Eliminating Vendor Risk Is a Critical Step to Win Back Consumer Trust

You don’t have to work in ad tech to know there’s growing distrust around how personal information is being collected, used, or misused. With the GDPR in effect and the CCPA on its way, publishers should consider what third-party partners are doing with their data and take steps to eliminate vendor risk.

Editor’s Note: While originally written for the publishing audience, marketers face a similar situation, as they work with vendors and must be compliant with GDPR and eventually CCPA.

You don’t have to work in ad tech (or even advertising at all) to know that there’s a growing sense of distrust around how people’s personal information is being collected, used, or misused by the various content, commerce, and online service providers they interact with every day. But publishers have a front-row seat to the drama as it all unfolds – and an added layer of responsibility, given the direct relationship between users and their content.

With the General Data Protection Regulation (GDPR) in effect and with a look ahead to the California Consumer Privacy Act (CCPA), it’s important for publishers to consider a potential consumer trust issue of their own: what third-party partners and vendors are doing with their data.

You’re Only as Safe as Your Partners Are

To be clear, many publishers have already stepped up their privacy game. Whether it’s to stay compliant with new regulations or actively regain public trust, legacy and digital-first publishers have raised the bar on internal privacy standards, moved toward restricting access to their user data, and worked to secure their systems against breaches and attacks.

Unfortunately, implementing these changes alone is not enough. Not when publishers rely on a host of third-party partners to help keep everything – from video players, to content personalization tools, to programmatic ad deals – functioning effectively.

Each of these partners has its own approach to data collection and usage that needs to be added to the publisher’s overall privacy equation.

Since cutting ties with all third parties isn’t exactly a simple (or realistic) solution for most publishers, partnering with service providers on a privacy action plan – one with overarching standards, but with enough modularity to work across multiple vendors – is a straightforward way to help eliminate that risk.

1. Standardize the Vendor Selection Process

Keeping consumer data sacred starts with being highly selective about whom you work with. Rather than asking ad-hoc privacy and data usage questions, develop standardized questionnaires as part of your vendor selection process. Ask prospective partners pointed questions such as:

  • What data will you collect from us?
  • What is the purpose for collecting this data?
  • What controls and safeguards do you have in place to ensure data is handled properly?
  • Will you share our data with other third parties? If so, with whom and why?

Furthermore, only work with vendors that have received industry certifications from trusted third-party auditors. And of course, put a process in place to revisit each vendor’s data management approach on an annual basis and as regulations change.

2. Get Technical and Business Leaders on the Same Page

Obviously, technical subject matter experts such as the CTO and CPO, and regulatory experts like Legal should play a significant role in managing vendors’ data privacy compliance. But the responsibility shouldn’t stop there. Protecting user data and preventing leakage requires input from key stakeholders in disciplines like sales, marketing, and even platform support.

Business leaders often own the day-to-day relationship with the vendor, and thus have an on-the-ground perspective that the technical experts may not. As a result, they can be more aware of the intricacies of the relationship than the technical experts alone.

Similarly, platform support and sales leaders may have an understanding of site glitches that could be compromising user data, and examples of how, when, and why privacy shortcuts might have been taken in the past.

Privacy and trust are far too important to be relegated to technical leads only, so keep business leaders looped in from the beginning to ensure full coverage and alignment.

3. Plan and Communicate

Trust, of course, is built on communication.

Be transparent with customers about the partners you work with, the data they use, and how you’re working with partners to keep everyone’s data safe. Ideally, this info comes as part of a broader education campaign about how you’re putting customer privacy first in your data initiatives.

Meanwhile, the sheer volume of consumer data in play means that missteps are unfortunately inevitable. This makes having clear emergency protocols and plans for handling worst-case scenarios – including how to communicate details to customers – a critical step in the process.

Throughout these communications, be sure you’re conveying information in simple English, not technical jargon or legalese. To see how it’s done right, learn from some of the brands noted for doing it best.

Remember That You Don’t Need to Go at It Alone

Use trusted vendors as a resource for best practices and as trusted privacy guides. At a minimum, they’ll be able to help you better secure data through their own systems. They may also give you fresh perspectives on how to choose other vendors wisely, and can provide critical support in driving better data standards industry-wide.

With the right approach to partnerships, publishers can leverage vendors as allies (as opposed to bearing with them as potential risks) in the fight to win back customer trust.

2019 to 2022: The Evolution of Consumer Consent and How to Adapt

By opening a dialogue with audiences about data collection and processing, as well as empowering them to decide how their data is used, marketers and publishers can enhance their relationships with consumers.

Editor’s Note: While this piece was originally written for the publishing audience, privacy legislation and consumer consent are still very important topics for marketers to navigate.

The EU’s General Data Protection Regulation (GDPR) laid the foundation for privacy legislation in 2018. One of its key aims was to give consumers more control over their personal information and make users understand they have a choice when it comes to providing consent to data collection and processing.

In the US, initial responses to the GDPR ranged from criticism to pay walls or completely blocking EU visitors from accessing content. While many companies made sure their legal teams were up to speed with the newly introduced regulation, multiple factors are now making US publishers sit up and further address data privacy, associated regulations, and the importance of consumer consent.

Google’s €50 million fine — issued by French regulator CNIL, for lack of valid consent in ad personalization — was one of the first to grab attention. Fines for data breaches might not have been as frequent as some expected, but regulators have had time to build cases and more large fines are expected to come, according to The Wall Street Journal.

In addition, US states are working to implement their own regulations. California’s Privacy Act (CCPA) is due to come into force in January 2020, Vermont’s new legislation is already in place, and a consumer privacy bill has been proposed in New York. The exact requirements of each regulation may differ from the GDPR — the CCPA relies on the user opting out rather than opting in, whereas opt-in is expected as part of the New York Privacy bill development. There may even be a federal regulation requiring opt-in on the horizon, with privacy advocates such as Apple CEO Tim Cook, as well as members of the Federal Trade Commission, calling for a stricter national privacy law.

Collecting user consent may not yet be a legal obligation, but publishers are realizing that it makes good business sense as consumers demand more control over their personal data. According to GlobalWebIndex, more than 70% of US consumers say they are both more aware of, and more concerned about how companies use their information than they were 12 months ago, while less than half feel they are in control of their personal data online.

By opening a dialogue with audiences about data collection and processing, as well as empowering them to decide how their data is used, publishers can enhance their relationship with consumers. Demonstrating transparency and responsible data use builds trust, but also educates users via one-to-one communications about the necessity of data to their business models and the inherent value exchange.

Publishers that go beyond the one-size-fits-all approach to create meaningful consent experiences right now will reap the rewards in the long term. The next two years will be critical for consent and there are a number of practical considerations to take into account when implementing consent programs.

Ensure Usability

The consent interface is often the first point of contact between publisher and consumer, so care needs to be taken in its design and functionality. Consent requests need to achieve the perfect balance between giving the user the details they need to make an informed choice and not alienating them with complex jargon they won’t understand or unnecessarily disrupting their user experience – all while ensuring legal compliance. Consent requests should be highly explicit, giving users the power to opt in or out of data collection for specific purposes or by particular companies. Ideally, publishers should test a variety of messaging formats to deliver the best possible experience.

Execute Consent Seamlessly

Once a user submits their consent preferences, publishers need to make sure they are integrated across the advertising supply chain. The IAB released its Transparency and Consent Framework (TCF) as a tool to help publishers and other participants in the digital advertising ecosystem comply with their obligations. The updated second version of the TCF increases the importance of consent by enabling users to object to data collection under legitimate interest, an alternative legal basis for data processing. It’s also important that consent preferences can be communicated across non-IAB vendors.  

Apply Preferences Across Devices

With consumers frequently switching between laptops, smartphones and TVs to consume content, it is best practice for publishers to share choices across multiple devices. The ability to connect user preferences to an authenticated profile and apply these everywhere the user interacts with a publisher’s content saves the user from having to supply consent every time they log in through a different device. An authenticated profile is a tool that allows users to manage their preferences across site, browser, and devices, and allows publishers to collect consent signals based on identity rather than cookies.

Publishers in the US who aren’t yet legally obliged to implement a consent program might be hesitant, with the fear it will be disruptive to their business or they will lose advertising revenue if their audiences fail to give permission. However, they need to consider that across the EU, the publishers that experienced the least disruption were those that adapted early and gave themselves plenty of time to get the consent process right.

By 2021, with GDPR well established, the CCPA in force, and other regulations underway, consent will be a user expectation if not a legal obligation. Publishers should start implementing consent programs now to build trusting relationships with their audiences, increase transparency around data processes, and put themselves in a good position to deal with the regulatory changes ahead.

7 Privacy UX Tips From a Privacy and Marketing Expert

There are all kinds of marketing awards, but how about one for privacy UX? How do you make your customers comfortable with your privacy user experience? It’s not just agencies — but ad tech and martech companies, data providers, analytics firms and even management consulting firms that are in the data-driven mix.

Do we need to have an award for a better Privacy UX?

With the Association of National Advertisers’ acquisition of the Data & Marketing Association last year came new ownership, too, of the International ECHO Awards. As a lover of data-driven marketing (and an ECHO Governor), it’s very exciting to see brands recognize the strategic role of data in driving more relevant consumer (and business) engagement, and the myriad ad and data partners that brands rely on to make this engagement happen.

It’s not just agencies — but ad tech and martech companies, data providers, analytics firms and even management consulting firms that are in the data-driven mix. These are the facilitators of today’s consumer intelligence that forms the basis for smarter and more efficient brand communication. Some folks even eschew the term “advertising” as we move into a world where branded and even non-branded content underlie data-inspired storytelling that are hallmarks of today’s forward-thinking campaigns.

By the way, the call for entries for this year’s ECHO Awards (to be presented March 2020 as ANA moves what was the DMA conference from this Fall to next Spring) is happening soon — though the entry portal is now open. Let me know if you’d like an invite to the launch party in New York (Wednesday, May 22, in the afternoon).

An Important Part of Brand-Consumer Dialogue — Privacy Notices

One category that won’t be part of this year’s ECHOs is related to privacy-specific communication from brands.

You’ve seen it. I’ve seen it. Again and again — all over our smartphone and laptops … communications asking for our consent for cookies, for newsletters, for device recognition, for terms and conditions — all in an effort to help enable data collection to serve the brand-consumer value exchange and subsequent dialogue.

Some of this is mandated from Europe’s General Data Protection Regulation, with halo impact in other nations and markets. Others are anticipating such notice requirements from California’s forthcoming privacy and advertising law. Still others are simply adopting heightened transparency (and choice) as part of self-regulatory and best practices regimes, where no laws may yet exist.

All of this devoted to one objective: getting a consumer (or business individual) to say “yes” to data collection about them, their devices and digital behaviors, in an effort to serve them better.

This week, during the International Association of Privacy Professionals’ Global Privacy Summit 2019 in Washington, DC, one expert — Darren Guarnaccia, Chief Product Officer, Crownpeak — offered some research insights from some 17 million preference experiences that Crownpeak has helped to facilitate on behalf of its brands. These experiences are focused on Europe in light of GDPR, but the findings offer good counsel to any brand that is thinking through its privacy UX.

Some Privacy Communications Concepts to Test

Here are just a few of the tips Guarnaccia reported:

  • Privacy Notices are Not Just a Matter of Compliance: Yes, they may be legally required in some jurisdictions – but more vitally, they should be treated with the same discipline and care of any other branded communication. Because the ultimate goal is to earn trust — going beyond compliance and permission. As a result, the whens, wheres and hows of such notices are vital to test and perfect.
  • Avoiding Legal Penalty Is Table Stakes — We Ought to Design Such Notices for Higher Purpose: To extend the previous point on consumer trust, there’s a higher price to pay if a privacy notice simply meets a legal expectation, and nothing more. Many consumers have gone “stealth” — using ad blockers and going incognito on browsers. We must remind, convince or persuade consumers of the value a brand seeks to offer in exchange for permissions and consents for data collection, analysis and application. Are we extending such notice in plain language at the right time?
  • ‘Brand’ the Privacy Communication: This may seem obvious — but it’s often overlooked. Does the privacy notice look like it’s coming from the brand — or from somewhere else (such as a browser or ad tech partner)? In gaining consent, it’s always superior for the notice to be owned, cared for and looked after by the brand itself — even if a third party (such as an ad tech provider) is facilitating the notice. Does the creative of the notice match the colors, fonts and point sizes of the brand content behind it? By extending brand requirements to such communication, a brand is taking “ownership” of the data collection, consent and trust-building directly — as it should, in the eyes of the user.
  • Earn Before You Ask: Oftentimes, the consumer is presented with a cookie or related privacy notice upon entering a brand’s digital property — first page, upon entry. Test giving consumers a more anonymized experience for the first few page visits, and then present a notice — “Are You Enjoying What You’re Seeing?” where a data collection permission is then sought. This allows the consumer to indeed value what’s on offer in information on the site.
  • Give Consumers Both an ‘Accept’ and a ‘Decline’ Choice or Button: Many sites offer only an “accept” button, leaving the consumer with an impression that they can “take it or leave it,” with no sense of real control. Test offering both an accept and a decline offer — just seeing the word “decline” reminds consumers they are in control — and the actual decision to “decline” becomes more apparent for those consumers who indeed wish to be stealth.
  • Test Progressive Consent: Not every Website (or app) may need immediate access to user data for all purposes of consumer engagement. For data minimization purposes, perhaps ask visitors permission to collect only basic information (say, for contact, site optimization or customer recognition purposes) first. Then, only when necessary for utility, ask permissions for location data or other data categories, alongside the rationale for such collection and consent, as those needs arise. Asking for everything, upfront, all at once, can be a real turnoff — especially if a user is “new” to a brand. Consumers love — and frankly, need to know — the context for the permissions they give (or deny).
  • Test Privacy Notices by Market: Did you know users in the United Kingdom, for example, are 1.4 times more likely to give consent than those in France and Germany? How notices are worded and rationales explained — how transparency is conveyed — can have a big impact between markets, so it’s best to test notices by individual market (and language) to optimize consent rates. In short, national cultures and language nuance matter, too, in privacy communication.


In summary, there’s more payback than just permission. Consent rates in Europe can go as high as 60 to 70 percent — and hurtling over cookie walls at 80 to 90 percent — when privacy communications are optimized. Crownpeak offered far more tips (and real-market examples) in its session — about search engine optimization, personalization, analytics disclosures and other related topics. But there’s also lifetime value, and indeed consumer trust in the balance. We have an entirely new area for many marketers to test, working with their counsel and technology colleagues.

Who knows? Maybe the best such privacy-focused campaigns could still win a 2020 ECHO — based on compelling strategy, creative and results toward an earn-their-trust purpose. Is there a courageous brand ready to show us how? After all, this is one area where we all benefit from ways to raise consumer trust in advertising by sharing successful case studies. We shall see.

Data Privacy Policymaking Words of Warning of Europe

Two weeks back, two hearings in Congress were held about a possible forthcoming new federal data privacy law for the United States. Some of the testimony included fascinating insight.

It’s been nearly nine months since the European Union’s (EU) General Data Protection Regulation (GDPR) took effect with its tentacle effects worldwide – and it is helpful to look at what has transpired, and to avoid making GDPR’s mistakes. That’s what one of the witnesses, Roslyn Layton, visiting scholar, American Enterprise Institute, had to say to the House Committee on Energy and Commerce, Subcommittee on Consumer Protection and Commerce, in her statement titled “How the US Can Leapfrog the EU.”

GDPR’s Early Impacts Are Foreboding

From Dr. Layton’s testimony, I found these excerpts (footnotes removed) to be particularly insightful – and somewhat frightful, though some of it predictable. She examined GDPR’s early deleterious effects which we, in the United States and elsewhere, would be wise to reject:

GDPR Is Not about Privacy – It’s About Data Flows

“A popular misconception about the GDPR is that it protects privacy; it does not. In fact, the word ‘privacy’ does not even appear in the final text of the GDPR, except in a footnote. Rather, the GDPR is about data protection or, more correctly, data governance. Data privacy is about the use of data by people who are allowed to have it. Data protection, on the other hand, refers to technical systems that keep data out of the hands of people who should not have it. By its very name, the GDPR regulates the processing of personal data, not privacy.”

GDPR Has Only Concentrated Big Digital Since Taking Effect

“To analyze a policy like the GDPR, we must set aside the political pronouncements and evaluate its real-world effects. Since the implementation of the GDPR, Google, Facebook and Amazon have increased their market share in the EU.”

GDPR Has Decimated Small- and Mid-Sized Ad Tech

“One study suggests that small- and medium-sized ad tech competitors have lost up to one-third of their market position since the GDPR took effect. The GDPR does not bode well for cutting-edge firms, as scientists describe it as fundamentally incompatible with artificial intelligence and big data. This is indeed a perverse outcome for a regulation that promised to level the playing field.”

GDPR Raises Costs, Prohibitively Acting as a Trade Barrier

“To do business in the EU today, the average firm of 500 employees must spend about $3 million to comply with the GDPR. Thousands of US firms have decided it is not worthwhile and have exited. No longer visible in the EU are the Chicago Tribune and the hundreds of outlets from Tribune Publishing. This is concerning because the EU is the destination of about two-thirds of America’s exports of digital media, goods and services. Indeed, the GDPR can be examined as a trade barrier to keep small American firms out so that small European firms can get a foothold.”

GDPR Denies Valuable Content to European Citizens

“Of course, $3 million, or even $300 million, is nothing for Google, Facebook and Amazon (The Fortune 500 firms have reportedly earmarked $8 billion for GDPR upgrades.), but it would bankrupt many online enterprises in the US. Indeed, less than half of eligible firms are fully compliant with the GDPR; one-fifth say that full compliance is impossible. The direct welfare loss is estimated to be about €260 per European citizen.”

What if the US Enacted GDPR Here … Oh, the Costs

“If a similar regulation were enacted in the US, total GDPR compliance costs for US firms alone would reach $150 billion; twice what the US spends on broadband network investment and one-third of annual e-commerce revenue in the US.”

Dr. Layton, in her testimony, also questioned the California Consumer Privacy Act, which may create even more enterprise requirements than GDPR. She suggested more pragmatic paths need to be forged.

A Better Way – Privacy by Design

“Ideally, we need a technologically neutral national framework with a consistent application across enterprises. It should support consumers’ expectations to have the same protections on all online entities. The law should make distinctions between personally identifiable information which deserves protection, but not require the same high standard for public data, de-identified, and anonymized data which do not carry the same risks. Unlike the GDPR, the US policy should not make it more expensive to do business, reduce consumer freedom or inhibit innovation.”

Data ‘Seat Belts and Air Bags’ for Privacy

In a second hearing, before the Senate Committee on Commerce, Science and Transportation, Interactive Advertising Bureau (IAB) CEO Randall Rothenberg provided a spirited statement of data’s role in the U.S. economy and the benefits that continue to accrue. He, too, drew from another industry’s history which he believes offers a helpful analogy and cooperative blueprint:

IAB CEO Randall Rothenberg | Credit: Photo: Chet Dalzell

Internet’s Profound Communication Power

“The Internet is perhaps the most powerful and empowering mode of communication and commerce ever invented. It is built on the exchange of data between individuals’ browsers and devices, and myriad server computers operated by hundreds of millions of businesses, educational institutions, governments, NGOs, and other individuals around the world.”

Advertising’s Essential Role Online – Much of It Data-Driven

Advertising has served an essential role in the growth and sustainability of the digital ecosystem, almost from the moment the first Internet browsers were released to the public in the 1990s. In the decades since, data-driven advertising has powered the growth of e-commerce, the digital news industry, digital entertainment, and a burgeoning consumer-brand revolution by funding innovative tools and services for consumers and businesses to connect, communicate and trade.

The Indispensable Ingredient: Trust

“Central to companies’ data-fueled growth is trust. As in any relationship, from love to commerce, trust underlies the willingness of parties to exchange information with each other; and thus, their ability to create greater value for each other. The equation is simple: The economy depends on the Internet; the Internet runs on data; data requires trust. IAB strongly believes that legislative and regulatory mechanisms can be deployed in ways that will reinforce and enhance trust in the Internet ecosystem.”

Universal Truth: Consumer Data Is Good

“We recommend Congress start with a premise that for most of American history was self-evident, but today seems almost revolutionary: consumer data is a good thing. It is the raw material of such essential activities as epidemiology, journalism, marketing, business development, and every social science you can name.

The Auto Industry Offers Us a Proactive Model

“We believe our goals align with the Congress’ decision to take a proactive position on data privacy, rather than the reactive approach that has been adopted by Europe and some states. We believe we can work together as partners in this effort with you to advance consumer privacy. Our model is the partnership between government and industry that created the modern concept of automotive safety in the 1960s. Yes, the partnership began as a shotgun wedding. Yes, the auto industry resisted at first. But an undeniable consumer right to be safe on the highways met well-researched solutions, which the Congress embedded in well-crafted laws that were supported by the states.

Auto Safety and Digital Wellness

“The result has been millions of lives and billions of dollars saved. We believe the analogy holds well here. Americans have a right to be secure on the information superhighway. Well-researched solutions and well-crafted laws can assure their ‘digital wellness.’ We should be thorough, practical and collaborative. Our goal should be to find the three or five or 10 practices and mechanisms – the seat belts and air bags of the Internet era – that companies can implement and consumers can easily adopt that will reinforce privacy, security and trust.”

Notice and Choice Bombardment – Or Predictable Rules of the Road

“Together, based on our members’ experience, we can achieve this new paradigm by developing a federal privacy law that, instead of bombarding consumers with notices and choices, comprehensively provides clear, even-handed, consistent and predictable rules of the road that consumers, businesses and law enforcers can rely upon.

One Federal Standard in Harmony

“Without a consistent, preemptive federal privacy standard, the patchwork of state privacy laws will create consumer confusion, present significant challenges for businesses trying to comply with these laws, and ultimately fall short of consumers’ expectations about their digital privacy. We ask the Congress to harmonize privacy protections across the country through preemptive legislation that provides meaningful protections for consumers while allowing digital innovation to continue apace.”

It is worth reading the testimonies of the privacy advocates present at these two hearings, as well. These GDPR fans have many sympathetic voices in the media and Congress, and truly need to be part of any conversation where consensus ought to be built. It is my hope the right federal legislation will result. The early evidence from Europe where advocates won over reason portends the punitive risks of getting it wrong.

New Privacy Regulations Coming Your Way: California Consumer Privacy Act (CCPA)

Have you recovered from last spring’s GDPR adrenaline rush yet? As much anxiety as GDPR regulations provoked, that may soon look like the good old days. Now California passed a privacy initiative you will be expected to follow starting Jan. 1, 2020.

Editor’s Note: While this piece is directed at publishers, CCPA also will be something marketers will have to be compliant with, just like GDPR.

Have you recovered from last spring’s GDPR adrenaline rush yet? Everybody in publishing was nervous about finding the right way to comply with new European privacy regulations. It did not seem like there was one clear path to compliance.

As much anxiety as GDPR regulations provoked, that may soon look like the good old days. At least in the EU, 27 countries came together with one edict. They also spent the time necessary to be smart and coherent, whether or not you agree with all the details.

Now California passed a privacy initiative you will be expected to follow starting Jan. 1, 2020. In many industries as goes California law, so go U.S. standards. This will be, in practice, a new national standard. California is too dominant a market, larger than most countries on the globe. Add to that a quirk in the drafting of the law, which says you must treat anyone who has left California and intends to return as a Californian. What?

Newly minted California Governor Gavin Newsom hailed the “first-in-the-nation digital privacy law” in his first State of the State address, according to reporting by Wendy Davis in MediaPost. “Companies that make … billions of dollars collecting, curating, monetizing our personal data also have a duty to protect it. Consumers have the right to know and control how their data is being used.”


“The California law was written in five days, and really shows,” says Christopher Mohr, VP of intellectual property and general counsel at SIIA. “It is an extraordinarily complicated and poorly written statute.” Adding insult to injury, it is grammatically inconsistent and difficult to understand. I can’t imagine what compelled them to rush such important legislation through. It sounds irresponsible when you consider the EU worked on GDPR for more than three years.

“This is not the same as GDPR — it’s much broader.” Not a statement the already GDPR-fearing publishing industry wants to hear. Mohr continues, “In GDPR the information is tied to a data subject, for example, an individual. The CCPA covers ‘households’ as well as individuals. In addition, the CCPA’s potential ban on the use of information extends not only to the information but to the ‘inferences’ you might draw from it.” Inferences? Yikes! The law goes on to explain what is meant, but the idea of inferring conclusions sounds ripe for misinterpretation to me.

The main goal of the law is to regulate the collection and sale of personally-identifiable (PI) consumer data to third parties and service providers. You do not need to get paid for the data. If you disclose it to another party, it is considered a transaction. Using outside vendors to help manage your data is not a problem, because you are the controlling party.

Everyone will now have the “right to delete.” I asked Mohr to confirm that means deleting people from your database, not from your articles. “That’s the intent, I think. Whether the words match the intent is a completely different issue, and it’s not as clear as it could be. Personal information covers any information that could be associated with an individual.”

Anyone can tell you to cease disclosing their data to others; and you must comply. You cannot deny goods or services to anyone because of their data opt-out. That becomes the new Catch-22: In order to know you are not supposed to have data on an individual, you must have that individual in your database. And since it is likely you must have data on an individual in order to do business with him or her, how do you conduct business with data exceptions? For those rare European GDPR complainants, admittedly some American publishers will simply delete; good-bye. In the Hotel California, “you can check out any time you like, but you can never leave.”

Preventing a Privacy Tower of Babel

Fortunately, enforcement is by state attorney general, not by individuals. In other words, thank God this is not an invitation to everyone in California to sue. Of course this law will be challenged in court. It may be too vague, according to some. It may be discriminatory, since non-profits (and government agencies) can ignore it and do what they want, the way it is written.

Living in this hyper-intrusive world, it’s hard to disagree with the intent of CCPA since we are all being personally data mined. But play this out. Imagine what mischief the other 49 states can do. Davis reports, Washington state “lawmakers are considering a bill that would not only give consumers the right to learn what data is collected about them, but would also allow them to prevent their personal data to be used for ad targeting.”

Federal legislation is coming on this after the recent grillings on Capitol Hill of some of the leading big-tech luminaries. Typically federal legislation trumps local law, which is what makes interstate commerce work. Hopefully there will be one law of the land, so any company handling data can maintain sanity versus bowing to every state, city, or county passing a law. But in these Alice in Wonderland times we are in, I will leave that speculation to you.

You have complied with GDPR, so that means you now have a DPO (data protection officer). The CCPA gives your DPO a little more to do.

I’m no lawyer, so I’ll provide the usual disclaimer on all the above. On the other hand, I am a member of and advocate for the Specialized Information Publishers Association, part of SIIA, whose general counsel Chris Mohr was invaluable in enabling me to share an understanding of this law. I believe it makes great sense to occasionally be involved with your peers and work on common problems like privacy laws. As a member of SIPA or Connectiv, you won’t need to call your lawyer every time there is a question about the new privacy landscape. You can take advantage of knowledgeable experts in your corner.

Do I have you pining for the muddy clarity of GDPR yet?

Warning: Marketing Data Policy-Making Ahead in the U.S.

U.S. data policy-making efforts make certain assumptions about marketing. It’s as if there’s a sign coming, saying: “Data Is a Weapon.” But what if lawmakers instead assumed data was a force for good?

Certainly, when dealing with the European data protection community — who may seek 4 percent of your global profits — it is wise to be deferential, even praiseworthy.

Apple CEO Tim Cook, in his speech last week to European data commissioners that hearkens back to President Eisenhower’s warning in 1961 about the “military-industrial complex,” identified commercial data collection interests as a “data-industrial complex” that has “weaponized” the collection and monetization of data with great efficiency.

Reading of this, one might extrapolate that all data collection is worrisome, and that this so-called trade in data amounts to “surveillance” that is inherently harmful.

To some, this might be 1961 all over again — or 1984, for that matter.


In reality, some may be singing from the choir book brought to us by European Parliamentarians. Every time I see a cookie notice on my U.S. website visits, I’m reminded, perhaps gently, that our sovereignty is being visited upon by foreign lawmakers. Europe’s leaders are trying to remake the Internet in its image — while China’s leaders do the same — and the world may be a lot less friendly toward each other as a result.

Considerations of a Healthful Policy Debate

As consumers, we may welcome privacy and security in our nation’s Internet public policy debate. All is not the same, however. We must handle our own policy-making with utmost care. Europe’s General Data Protection Regulation (GDPR) is one model — but is this European law really the right fit for the United States or, for that matter, other regions of the world?

In the private sector:

  • Consider the role that ad-financing (read, digital data) plays in ensuring quality journalism necessary for a healthy democracy.
  • Consider what consent restrictions (read, opt-in) would play in diminishing the ability of start-ups and mid-sized companies to compete with established companies — competition in the digital economy.
  • Consider an appreciation of the long-tail of the Internet — and the diversity of content and niche interests that meet consumer demands, made available through small publishers.
  • Focus on who is at the center of privacy restrictions — the citizen, digital user and the consumer. In every aspect, what are the trade-offs that individuals would experience when responsible data flows are effectively shut down?
  • Appreciate that all data are not the same. Are there data collection scenarios where there is a greater likelihood for harm? Are there categories of personal and user data that are more harmful than others — to the interests of that individual? In the United States, we already highly and wisely regulate such data as credit, health, children’s data, government identification numbers and more.
  • And importantly, understand how private sector use of data — and public sector use of data — differ. How should the two exchange, and not exchange, data between them?

Globally and certainly here in the United States, data enables commerce, consumer choice and diversity of content. Truly, the commercialization of data drives incredibly powerfully beneficial social aims. Such aims deserve recognition as policymakers weigh measured regulation.

Some global business leaders, for whatever motivations, heap praise on GDPR, but there’s danger in assigning “one size fits all”-type regulation. “Surveillance,” too, is a very loaded word — especially where responsible data collection and use represent an unparalleled force in the private sector for good: jobs, economy, competition, ad-financed content and services, and much more. Even governments package public records for beneficial use in the private sector. Remember, the only reason businesses exist is to create and serve a customer.

Where Surveillance Is a Material Concern

On the other hand, where surveillance truly is not a loaded word is where the public sector gathers and uses digital and mobile information to monitor citizens. Or where a government, foreign or domestic, demands the handover or censorship of such information from and of the private sector.

Here, I applaud close – very close – attention to what our government, or any other government, does with digital data, including that which exists in the private sector. Within the U.S., warrants, court orders and subpoenas should be demanded before private sector entities satisfy any government requests for information (and/or deletion of information). As government indeed has honest objectives — combatting fraud, terrorism and other crimes, or advancing public safety or health, for example – then it is wise to provide for independent judicial overview as a necessary check and balance to validate such laudable goals.

Data is a weapon only when it’s perversely used to disserve a consumer, a voter or a democracy. Let the private sector freely use information responsibly for all else, for it unleashes forces for good that serve consumers, the economy and robust discussion.

Marketing and Beyond: The Evils of Inertia vs. a Bias to Act

Inertia is a terrible thing. In marketing and beyond, inertia breeds complacency. It defeats initiative. And often leaves us stuck in life and work situations that very much prevent progress.

“The chill of inertia, the failure to make an ongoing effort to progress, is the greatest barrier to success and happiness in life.” – Yogananda

In our free democracy, where we have full opportunity to act with will – as citizens, as voters, as employees (and employers), as consumers, as individuals – too often we find ourselves victims of inertia, often in the form of our own indifference, or bias to do nothing.

This summer I’ve seen three instances of inertia – local, national and global – each with their own potential for terrible outcomes. All are preventable.

Inertia Hurts My Savings

For three of the past four years, my cooperative has sought to introduce a transfer fee where the seller of an apartment pays a fee to the cooperative as a sort of “kiss” goodbye. The funds generated from the sale are dedicated to a reserve where such proceeds can finance many predictable capital projects over time. Building such a reserve lessens the need for high maintenance increases and/or a series of one-off assessments to fund necessary capital projects. In a buoyant New York real estate market, the fee often can be recouped in the sale price. Having such a reserve in good standing also keeps our building attractive to buyers. These are all wonderful benefits of having a transfer fee in place and why it’s part of a fee structure in many New York co-ops.

Yet getting the necessary two-thirds of our shareholders to pass such a common-sense measure had been trying. Despite pleas and prods from the board, we could never muster enough votes at our annual meeting. It wasn’t that shareholders en masse opposed the proposal – a far majority of those who voted did favor it – it’s just that we couldn’t get enough favorable ballots to meet the mandatory two-thirds threshold of our governing rules. So this year, we took a “vote over time” approach, where we used the summer months to garner the two-thirds majority. It took one tremendous effort – interacting as we could with each shareholder by phone, email and visits – and we achieved our goal.

Still, nearly a third of shareholders did nothing, said nothing, and paid no attention … inertia. Even when confronted with a worse outcome, they failed to take notice and act. Thankfully, in this situation, enough neighbors picked up the slack. A potential financial emergency has been averted.

Inertia Hurts Democracy

It’s the day after Labor Day and now we start our march to vital mid-term elections. Left or right or in the middle, the decisions of our elected officials matter during the next two (Representatives), four (Governors) and six (Senators) years. Guess which age cohort of voter could hardly be bothered?

A new survey from NBC/GenForward reveals insights on inertia and ambivalence on a growing and key voter bloc – Millennials – and there’s a potential high price to pay through inertia.

Yes, that’s 43 percent who are uncertain or will probably not or definitely not vote. I understand why many younger individuals may have less faith in our political institutions than prior generations, but we get exactly what we deserve when we don’t show up to vote. Staying home cedes control to someone else. Is this purposefully not voting to stoke some imagined revolution or is this ambivalence? The effect, in any measure, is inertia and the status quo is hard to change when we keep sending the same people back to high office. Voting is the means to change, if you show up to vote.

We healthfully debate guns, police brutality, immigration, healthcare access and affordability, gender equality, climate change, conflicts of interest and Russian meddling. This voter bloc – diverse as it is – is the very generation who is empowered to make a difference! Folks, we just need to vote for the change and culture we believe in! There’s a lot more behind these survey results, I fear, than I have room to expand upon in this blog. Suffice it to say inertia, again, hurts all our interests.

Inertia Hurts Advertising

And now to a marketing issue wholly predictable and preventable. Europe has instituted a data freeze called the General Data Protection Regulation. I doubt it’s helpful to the average European and I know it is harmful to American interests. It actually institutes inertia as public policy.

Whole categories of beneficial information use in marketing – the use of web-viewing and app-usage data for more relevant messaging, for example – have been prohibited subject to opt-in permissions. Let’s revisit my co-op example: how many people opt-in to “anything” when it’s wholly desirable and beneficial for them to do so? Very few. Add a little doubt and fear – political scandal, hypothetical evils not based in reality – and the opt-ins are even harder to come by.

With a stroke of well-intended but ill-informed law, European Parliament slammed publishers, advertisers and consumers alike – all in the name of privacy – and they are proud of this accomplishment! Time will tell the true toll. But already, Europeans have less information, less choice, less competition, less revenue and more generic advertising – all in the name of chasing ad tech profits as a privacy surrogate. These negative effects may not be immediately apparent to the consumer – how do you count a beneficial offer not received? The familiar retort behind this law is “privacy is a fundamental human right.” Well, we can see how well that’s going – again, all very predictable and preventable.

Let me be clear: I believe in privacy rights, too – most certainly. [Disclosure, I work with a digital advertising privacy program for U.S. consumers, the YourAdChoices program.] But let’s make sure that mere annoyances – a pop-up ad, for example – don’t get conflated with government surveillance of citizens, or personal information misuse by the private sector where consumer harm is likely – where privacy concerns as a society are truly legitimate. There are annoyances, which can be managed by ethics and best practices, and there are scenarios where privacy indeed is at risk. One needs to grade privacy protections accordingly. I’ve long argued U.S.’s current and extensive privacy regimen – a thoughtful sectoral approach dutifully enforced, complemented by ethics, self-regulation and business contracts – is far superior to Europe’s one-size-fits-all prescriptive approach. In short, Europe has mandated that inertia freeze (or even undo) responsible data use. Thus, in this zeal for consent, the tremendous flow of benefits accrued through responsible data deployment largely ceases.

In short, I’m hopeful, stateside, that we shun this European import. Transparency, choice, security and sensitive data – we have effective, existing means in the United States to deliver toward these laudable aims. We have other ways to assert such privacy protections, yet we still allow beneficial information flows and innovation to continue.

So, will this be a summer and fall where we let inertia win? Or will we have a bias to act, to keep all-too-predictable sorry outcomes from happening?

GDPR Leads Brands to Better CX

A year ago, most companies had no clue where all of their customer data resided, let alone whether or not it was secure. With the implementation of GDPR, and California’s digital privacy law scheduled to take effect in January 2020, companies have started taking their customer and prospect data, and its security, much more seriously.

Most organizations keep their customer data in a customer relationship management (CRM) database. However, prior to GDPR, the information was incomplete, the accuracy of the data was not taken seriously, and the data was not secure due to a lack of business process management and master data management policies.

Based on the interviews I have conducted with IT executives involved in databases, big data, AI/ML and security, there has been a significant change in the past year: companies are now implementing and enforcing data management best practices and creating data Centers of Excellence. Employees are learning the importance of data and its security.

Given that a well-maintained CRM is necessary to deliver a great customer experience (CX), we can expect to see companies begin taking CX seriously, because they are getting their data in order and their competitors will begin using that data to deliver improved CX. We’re now in a race to see who can use data first and best to improve the CX.

Updated privacy policies and security protocols will increase the opportunity to deliver personalized and relevant information of value. In addition to getting explicit permission to communicate with their customers and prospects, organizations will want to enact progressive profiling, whereby they learn more about each customer or prospect every time that person interacts with the website or organization. The more you know about a customer, the more relevant you should be able to be to them by providing information of value while anticipating needs and wants.

Organizations need to learn what customers and prospects need and want to make their lives easier. This is key to building a disruptive business and earning a customer for life. Lyft has done this for me. Every time I need to travel to or from an airport, I no longer need taxis, rental cars or parking at the airport. Lyft has made my life traveling much simpler and easier. Lyft has earned a customer for life — or at least until its business model is disrupted.

A good CRM with proper data management processes is beneficial to organizations on several fronts:

1. The CRM serves as the repository for all customer data and enables customer-facing employees to have a 360-degree view of the customer so they understand the customer’s relationship with the company — interactions, products/services bought, considered, feedback. All customer-facing employees are able to see the actions that have taken place and know what actions need to take place in the future based on sales and CX processes.
2. Organizations are able to provide more relevant help and information, thereby making customers’ lives simpler and easier. Some organizations, e.g. financial institutions, are already using predictive analytics to recommend the “next best action” for the customer to the employee.
3. The CRM can be integrated with calendars and marketing automation software for appropriate follow-up before and after a sale, for nurturing marketing qualified leads (MQLs) to sales qualified leads (SQLs) or to market to “lookalike” prospects.
4. The CRM provides real-time metrics enabling team members to see where prospects and customers are in the sales, post-sales, follow-up or problem/resolution cycle.
5. A sound CRM enables the organization to scale in a thoughtful way with proper data management, security and updates, leveraging even more data to improve the CX.

How has GDPR affected your organization and its data management practices?

How a CDP Can Be Used to Build Consumer Trust & Comply With GDPR

How a CDP can be used to ensure accurate first-party data and consistent brand messaging – which help build consumer trust – while also maintaining compliance with consumer data protections such as GDPR.

If you have ventured into the “Quotes” section of Pinterest, you’ve seen thousands of quippy memes dealing with loss of trust. The gist is that once trust is lost, it’s hard to regain. Although these memes mostly focus on romantic relationships, the same can be said for relationships with brands and businesses.

Consumer trust in businesses is low and dropping. According to the industry standard measure of consumer trust, the Edelman Trust Barometer, overall consumer trust dropped 10 full percentage points during 2017, from 58% to 48%. Coincidentally, 2017 was a record high point for US data breaches (1,579 data breaches in all), as well as ushering in the birth of the Cambridge Analytica/Facebook debacle.

In this series on specific customer data platform (CDP) use cases, you’ll see the core competencies of CDPs go a long way toward maintaining consumer trust. In this post we’ll look at how a CDP can be used to ensure accurate first-party data and consistent brand messaging – which help build consumer trust – while also maintaining compliance with consumer data protections such as GDPR.

Managing First-Party Data

All communication from a brand/business to its customers and prospects is an expression of its brand. Many brands and businesses have relied heavily on third-party sources to provide targeting options for reaching prospects and customers.

Understanding the flaws in this method is as simple as creating an account at https://aboutthedata.com. Sponsored by Acxiom, the leading aggregator of third-party targeting data, this portal will allow you to access your digital profile. Each of the characteristics in this profile identifies how you are being targeted. Now think about brands and marketers crafting messages directed to YOU based on this data. A mismatch between messaging and targeting will chip away at authenticity and brand trust.

First-party data collection and activation are the reasons the CDP exists. By ingesting, organizing, reconciling, segmenting, and activating first-party data across all customer data siloes, the CDP creates the opportunity to communicate around specific data gained from the direct, first-party relationship between brand and consumer. Imagine the following:

  • Adjusting the content of your website based on the user’s past content tastes and interests. Right message.
  • Determining the appropriate channel for your message based on the behavior of an individual target. Right channel.
  • Choosing the appropriate timing of your message based on the intensity of your customer’s behavior. Right time.

GDPR and Data Management

Aside from creating more consistent and authentic conversations between customers and brands, a CDP also creates a potentially smoother path to compliance with recent privacy policy legislation including GDPR and the California Privacy Act. Key to compliance are two factors, both of which should be core capabilities of any CDP system.

  1. Choice: A core capability of CDP technology is the identification and reconciliation of known and unknown users. As unknown users access your site, the appropriate experience (cookies for tracking or not) can be offered or directed, and the preference maintained. More and more tools in the marketing technology stack are offering this capability, but maintaining these preferences in one environment that is used for all customer data collection and interaction makes the most sense.
  2. Transparency: The portability aspects of the GDPR and California Privacy Act specifically relate to delivering a comprehensive profile of all data points and their use for an individual. Whenever asked, an organization must be able to produce a succinct and complete picture of the user’s data and how it might be used within the organization. There is really no better place to create and extract that comprehensive picture than the CDP.

Being a steward of your customer data is not just a nice thing to do but an absolute requirement in an age where consumer trust is rapidly eroding and regulations on data protection are mounting. Adopting a philosophy and discipline in growing and activating first-party data from customers and prospects pays off by creating more authentic relationships grounded in trust. Statistically speaking, a highly-personalized relationship steeped in authenticity converts and performs optimally every day of the week. To cite one of those Pinterest quotes, “To be trusted is a greater compliment than being loved.” For marketers, trust is the pathway to business success.