set up the tags. The legal team gets involved because it's law. And then they are scrambling around searching for a CDO or a CRO. So all those teams and job titles I've just kind of dropped, need to work together and assign a clear owner.

Jim Sterne: 
So the answer is, truly, it doesn't sit on anybody's desk. It belongs to everybody.

Mike Fong: 
Boils up to the CEO and the shareholders.

Jim Sterne: 
With GDPR being sort of the first shot across the bow, one assumes that the European Union is ahead of the game. Especially, cause the US, we're with a concept of privacy, what about the implementation side? Do you find that Europe is implementing earlier and better than the US?

Mike Fong: 
Definitely earlier, obviously like you said, we're basically three years ahead of you in the curve. But what I would say is even today three years after the implementation, the legal deadline for GDPR, most companies are not GDPR compliant. There are a lot of fines out there just waiting to be sent. The various commissions and authorities, they will be looking for large organizations to make an example of. So if I were to use this hindsight and advise, your audience I believe are mostly US based, I would recommend that you get ahead of the curve, and start investigating and preparing those investments now, rather than waiting for a federal regulation to come in.

Jim Sterne: 
Wonderful. Mike, thank you so much. Our thanks to you. And Hedwig is the name of the owl behind you. Yeah. Hedwig.

Mike Fong: 
Well gonna learn something every day. Excellent.

Jim Sterne: 
Mike, thank you so much. Thank you very much. 
