Most of us have barely accepted the EU’s General Data Protection Regulation (GDPR) as a fact of life. Now brace yourself for California’s Consumer Privacy Act (CCPA), Brazil’s General Data Protection Law (LGPD), and South Africa’s Protection of Personal Information Act (POPIA). If that isn’t enough, there is a slew of data privacy laws proposed in the U.S. and around the world.
With so many acronyms swirling around, you could easily be overwhelmed. Although you will need to pay attention to the details of individual data regulations as they arise, all the privacy regulations share many commonalities. At MarTech East, I addressed eight areas of privacy practice that you need to adopt right now to ensure sustainable digital marketing for the coming privacy changes. They are:
Out of the privacy practices for digital marketing discussion, the following set of questions arose. These are my thoughts on the details of digital privacy marketing practices:
Q: Can you tell me about a client who moved from a compliance mentality to truly embrace it as a core value of their marketing and what triggered that change?
I worked with a life sciences company that aggressively wanted to expand its market share in North America. Coming from a heavily regulated industry, the majority of marketers were used to thinking in the context of a compliance framework, which gated the creativity and innovation required to support the business growth margin. The CMO, in collaboration with the other C-Suite executives, decided to develop a set of core guardrails that addressed a slew of concerns. The guardrails ranged from regulatory (e.g., which countries allow drug promotion to consumers) to legal (e.g., privacy). I call these guardrails digital policies as they dictated the boundaries of what is and is not allowed in digital marketing. Everything inside of the edges is fair game.
Within 18 months of rolling out the new approach, marketing teams reported increased satisfaction with their ability to do their job. Local market digital teams had an even higher rate of satisfaction. Campaigns began to have a noticeable level of “out of the box” thinking. While the company is not able yet to directly measure market share increase, it has been able to see healthcare practitioner recommendations to patients increase. That KPI is a good indicator that in time market share will expand.
Q: Is it a good way to address data privacy through data governance processes?
Data governance processes can help ensure you are compliant with legal and regulatory practices, but I am not a proponent of entirely relying on data governance to drive privacy practices for digital marketing. When organizations adopt data governance processes, they often do so at the cost of being overly process-oriented. This slows down campaign and content production. It can also limit creativity and hyper-targeted engagement with the end-user. Embedding data governance efforts into digital governance can balance out that behavior and usually results in the best scenario for the organization – freedom within a framework.
Q: What advice do you give to marketers that want to work with large companies with different privacy guidelines (e.g., Facebook) when your internal regulations are stricter?
Be clear about your digital strategy and explore whether there are alternatives to achieving the same goal without using vendors whose principles do not align with yours. If there is no alternative, you need to document the opportunity and the risk and let the business side of the house make the decision. In other words, let the business decide what, if any, principles they are willing to sacrifice. If leaders determine the organization will engage in risky behavior, then they need to offset that business risk with insurance, fiscal reserves, or understand that the risk might result in loss of profit or brand.
I have been part of marketing efforts where third-party vendors (e.g., Facebook) were willing to make adjustments to their practices or amend their data processing agreements. For that reason, I always advise that you involve your legal team and explore possible adjustments.
Q: How do you set the boundaries far enough out to accommodate advancing data and analytics technology?
You tie your guiding principles to your organization’s core values and objectives. That way, no matter the technology or digital channel, your boundaries will not change unless the organization’s core mission changes. For example, if trust is a core business value, then all of your digital behavior will work to support confidence with investors, prospects, customers, employees, etc. That will fundamentally dictate how much data you collect, what you do with it, and how long you keep it. Advancing data and analytics tools will still keep you aligned with the intent of trust, no matter what tools and technology you adopt. But you may not be the first adopter of the technology, choosing instead to embed trust as part of the adoption process.
Q: Is there an easy way to measure how compliant your website is? We have so many, and many more new that keep being worked on.
Yes, there are many privacy and quality management tools on the market. Because I remain vendor-neutral, I can’t publicly endorse any of them, but they are a good part of a holistic quality program. The problem is that none of them will get you to 100% privacy compliance because there is only so much that a tool can automatically check. Also, most platforms selectively choose which data privacy regulations and laws they will include in their roadmap (e.g., GDPR, CCPA) but don’t look to adopt 100% of the world’s laws and regulations (e.g., POPIA, LGPD, etc.). As a result, you will need to supplement with manual validation.
Q: With data breaches becoming more frequent and IT teams already overwhelmed, it seems this is almost inevitable. Have you heard of data breach insurance? Or data breach recovery companies?
Yes, there are two types of insurance that we are talking about when we think about privacy, and ample vendors who provide them. There is insurance for non-compliance with data privacy regulations, and then there is specific insurance for data breaches. Which you choose heavily depends on your risk tolerance, the investment you want to make in shoring up your systems, and the likelihood of something terrible happening. Most organizations will face a data breach, and the question is when that will happen and how extensive it will be. I highly recommend that organizations consider insurance as an alternative to both legal/regulatory compliance and data breach. It is an option, and it might not be the right one for the organization. But sometimes it is, and everyone needs to be aware of that option.
Data breach recovery companies are helpful to understand. Again, everyone will face a breach sooner or later. The question is the extent and how quickly you will be able to assess the damage – if any – done. I had a client who faced a breach nine months ago. The organization had no relationship with a data breach recovery company. When the breach happened, the organization made a good number of missteps, which resulted in financial losses, but also the loss of customer trust and brand reputation.
Planning ahead of time and developing the right vendor relationships to address a potential breach is a prudent move by any organization.
Q: Are data onboarders like LiveRamp a “safer” way to share data with the Facebooks and Googles of the world?
Data onboarders can be a way for organizations to leverage alternative targeting ecosystems that compete with the Facebooks and Googles of the world. For GDPR, CCPA, LGPD, and POPIA compliance purposes, going directly to the Facebooks or Googles of the world is preferable. This is mainly because you are dealing with first-party data and consent mechanisms, versus third-party data from vendors such as LiveRamp, which are viewed with more suspicion. But they are an option, and I don’t shy away from presenting them as such, even though they may not be the top choice solution for my clients.
The bottom line for your digital marketing privacy practices is clear. After years of collecting as much data as we could, we are starting to realize that all that data has an evil twin: risk. Consumers are also becoming more aware that their information is a valuable resource. Take the time now to ensure you have the right practices in place. It will support sustainable marketing efforts for many years ahead.