Does that make it our fault if a company uses the information in a way that doesn’t give us a better experience? Is it our fault we don’t ask for more specific details on what they want to collect and how they plan to use it? Because I will be honest, I’ve yet to see a website that takes my information and uses it to really improve my experience going forward.
There’s plenty of responsibility to go around on why and how personal data is collected and used. And the EU General Data Protection Regulation (GDPR) puts in place rules that help both consumers and companies own up to it.
The rights of data subjects (consumers)
Let’s focus on consent and data subject rights:
- Consent to store and leverage data - in clear and easy understand language what they are collecting, why, who they are sharing it with
- The right to access that data - find out what data they have, see it and get a copy of it in easy machine-readable format, even change it
- Right to be forgotten - to request it be removed and prove it has been removed
- Right to data portability - request to bundle it up and send it to another party (often a competitor)
Tim Walters, Principal Analyst and Privacy Lead for the Content Advisory, and co-founder and Principal Analyst for the Digital Clarity Group points out a couple of key things around these rights in a recent podcast I did with him for a client.
- First, what constitutes personal data has expanded greatly. It should considering the digital footprint we leave. Personal data is anything that applies to a natural person (so not an entity, company, or a dead person) either directly (name, address, other PII, PCI data) or indirectly (device id, browser cookies, IP addresses). Walters offered the example of gender, age, and postal code - alone each of these won’t point to a particular person but used in combination - they could easily identify a person; this makes this information personal
- Companies have to respond to requests in a timely manner - typically within one month, and they can’t charge for this request - although Walters pointed out that they may be able to do so for repeated requests.
- Consent is a tricky thing. Every consumer doesn’t respond to consent requests in the same way. Expectations for value exchange are different as an example. Walters believes marketers and CX professional should be responsible for defining the experience of consent management, leveraging work done on personas and segments to figure out how to best formulate and design the request.
- For most organizations, data is siloed and fragmented. Figuring out what, if any, data you have on a person may seem nearly impossible. There’s a huge data governance exercise that needs to happen, and it requires marketing and IT to work together to resolve it.
Consent management software takes center stage
With the GDPR so close we are starting to hear more about software that supports consent management - asking permission to collect data along with the rights of data subjects to know what data you have on them, see it, change and even request it be deleted or given to someone else.
When I spoke with Dave Scrim from Conversant, he talked about what his company was working on in this area. He said Conversant took a privacy-first mentality from day one; it is audited yearly by PWCC to make sure there’s no way to tie a person to the data they store on that person. Privacy is built-in.
In the EU, Conversant plans to be 100% compliant and have been developing tools to support the rights of data subjects, including everything noted above. Scrim said they will share these new tools with clients and with their publishers; possibly even competitors (and they don’t plan to charge for the tools). Conversant believes this is about protecting consumers.
But it isn’t just Conversant developing tools in this area. Lytics is a customer data platform for marketers that connects customer data across marketing technology. It is offering three new tools for GDPR compliance including consent management, profile management and security and portability. There’s not a great deal of information on these tools on Lytics website (then again there isn’t on Conversant’s either), but what I did find indicated full support for Data Subject rights.
What’s good about Lytics is their ability to stitch customer identities across platforms, their social login capabilities to manage consent across multiple websites, as well as a tool called Campaign Builder, that lets you build and manage your consent forms in a single location.
A few more software companies that are providing privacy and compliance: Consentua, OneTrust, and Kudos Data Solutions. There are more - here’s a free report listing a ton of them - and there’s also the point that you could build something in-house using tools you already have.
Is the cultural change required too big?
As marketers, and even customer support teams, we are taught to capture as much information as possible about customers and visitors so that we can use this data to make their experience better - better products and services, better website experiences, better applications and so on. This is the time of the data-driven marketer - more information is better. But is it really?
Walters told me that one of the biggest challenges to GDPR compliance is that the regulation is asking for a fundamental cultural change in how we deal with customers and their data. But he thinks it’s not as big a challenge as some might think. According to Walters, intense data-driven marketing and customer experience hasn’t been around that long and isn’t that mature.
He sees compliance with the GDPR as a way to improve customer experience because you have to take the time to think about what you need, why you need it and how you are going to use it. And... you are being completely transparent with the consumer on all of this. Transparency leads to consumers being more willing to share their data, and get a better experience for it.
As consumers, most of us are willing to share our data if we believe we are getting something of value in return. But as Scrim pointed out, in our rush to share our personal information, we are just now starting to realize we have given up control over it. GDPR is designed to stop that for the EU, but is it something that the US or Canada will adopt?
The truth is, it may never be adopted in the same manner, but that doesn’t mean companies can’t provide these data subject rights on their own. Scrim said it could be a competitive advantage. Walters agrees and said companies must choose how they will adapt to this new business environment - are they just looking simply to align to it to ensure compliance, or will they look for opportunities to innovate and thrive?
Maybe it’s time companies look at their data practices, whether it’s for the EU or any other part of the world, and start thinking smarter about what they need and how they will provide a better customer experience with it. It’s also time for consumers to pay more attention to who we give our personal information to and why. We have a responsibility to ensure our data is used for the right reasons, and when it’s not, to do something about it. It’s time everyone started paying better attention.