How New Data Protection Laws Affect Your Non-Transactional Website

Good news! Regulatory agencies are taking privacy policies and data protection more seriously than ever. Bad news! Regulatory agencies are taking privacy policies and data protection more seriously than ever.

The increased regulatory activity is certainly good news for all of us as consumers. As marketers, that silver lining can be overshadowed by the cloud of fear, uncertainty, and doubt — to say nothing of the potentially enormous fines — attached to these new regulations. Let’s take a look at what your responsibilities are (or are likely to become) as privacy regulations become more widely adopted.

Before we begin: I’m not a lawyer. You should absolutely consult one, as there are so many ways the various regulations may or may not apply to your firm. Many of the regulations are regional in nature — GDPR applies to the EU, CCPA to California residents, the SHIELD Act to New York State — but the “placelessness” of the Internet means those regulations may still apply to you, if you do business with residents of those jurisdictions (even though you’re located elsewhere).

Beyond Credit Cards and Social Security Numbers

With the latest round of rules, regulators are taking a broader view of what constitutes personally identifiable information or “PII.” This is why regulations are now applicable for a non-transactional website.

We are clearly beyond the era when the only data that needed to be safeguarded was banking information and social security numbers. Now, even a site visitor’s IP address may be considered PII. In short, you are now responsible for data and privacy protection on your website, regardless of that website’s purpose.

Though a burden for site owners, it’s not hard to understand why this change is a good thing. With so much data living online now, the danger isn’t necessarily in exposing any particular data point, but in being able to piece so many of them together.

Fortunately, the underlying principles are nearly as simple as the regulations themselves are confusing.

SSL Certificates

Perhaps the most basic element of data protection is an SSL certificate. Though it isn’t directly related to the new regulatory environment, it’s a foundational component of solid data handling. You probably already have an SSL certificate in place; if not, that should be your first order of business. They’re inexpensive — there are even free versions available — and they have the added benefit of improving search engine performance.

Get Consent

Second on your list of good data-handling practices is getting visitor consent before gathering information. Yes, opt-in policies are a pain. Yes, double opt-in policies are even more of a pain — and can drive down engagement rates. Both are necessary to adhere to some of the new regulations.

This includes not only information you gather actively — like email addresses for gated content — but also more passive information, like the use of cookies on your website.

Give Options

Perhaps the biggest shift we’re seeing is toward giving site visitors more options over how their PII is being used. For example, the ability to turn cookies off when visiting a site.

You should also provide a way for consumers to see what information you have gathered and associated with their name, account, or email address.

Including the Option to Be Forgotten

Even after giving consent, consumers should have the right to change their minds. As marketers, that means giving them the ability to delete the information we’ve gathered.

Planning And Responsibilities For Data Breaches

Accidents happen, new vulnerabilities emerge, and you can’t control every aspect of your data handling as completely as you’d like. Being prepared for the possibility of a data breach is as important as doing everything you can to prevent them in the first place.

What happens when user information is exposed will depend on the data involved, your location, and what your privacy and data retention policies have promised, as well as which regulations you are subject to.

Be prepared with a plan of action for addressing all foreseeable data breaches. In most cases, you’ll need to alert those who have been or may have been affected. There may also be timeframes in which you must send alerts and possibly remediation in the form of credit or other monitoring.

A Small Investment Pays Off

As a final note, I’ll circle back to the “I’m not a lawyer” meme. A lawyer with expertise in this area is going to be an important part of your team. So, too, will a technology lead who is open to changing how he or she has thought about data privacy in the past. For those who haven’t dealt with transactional requirements in the past, this can be brand new territory which may require new tools and even new vendors.

All of this comes at a price, of course, but given the stakes — not just the fines, but the reputational losses, hits to employee morale, and lost productivity — it’s a small investment for doing right by your prospects and customers.

Lessons From the Facebook Fiasco

The funniest and the most ironic part of this Facebook fiasco is that target marketing based on data actually worked. If it didn’t, no one would care about some data geeks hoarding data somewhere in the cloud. And any reader of a magazine called “Target Marketing” shouldn’t be surprised by any of this.

Why should it be surprising that, with all of those behavioral and demographic data that Facebook collected, some analytics company could actually figure out who is more likely to vote for Trump? A mediocre-level analyst can do that with data far less immediate and complete than what was used in actuality.

In fact, the whole basis of the Facebook business model is that:

  • It is the largest billboard in the world; and
  • It can effectively deliver customized messages to each individual.

Facebook has been doing this kind of targeting with or without any third-party analytics vendor such as Cambridge Analytica. The fact that Facebook is expert in grabbing people’s attention (or their eyeballs) for elongated time makes it ever more powerful and effective than third parties; hence, all of the hoopla in the media.

The scarier part (to me, at least) is that a senator actually had to ask Mr. Zuckerberg about his company’s business model, to which he simply answered it shows targeted ads to its users. Seriously, how these fine gentlemen on Capitol Hill will regulate any information business is beyond me. Maybe these senators should delegate that work to their grandchildren.

Because I — like readers of this fine publication — do target marketing for a living, I wouldn’t blame Facebook for doing things that I would have done myself. And yet, this recent revelation of Facebook’s business with Cambridge Analytica doesn’t sit right with even the most avid practitioners of target marketing. It is not just the fact that it actually affected the presidential election, which is a personal matter for many. Even without any political ramification — which certainly is acting as a magnifying glass in this instance — something certainly went wrong here. Basically, sensitive data were mishandled, and there is no sign of data governance when it comes to sharing data with third-party companies. Considering the influential power of Facebook, no wonder everyone is talking about it as a scandal.

But here, let’s dig into this from a data player’s point of view.

PII – Handle With Care

Facebook is sitting on an amazing amount of personal data, as the users voluntarily share them. Just the profile page alone is a goldmine. Added to that, Facebook has data regarding what the users clicked, liked, shared, reviewed and bought. We are talking about all three major elements of data in target marketing — demographic, behavioral and attitudinal data (refer to “Big Data Must Get Smaller”) all in one place, with an amazing depth in each area. In the business of analytics, that is like having some kind of superpower.

In the early days of Facebook, I voluntarily shared the details of personal information, just to see how good the targeting would be. For the record, to this date, I’m not totally blown away by its targeting accuracy.

Sure, I put down my hobby as guitar playing, and Facebook would show me more guitar stuff. Anyone should be able to do that with such explicit data. But when I go to my Facebook wall, it still feels like I’m looking at a billboard, not a series of targeted messages. Especially the sponsored ads on the right side of the screen. Facebook has been showing me some SUVs (I’m not an SUV guy) and men’s apparel commercials (sure, I’m a man) for days. Meh. That looks like Facebook is just selling regular banner ads, targeted with some rudimentary selection logic using basic data.

Even during the last election cycle, with all of those hyper-political memes and reactions to them floating around, I’ve seen some “totally off the mark” political ads on my wall. What a shame, with all of that rich data in its hands.

So this Cambridge Analytica comes along, and promises the kinds of things that Facebook is supposed to be able to do with all its data for a bunch of politicians. And some bit the bait and paid a good amount of money for the vendor’s services.

Now, this third-party company got to have access to the Facebook user data or a pathway to collect more data on Facebook users. For that matter, any app that runs on Facebook — such as innocuous-looking personality tests — is specifically designed to harvest data. We all do it because it is fun to play, and the cost seems low. Not to offend anyone, all the apps normally require is signing on using Facebook ID. But that is all they really need.

Things get a little tricky there, though; so, who owns the data? The user, Facebook or the third-party vendor? It really depends on that user agreement that 99.99% of users didn’t bother to read. If I must provide an answer as a professional data player, I’d say “all three,” because data collection and refinement warrants some value. Saying a user has the sole ownership of data is like saying that a rice farmer has a right to every piece of sushi sold in restaurants indefinitely.

People who do target marketing for a living, in this case or in general, are less scared of such data sharing. What would be the worst thing that could happen? That I get to see an ad of a political candidate who I can’t stand on my Facebook wall? That is, however, if the data are used for general targeting purposes only. Data breaches are indeed scary, because pretty much everything that you put in and you did is linked to your personally identifiable information (PII).

We know that no reputable data player would look up one person at a time by name and see what she is up to. In this case, the operative word is “reputable.” Even the folks who gave permission to Facebook to collect and use data wouldn’t agree that that third-party vendor was indeed reputable. Figuring that out is assumed to be the duty of Facebook, and it is sad that even it didn’t seem to know.

Facebook did not have a good handle on “who gets to use what data.” That is the most unsettling part for people who deal with data for a living. Facebook is not exactly dealing with credit card or medical data there, but the sheer volume of data makes the matter as serious. Would it be harsh if I say that Facebook, in pursuit of increasing its revenue and shareholder value, just went for things that it shouldn’t have gone for? Where is the governance? All this mess, for what? Some “semi-accurate” targeting? (I’d love to see some reports on the backend.)

Data-Mining Friends, Too?

It is one thing that Facebook or its partners used data that I shared on Facebook in the form of profile and interests. It is quite another if some shady vendor downloaded the entire list of my friends and called it “its” data source.

That is just a sleazy practice. I’m pretty sure that I did not give permission to share the entire list of my friends with a company that conducts some goofy political spectrum test. No one would put that in an agreement in case just “1” person reads it. Because they themselves would know that that is a sleazy thing to do.

Data players must follow a very simple rule; if you don’t want someone to do certain things with your data, don’t do it yourself (refer to “Don’t Do It Just Because You Can”).

Don’t Be a Data Hoarder

In the business of targeting (or analytics for such targeting), more data don’t always guarantee accuracy. There are all kinds of data out there, and not all data are useful or effective in prediction (refer to “Not All Databases Are Created Equal”). That is why I have been writing repeatedly that one must set the project goal first, not just before some elaborate analytical exercise, but even before data collection.

Mindless hoarding often gets the collector in trouble like we are seeing here. Sometimes “more” data increase only trouble, not the targeting accuracy. Yes, the databases must be broad, accurate, recent and consistent to be useful. But too many data players became too greedy, and there are consequences of being greedy.

Maybe the notion of Big Data gave a wrong impression that big is always good. There are costs involved in dealing with really large data, and another lesson that we must learn here is that a collector can make people mad if “they” think that he is going after too much data.

If the goal is to obtain a “reasonable” level of accuracy in targeting, no, you don’t have to have every piece of data about the target. No analyst likes missing values, but there will be no complete database now or in the future, anyway. A job of analysts is to make the most of what they get, not asking for the entire universe. So, always consider the cost of hoarding too much information, including the social cost.

If all Cambridge Analytica wanted was to predict who was more likely to vote for Trump last year, there were many safer and simpler ways to go about doing that.

Facebook Is Too Powerful?

The ironic part of it all is that Facebook, thanks to its vast coverage, doesn’t require pinpoint targeting precision, anyway. It’s not like it’s going to spend over $1 per piece in direct mailing. Targeted messages are cheap on that platform, and the risk of being wrong is not that high (relatively speaking).

And it seems like Facebook knows it, too. Based on numerous articles that I read about this incident, its analytics is more about maintaining a captive audience by creating a very addictive platform. If the number of eyeballs and time spent on the page are what they are really pursuing, they seem to be doing a fine job there.

If the goal is about increasing targeting accuracy — while not pissing off a great number of people — then it is obvious that Facebook must tighten up its grip on data governance. Like most other data players like us have been doing all along.

Facebook will remain as a powerful force in the market. With or without precision targeting, it’s the biggest billboard in the world. Let’s just say that I didn’t sell off Facebook stocks because of all of this. But if Facebook really wants to benefit human collectives like it used to say in the beginning, lots of significant changes are warranted. And I think that subject is for other forums, not here.

Security Is Part of the Customer Experience in Marketing

As companies work to define an exceptional customer experience, my guess is few of them think about the security of the customer and their personally identifiable information (PII). While consumers are willing to trade privacy for convenience, it is incumbent upon application providers to provide secure apps.

When we buy a product or service from a manufacturer, we do so with the assumption that the product will solve a problem. But what if it creates one with unforeseen circumstances?

Seventy-seven percent of applications have known vulnerabilities. Based on my interviews with hundreds of IT executives, they are not surprised. Organizations put much more emphasis on getting apps to market and monetizing them than ensuring they are secure.

Developers are rewarded for releasing applications as quickly as possible, without regard for the security of the application. Until consumers start worrying about the security of the apps they use and foregoing those apps that do not value the privacy of their information, we can expect more egregious breaches of B2B and B2C data.

While it’s not pleasant to think about, caveat emptor. The emoji keyboard that pops up on your phone has a vulnerability. The key fob to your car is easily replicated to steal your car. Hundreds of mobile websites and apps leak PII.

What’s a consumer to do? Ask questions about how the items they are buying are being secured. By asking questions, we begin to let manufacturers and solutions providers know that security matters and will be part of our purchase decision.

We know 55 percent of consumers are willing to pay more for a better customer experience. How many more are willing to pay for a better customer experience that’s also secure?

We’re in an ongoing battle with hackers to develop and deploy secure apps that protect our PII. It is incumbent upon us as consumers to hold suppliers accountable for the products and services we buy.

This goes for the security of our infrastructure, medical devices, as well as our cell phones. It’s a matter of making security part of the product requirements upfront and then employing security testing throughout the development process.

Personalization: What’s in It for the Customers?

Too many marketers are personally annoying their customers in the name of personalization. For that reason alone, I am looking for an alternative word for “good” personalization.

Any salesperson would know that remembering a few personal details about a customer or prospect is the first step toward building a relationship. Of course, one shouldn’t be too “salesy,” as anyone can see through manufactured friendliness. Going too far in the wrong direction, the seller can even be seen as creepy. That rule equally applies to all types of 1:1 marketing. Just because you know “something” about the person, it doesn’t mean that you “know” the person.

Personalization should be gentle nudges toward relevant products and services for the customers, and it should never be bombardments of seller-centric marketing messages through all imaginable channels. No one deserves such abuse just because she forgot to uncheck some pre-populated checkbox about future marketing messages at some point in the distant past. I bet even marketers feel abused when they open their personal email boxes.

If marketers think that they are still in control just because they got to have a few tidbits about their customers in some fancy Big Data platform, well, they are utterly wrong. They are not in control at all any more. In the age of multichannel marketing, consumers are trained to ignore things that look even remotely salesy. Age of mobile? Forget that, too. You don’t own that customer just because he downloaded your app a long time ago and forgot to purge it. How many apps do you routinely use on your smartphone?

Modern human beings look at six to seven types of screens every day — as big as a billboard and as small as a wristwatch. Marketers may think that all of those new channels may provide new opportunities to sell. Well, maybe. But only if they do it right. When was the last time an invention of a new channel actually increased demand of certain products (other than the medium, such as the smartphone itself)? During the first boom, many thought that the Internet would sell more things magically. Now we know better — that people do not buy extra TVs, jeans or sporting equipment, just because there is a new channel through which they can shop.

Yet, most companies created new divisions to handle new channels, as if mastering each domain would attract more customers. No. Maybe they are just annoying their customers using new technologies. Unfortunately for one-track minded marketers, human brains have evolved to ignore unnecessary information from their “personal” point of view.

Our brains do not process all of the things that our eyes see. Case in point? When you land on a familiar Web page, you don’t always notice most banners that are on the right-hand side. You already know where information you seek is located on a certain page. If all of the banners were removed all of a sudden, you would know that the page looked somewhat empty. But that’s it. Like you would notice a piece of furniture was removed, but wouldn’t know what exactly was missing.

The game is about how we gently make people aware that we may have something that “they” may care for. It is about them, not us. To do that, we have to show them something that is relevant to “them.” To do that, we have to know what they are about. To do that, we need to know who they are, and rearrange all of the information that we have around them. And to do that effectively and holistically, we have to fill in the gap — as we will never know everything about everyone — using modeling techniques. Only then, we can stay relevant to them at any time, and we may deserve some of their attention, if only briefly.

The first breakdown in this chain of events is often the fact that we don’t even know who they are, really. Not necessarily in terms of personal identification, but any ID or proxy of a person that binds personal trails of information. Now, since a cookie, IP address or email address does not really represent a person, we should not give up the efforts to collect personally identifiable information and consents from the target individuals. And that is where the question of “what is in it for the customers?” comes in.

Surely, no one would give up cherished PII if she knew that she was indeed signing up for all of those irrelevant marketing messages. To most of the consumers, “You will occasionally receive relevant offers from us and our respected partners” really means that “You will have to delete a whole bunch of emails from us and anyone who purchased information from us on a daily basis, until you explicitly opt out of every one of them separately.” So, just stating that the messages will be relevant isn’t enough. We should really mean it. And it is really hard to personalize every message to everyone through every channel. It involves lots of work regarding data, analytics, content and various technologies (refer to “Key Elements of Complete Personalization”).

On top of the promise of relevancy, the collection of PII should be a beneficial transaction for the customers. Why should they give up their private information? For future savings? Loyalty points? Coupons for the next purchase? An extra 10 percent discount, right now?

I’ve seen retailers who boast of collection rates over 90 to 95 percent for PII and related behavioral data. The trick? There is no trick. They see the value of personal information in this personalization game, and they are just willing to pay for it. That type of investment, of course, only comes to fruition if the organization has the commitment, means and ability to carry out necessary data, analytics and technology work for complete “customer-centric” personalization. And the first step toward that kind of commitment is to share the benefits of increased marketing efficiency — and the right to exist as a seller in this multichannel environment — with the customers.

We came a long way from “Fill-in everybody’s mailbox with seller-centric mailing offers,” by way of “No emails unless you have double-opt-in,” to “Keep bombarding every customer through every channel until they explicitly opt out.” Modern consumers, who are much savvier in terms of digital technologies, are willing to share their information if, and only if, it benefits them. They will let you know who they are, what they are about, where they are, what they are about to do and even what they are thinking. This is the age of social media, after all.

But if they even remotely feel that they are being taken advantage of in any way, if they think a marketer is acting creepy, or if they think their privacy is violated even implicitly, they will sever all ties with the company in question immediately. Some may even go as far as posting damaging images and other content on social media, or seeking legal action against the violators of real or perceived trust in the data exchange. A healthy relationship is founded on the fair exchange of values, and they will determine what is fair or not.

Marketers are not in control of data and technologies when it comes to personalization. Customers are. Marketers are only temporary custodians of information about their customers. And they have to pay a lease on such information, in the form of real value. Further, they have to act like that lease won’t renew all by itself, either. If the customers feel that there is nothing to gain from that relationship — even without a clear violation of privacy — they will cut it out mercilessly. That is how relationships work.

Like every relationship counselor will say, if you want to maintain a good relationship with anyone, first start listening to her and make the relationship mutually beneficial. Then maybe, just maybe, the customers may allow marketers to talk to them once in a while.

And figuring out how often is often enough and what is most relevant to each customer? That is the key job of analysts in the age of abundant data.