Consumer Privacy and Regulatory Compliance
Organizational Transformation Considerations
The friction between personalization and privacy is a challenge for any organization transforming its business to a digital model. Privacy policies established in the European Union a few years ago are guiding new regulations in the US, and recent announcements from American tech companies are preparing us for a new digital data, communications, and marketing reality: one that at its core significantly alters and limits the marketing techniques, data collection and practices that many organizations have used to engage current and prospective customers. How organizations have measured their marketing, communication and engagement to assess performance, effort and effectiveness is also about to be radically altered.
The key issue for all organizations in the very near term will be how to understand and leverage the demographics, behavior, actions and interests of current and prospective stakeholders when the data that was formerly available is restricted. The temptation to stick to a current approach and model may result in fines and/or consumer backlash, while a holistic approach and model that does not allow for customization to region or regulation will create self-imposed roadblocks that are simply not necessary.
Addressing compliance is not a one-size-fits-all strategy or approach, although many would argue that a holistic approach is easier because there are fewer moving parts.
The EU’s Government Data Protection Regulations (GDPR) has influenced regulation in the US. In the absence of US Federal action, states have put in place or are developing regulations that will protect consumer privacy within state borders. In many ways, organizations doing business in the US over time may find they are contending with 50 different sets of regulation as more and more states address privacy.
- The California Consumer Privacy Act (CCPA) and the subsequent California Consumer Rights Act (CCRA), the first regulations in the US to be enacted at a state level, apply to any company with data on more than 50,000 consumers or more than $25 million in gross revenue, and carry fines of up to $7,500 per customer record for non-compliance.
- Nevada and Delaware have followed suit with their own regulations and New York State and the Commonwealth of Virginia are expected to pass a version of the CCPA/CCRA that will make California’s laws look like a picnic as they include an expansion of protection and oversight of what many define as “public domain personal data” like addresses, real estate records and more.
- And let’s not forget HIPAA, GLBA, the Children’s Online Privacy Protection Act, the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, the NY Cybersecurity Requirements for Financial Services Companies, and the SEC Statement and Guidance on Public Company Cybersecurity Disclosures.
- Lastly, in the past few weeks, the US Congress has once again been talking about Federal-level privacy and anti-competitive practices and has already moved several new pieces of legislation out of committee on a bipartisan basis to regulate major tech companies.
For those companies doing any business in the UK or Europe, GDPR continues to be enforced. Recently, the EU has started to formulate a significant fine applied to Amazon for their use of customer data and the EU is furthering anti-competitive suits against Google for their use of customer data, specifically the ability for the Chrome browser to take advantage of user data via third-party cookies.
Google and Apple
In February 2020, Google announced the phaseout of cookies by 2022, explaining, “Users are demanding greater privacy–including transparency, choice, and control over how their data is used–and it’s clear the web ecosystem needs to evolve to meet these increasing demands.” Apple has instituted, and is continuing to expand via its operating systems (OS), its own privacy policy changes that will prevent the “pixel” from communicating back to email and marketing automation platforms and shut off the ability of marketers to see if and when an email is opened through Apple’s Mail app. The newly released strategy also reveals that users (and companies) will be able to hide IP address and device ID information at will to prevent tracking of web usage.
Activity by tech companies is in some regards being driven by the comments or actions of regulators and legislators, with the intent to demonstrate that the tech industry can continue to police itself and address public criticism of its practices. Regulators and legislators around the world maintain that self-policing has failed and it’s time to take action.
Organizations need to educate themselves and develop the competencies to correlate the current changes, attempt to make some predictions of what is coming, and align that education and those competencies with organizational strategies, plans and tactics.
The Road to Transformation
Transformation to an actionable, transparent data-driven business model is critical to address the complexity of personalization and privacy. Many organizations have bought into the marketplace hype on becoming data driven. Unfortunately, we often see that the focus has aligned too closely with a “just good enough” mentality.
Mastery of data is complex considering system limitations, lack of skillsets and/or lack of understanding of the definition, value and actionability of customer data. We often find that individual priorities, decision-making or focus result in siloed plans that do not take a systems thinking approach to the interrelationships within the internal organization and relationships with current and prospective customers. As such, compliance may not be achieved nor will an organization be able to collect and curate the most valuable customer data (First-Party Data).
At 2040, our core belief is that true data-driven cultures and business models embed, understand and focus on concentric circles of interrelated data and establish the priority for high-quality data collection across every internal and external process in place.
Data must have definition and meaning in context of the organization and the relationship with its current or prospective customers.
What Do You Do?
The transition from leveraging third-party data to building a foundation of first-party data should not be underestimated. As much of third-party data is about to disappear, and second-party data freely shared historically between partners (organization to organization) will be limited at best without the explicit consent of each and every customer, your critical path strategies must include a focus on first-party data and a move to bring capacity and capability in house. The providers, partners and platforms you have relied upon simply may not exist, be able to share and exchange data or continue to be of value.
Now more than ever, you need expertise and capability built into your internal workforce and processes.
First-party data can be defined as the data you collect from your customers and the constituencies that interact with you, and the actions they take with what you offer. This includes internally captured data on purchases or interactions, implicit or explicit attributes (demographics and inferred or direct psychographics), duration and frequency of interaction and more.
Why should first-party data be your primary focus?
First-party cookies that track basic data about your own website’s visitors are still safe for now. With a first-party cookie, you can learn about what a user did while visiting your website, see how often they visit it, and gain other basic analytics that can help you develop or automate an effective strategy around them.
Your own marketing automation, with a customer’s permission and an effective compliance program, can continue to provide some insight.
However, your overall transformation strategies, tactics and plans need to focus on explicit customer consent, delivery of a valuable relationship, how data is defined and what its value is along with clear communication of why an organization wants data from its customers.
2040 helps organizations navigate the sea changes of finding their new normal. We offer actionable expertise in the strategy and operations of digital growth and engagement, empowering an empathetic workplace culture, strengthening your value proposition and driving revenues. We’ve been in your shoes and we know what impedes transformation … and what unlocks it.