Is Your Organization Prepared to Establish a First-Party Data Strategy?
Issue 46: March 10, 2022
The stakes for embracing a first-party data strategy grow more urgent by the day. The evolving regulatory requirement is to adopt organizational privacy practices that put control of one’s data, and the decisions about it, in the hands of the individual, not the organization. In late spring of 2021, in anticipation of the regulatory changes, we advised our clients to move away from, or minimize the use of, third-party, anonymous user-generated, and cookie-based data. The urgency then, and now, was to encourage organizations to embed first-party practices and strategies.
Why is first-party data that represents an organization’s curated known users becoming more of a critical strategy for doing business in today’s economy?
Organizations that have aspired to or have had some success with moving to a data-driven model to be more informed about their customers, prospective customers and content consuming users, are now confronted with having to provide individuals with opt-out or opt-in choices for being tracked and having their data stored and used within an organization.
Web analytic platforms, marketing automation, and similar data collectors and trackers enable organizations to collect behavioral information:
- User navigation paths (how users move through a website, app or application), how often they visit.
- Organic search keyword drivers that may have resulted in their visit to the organization as well as a collection of device and location-based data.
- Leveraging cookies to further track or target users based on their prior behaviors with advertising and to reveal how social channels bring those users to a site, app or application.
Austrian and French privacy advocates, led by NGO European Center for Digital Rights (NOYB), recently scored a major victory as two complaints prompted the Austrian and French data protection authorities to declare Google Analytics illegal for unduly transferring the personal data of EU residents to the United States. NOYB has now sent 270 draft complaints to website operators who use cookie banners that do not comply with the EU data protection rules.
If you are an organization that serves Austrian and French audiences and you are using Google Analytics to collect data from either country, or are then transporting that data to your US business location, your actions may now be considered illegal.
If you are an organization that serves EU citizens and you have oversimplified your consent banner presentation, watch out: you may soon receive a complaint and be in violation.
Anonymous User Behavioral Data
Most tracking and data collection via an organization’s website, app or applications comes from anonymous users (people who have not logged in or otherwise identified themselves). Historically, organizations have sought to make digital usage and interaction easy given human failure to remember usernames and passwords. Keeping content free and frictionless to consume has been popular; however, there are significant consequences.
The data is valuable to an organization and informs understanding of its general user base, but analyzing it to gain insights and intelligence for decision making can lead to faulty conclusions.
Although we may discern how anonymous users navigate through a website, what location they are in and what device they are using, that is pretty much all we know about them. We don’t know if all or a percentage of them represent our target market. We also don’t know what needs or wants they had that resulted in them coming to our digital properties. Nor do we really know who they are, where they work, what their interests are, and perhaps how we can serve them better.
When users don’t take an offer, convert or otherwise reveal themselves, we are in an identity blind. If an organization doesn’t know who users really are, what their interests are, what positions they hold, who they work for, or why they have a need or want, then how does an organization strategize and take action?
Organizations using anonymous data to drive decision-making are only looking at one loop of data. To drive real value, concentric data circles are needed to inform brand value perceptions and actions that trigger conversion, deepen value, and identify current or desired sets of users within the targeted market.
Known User Behavioral and Demographical Data
Known user behavioral data, collected and managed via a first-party data strategy, is going to become more and more critical; what we do is often very different from what we say we do. Consider how responses to surveys are inconsistent and may not reveal objective actionable data. This is because an organization decides what questions to ask to get the answers it wants. At the same time, respondents often feel compelled to tell what they think we want to hear and know. The result is a disconnect from reality; only behavioral data can help close the gap.
The solution then is a focus on first-party data that collects behavioral data from known users and matches their interests, needs and wants with the demographics of known users. This approach also includes additional implicit and explicit data capture. Want to learn more about First-Party Data Strategies? Read our First-Party newsletter edition from last spring.
Regulations are evolving to define and classify behavioral, location and other anonymous data as inference-based data. In other words, it can be used to identify an individual user’s wants and interests in a variety of ways, whether that be by IP correlated to a physical address or the like. Where an organization hasn’t received consent, an organization is going to have even less anonymous user-generated inference data.
A major gap and omission across US state-based policy, and to some degree in the EU, is the definition of inference-based data. Definitions are currently broad and far-reaching to include IP address, numeric “tracking” IDs in use by Google Analytics, and any data generated that can be curated, joined, herded, and analyzed to profile and identify users. Even if a user is anonymous, the inference data is considered the individual’s data, by virtue of a numeric tracking identifier (browser ID, IP address, session ID or the like).
Regulatory Privacy Compliance
Why has it become even more urgent for organizations to make the shift to first-party data? The regulatory environment is more and more energized to protect privacy and put control of data and decision-making in the individual’s hands.
The regulatory activity began with GDPR in the European Union. States within the United States, given the inability of the US Congress to enact a Federal Regulation and Policy, have put in place their own state-based policies. Most recently Utah will become the fourth state in the US to adopt their own major state-specific policy, joining countries around the world, most recently UAE, Saudi Arabia and Australia, which have enacted privacy regulations to protect users.
Changes in privacy regulations are escalating and creating an environment of diversity that will require organizations to offer customized regional-specific controls, language and agreements to their users around the globe. The one-size-fits-all approach taken in response to GDPR won’t remain a viable and compliant strategy and will initially inhibit an organization in continuing to collect and use user data — until they are told to stop.
In the United States, President Biden appears to have a new focus on Federal level privacy policies in the US. At the end of his recent State of the Union address, he alluded to the possibility of a Federal Policy to protect all users from having their data collected or being retargeted with advertising. He talked more specifically about protecting our children from business practices that cause harm and stated: “As Frances Haugen (Meta/Facebook whistleblower), who is here with us tonight, has shown, we must hold social media platforms accountable for the national experiment they’re conducting on our children for profit. It’s time to strengthen privacy protections, ban targeted advertising to children, and demand tech companies stop collecting personal data on our children.”
EU’s Evolving Privacy Regulations
Strict privacy protocols started in the EU. The EU opt-in structure gives complete control to the user. In other words, EU citizens must first opt in to a relationship with an organization. Many companies and organizations sought to comply in the simplest means possible, often by maintaining a strategy to protect the user experience. Corporate awareness and consent for compliance are now under great scrutiny by EU policymakers. They are investigating how companies and organizations implemented consent in response to their policies in ways that left users neither fully aware of nor informed about what they were agreeing to have collected and used.
As a result, stricter changes are now set in stone defining how organizations must present, inform and gain consent. The Digital Services Act (DSA) in the EU is expected to be approved in the near term, expanding new regulations for digital communications including advertising, retargeting and user choice for the suppression or display of any type of advertising.
Are you currently using cookie-based tracking for retargeting advertising? Once the DSA is implemented, organizations will have few if any options remaining to reach, curate and understand an audience and target them with advertising enticing them to buy, subscribe, join or register. Only first-party data from known users who provided consent will be viable and able to be leveraged.
Privacy in the US
The consent process is different in the US. Several states, in lieu of a specific Federal level policy, have enacted state-specific regulations and policies. Most states which have implemented some form of a privacy regulation or policy (with the exception of Colorado) have structured the regulations and policies around user “opt-out.” This means a business/organization has the opportunity to communicate with users or prospective users until and up to the time the user “opts out” and tells them to stop.
The CCPA and the CPRA, put in place by California, are viewed as a set of stronger regulations that seek to protect citizen privacy and give citizens options for providing consent. Other states, notably Nevada, Virginia and Colorado, have enacted similar regulations in the absence of a United States Federal regulation.
With new privacy attention in the US Congress sparked by President Biden, it may be a foregone conclusion that once the federal regulations to protect children are put in place, states will soon follow. It may be another foregone conclusion that the regulations put into place to protect children may extend to protect all individuals in the United States.
Do You Need a Privacy Manager?
Managing the evolving landscape of privacy consent may be best facilitated by a privacy manager. This role can build bridges between management and tech teams, fully informed by state and federal regulations. ZipRecruiter defines the position as a manager responsible for risk management and data security for an organization, ensuring compliance with local, state, and Federal regulations and implementing a privacy program for the organization. The privacy manager works with leadership to create the consent platform, ensuring that it includes all relevant stakeholders.
Privacy policies encompass both external and internal focuses. Managers also seek to protect employee biometric data, customer credit card information, sales information and market reports. The privacy manager needs to be a subject matter expert when it comes to risk management and data security, and duties involve working with cybersecurity teams on potential breaches, managing issue resolution, and other responsibilities depending on the industry. And of course, ensuring that consent programs are consistent with the regulations and protect both user privacy choices and first-party data tops the list.
Planning for Today and the Future
Organizations have challenges ahead to be compliant with a growing list of different regulations, and they will have to implement and actively manage consent-based platforms as well as internal systems to collect and manipulate user data. Organizations must begin the transition to first-party data by enticing users to identify themselves and provide the organization permission to collect and use the data they provide.
As this consent process unfolds, implementation and management with all its jurisdictional iterations will decrease the amount of user data by potentially 30%-40%. The remaining data will provide a complementary percentage decrease in market intelligence that will lead to necessary guesswork and assumptions related to users who declined consent.
The only viable recourse for any organization is to move beyond upsetting users with login requirements to encouraging viable user relationships. This approach results in a user becoming known to an organization and providing consent based on the trusted relationship.
Anonymous user data has always had limited value and came with the inability to gain additional information from users to understand their needs, wants and interests. So, if an organization decides that moving to first-party data is too hard, there really is no other alternative for continued sustainability and growth of data.
We are the first to admit that staying one step ahead of the changing regulatory environment could be a full-time job. At 2040, our job is to stay informed about the changes and requirements and share the best path forward with clients. We know the nuances and potential challenges compliance can present. We can help prevent disruption, confusion and non-compliance. Let us know if you need guidance in deconstructing the regulatory policies and how to reset your own data strategy.