The growing concern on data privacy and compliance is no doubt an Achilles heel for your data-driven marketing efforts. 73% of marketers believe that data privacy will negatively affect their analytical efforts. But what does the law (GDPR, CCPA, PECR) say? How does the intent of the collection of personal information, the level of intrusion, and the compliance with necessary regulation affect your data-driven marketing efforts? What does it truly mean to be privacy-first? and how is the management of user data favorable in the long run.
The bottom line for data-driven marketing efforts is to improve customer experience and offer bespoke services. Another application of this data is to maximize ROI on their personalized targeted ads. At the bare minimum, customer data is needed to secure your account details, send notifications and invoices, protect against unauthorized activity, etc. Establishing this intent in collecting user data is essential in complying with relevant regulations. To explain in more detail.
Customer Experience and Tailored Service: As mentioned earlier, a preliminary requirement for the collection of customer data is to improve customer experience (CX). As a marketer this data becomes paramount. It involves the tracking of customer touchpoints with your brand. This provides insights on their interaction like preferred social media channels, pages visited, time spent per page, etc.
Using it to suggest products or services, their individual features or the development of new ones based on their engagements and demography — just as an application would require your location information to offer better deals near you. Not to mention data from customer support. All of the above serve in the analysis of customer data and illustrates what works and what doesn’t in enhancing CX.
Improving Personalized Advertising: Additionally, websites track users for personalized advertising. The goal of this is to display ads using data collected on your browser activity so as to identify your interests. A common method of this is known as retargeting. This involves cross-site tracking, where your browser activity includes previous sites which you have visited. Especially product pages and transactional search queries which will serve as data to target advertisements for you. Most retargeting efforts require ad servers which utilize third-party cookies. This type of tracking is generally considered intrusive in nature.
While the intent on the collection of personal information may not seem malicious from a marketing perspective. Web analytics in marketing is always more accurate when there is more data available in quantity and variety, for example:
But to be privacy-first, it is important to know that the level of intrusion might allude to the gathering of PII or personally identifiable information. This involves the collection and processing of personal information which could be used for legal and illegal applications.
Factors.ai is fully transparent on the use of user data and does not monetize customer data or run targeted ad campaigns. More details on the information collected and intent of use are provided here
First-party and third-party cookies play a major role in the collection of personal information. The regulation is built around the intent of the cookies being used. Discerning the two is imperative as a privacy-first marketer.
Before we get into the differences between first-party and third-party cookies, here’s a textbook definition of cookies just so we’re all on the same page. Cookies or HTTP cookies are small pieces of data that are sent to your browser from a web server. This data will be stored locally in your device. These cookies are made so that the website can identify you the next time you visit it. Cookies are broadly classified as first-party cookies and third-party cookies. Now that that’s out of the way.
First-party cookies are set by the website you are browsing on. Their preliminary intent is to collect website analytics data to make a website functional and enhance user experience without having to authenticate every interaction. If these cookies were blocked, a user would have to sign in every time they visited a new page on the website. From a marketing perspective, this is the bare minimum for the functionality and analytical efforts. Even things like a change in language settings would require a first-party cookie so that the change in the settings would sustain, let alone any other data required for data-driven marketing. For example, first-party cookies could be used to highlight how many visits to certain blog pages correlate with user firmographics.
Third-party cookies are tracker cookies which are set by a third-party server (or an ad server) that are not part of the website you are browsing on. They are accessible to any website that can load the server’s script. More often than not, these cookies are used for advertising and are set by advertising networks — like Google’s AdSense program.
Websites that accommodate ad spaces from servers such as Google’s “DoubleClick” also allow them to place third-party cookies. These cookies can track your browser history and identify interests for it to facilitate retargeting. So, when you visit a website that also hosts a similar ad server, it will display a targeted advertisement using the third-party cookie.
Factors.ai only uses first-party cookies to enhance your user experience with zero intention in building an interest profile or a third-party context with first-party cookies. More information on the usage of cookies here.
Now that we understand how data is collected and the different intentions behind collecting it, understanding the regulation built around it comes next. Given that one in five marketers report that marketing privacy compliance is a major challenge, compliance is a prevalent bottleneck in data-driven marketing. Understanding the regulations that govern privacy compliance can help seal the deal in being privacy-first. Without getting into much detail about the specifics of these regulations. Here are how the following regulations affect the tracking of user data as a marketer:
It is important to note that the consent of collecting personal information cannot be preordained or implied like in the form of pre-ticked boxes. Instead, the user must choose to opt-in to the collection of data and provide adequate detail on the information being tracked.
When complying with the GDPR, businesses must also comply with a set of rights with regards to personal information being collected. These include:
· The right to disclose and access the information collected
· The right to request for a correction of the information
· The right to request the erasure of personal information
· The right to register a complaint on the handling of personal information
· The right to request a restriction in the processing of personal information
· The right to object to the method in which your information is being processed
· The right to retrieve personal information and transfer it to another party, and
· The right not to be subject to a decision that is based on automated processing and has an adverse legal effect on the user
Under the CCPA (Applicable to California residents, all businesses that interact with Californian residents including online businesses, and any business outside of California — but within the United States of America — that subscribe to the regulation as a form of good faith). The collection of personal information does not require opt-in consent. However, there is an exception. If the user of the domain is between the ages of 13 and 16, the collection of personal information would require their consent. But, if the user is under the age of 13 the user’s parent or guardian would have to consent to the collection of personal information. As a marketer — with users applicable under the CCPA — corrective action to delete personal information of users under the age of 16 collected inadvertently must be exercised. And the consent of users that require it must be informed of the personal information they are consenting to and appropriate party (parent or guardian) required to opt-in. Just like the GDPR, users under the CCPA have the right to access personal information being collected and the right to opt out of the sale of personal data to third parties.
This regulation (PECR is applicable in the United Kingdom and non-UK businesses that do business in the UK) deals with unsolicited electronic marketing, which includes things like cold calls, fax, text and emails, etc. PECR does not apply to solicited marketing — or marketing messages that are voluntarily requested. Even if a person has opted-in for marketing from your businesses, there are still instances that are defined as unsolicited, which would have to comply with PECR. As a marketer that relies on email marketing, detailed information on the consent must be provided to the person you are emailing. Consent must be received in the form of an action, whether it is written or ticked on a box. The rules of PECR slightly differ for B2B, where there is an exception to retrieving consent for emails and text messages. If you intend on the processing of personal information of corporate subscribers (B2B) or/and individual subscribers (B2C), the rules of UK GDPR apply.
While marketing under the aforementioned regulations would advocate a fair degree of privacy assurance to your users and necessitates consent. A service organization controls 2 or SOC 2 compliance, raises the stakes on the safety and confidentiality of customer data. And that’s exactly what it is. A SOC 2 is a set of criteria that define how a business should go about managing customer data and the examination of relevant controls in accordance with those criteria. While it is not legislation for data privacy, an SOC2 certification is the cherry on top of your data privacy practices and the forefront of establishing security standards as a part of being a privacy-first organization. It works on 5 trust principles:
1. Security: This involves the use of tools such as application firewalls and two-factor authentication for the protection against unauthorized access of systems.
2. Availability: This refers to the software, systems, or information that is available and is being maintained at a minimum acceptable performance level.
3. Processing integrity: This ensures that a system completes its objectives in a valid, timely and authorized manner with no errors in the system processing.
4. Confidentiality: Using encryption and limited access of data to ensure its disclosure is only restricted to a few people.
5. Privacy: This refers to the personal information of the system that is being collected, retained, used, disclosed and disposed of in compliance with the organization’s privacy notice and GAPP (Generally Accepted Privacy Principles).
Factors.ai is compliant with all of the regulations mentioned above (GDPR, CCPA, PECR). Factors.ai uses de-identified data for their analytical purposes (more information about that on https://www.factors.ai/privacy-policy). Factors.ai ensures complete data transparency and user control over information collected which can be disclosed and/or erased on request by emailing firstname.lastname@example.org. Factors.ai is also SOC 2 compliant — developed by the American Institute of Certified Public Accountants (AICPA).
As more intent and uses of personal information by businesses get discovered, postmodern norms for regulation on the safe collection of data gets more rigid. Falling short on the compliance of these regulations will lead to the obstruction of marketing efforts. Here are some reasons as to why marketers should consider becoming privacy-first:
1. Data privacy and being privacy-first is bound to become an industry standard for marketing considering that web analytics is more of a necessity than a value adding requirement.
2. The legality of data privacy regulations will severely affect the operational efficiency, and even the going concern of the business. Data privacy under legislation is an obligation.
3. The conception of regulation for data collected and processed by artificial intelligence caused by an inevitable surge in automated workload is well underway.
The ban of Google Analytics (GA) in Austria as a result of not complying with the GDPR has GA treading on thin ice. Regulation will only get more stringent — like the new revisions of the CCPA under the CPRA which goes into more detail on the sharing or disclosure of personal information. Being compliant early will help you stay ahead of the game.
More businesses will need to prioritize being privacy-first by building a decision framework around the management of personal information. This means making data privacy, its regulation, and the control of user data for the long haul the cornerstone of marketing efforts.
Get the latest best practices in Marketing Analytics
delivered to your inbox. You don't want to miss this!!